feat: initial commit

secrets/.env.example

@@ -0,0 +1,6 @@
+INFISICAL_CLIENT_SECRET=""
+INFISICAL_CLIENT_ID=""
+INFISICAL_PROJECT_ID=""
+
+TEMPLATE_PATH="./secrets.eta"
+OUTPUT_PATH="../environments/production/manifests/secrets.pp"

secrets/README.md

@@ -0,0 +1,10 @@
+# secrets
+
+You can run this script to regen the secrets which live in environments/production/manifests/secrets.pp:
+```shell
+./deno-src/deno run -A ./apply-secrets.t
+```
+
+You may have to run `infisical login -i` first, then `infisical init` to get things going.
+
+Sometimes it will timeout, just rerun

secrets/SECRETS.md

@@ -0,0 +1,33 @@
+# secrets listing
+
+## PostgreSQL
+- $pg_setup_email: any email
+- $pg_setup_password: any password
+
+- $pg_oauth2_client_id: get from Authentik
+- $pg_oauth2_client_secret: get from Authentik
+- https://docs.goauthentik.io/integrations/services/pgadmin/
+
+## Infisical
+- $infisical_auth_secret: b64(randBytes(32))
+- $infisical_encryption_key: hex(randBytes(32))
+
+## ELK
+### Kibana
+- $kibana_encryption_key: hex(randBytes(64)) 
+
+## GarageHQ
+- $garage_rpc_secret: hex(randBytes(64)) 
+- $garage_metrics_token: b64(randBytes(32)) 
+- $garage_admin_token: b64(randBytes(32)) 
+
+## Authentik
+- $authentik_pg_pass: hex(randBytes(48)) 
+- $authentik_secret_key = hex(randBytes(80)) 
+- $authentik_rac_token: get from Authentik after deploying RAC outpost
+
+## OCIS
+TODO: Properly template this file
+
+Fix:
+Run `./ocis init`

secrets/apply-secrets.ts

@@ -0,0 +1,51 @@
+#!/usr/bin/env deno
+
+import { Eta } from "https://deno.land/x/eta@v3.1.0/src/index.ts"
+import { InfisicalSDK } from "npm:@infisical/sdk"
+
+import { Logger } from "jsr:@deno-library/logger";
+const logger = new Logger();
+
+import "jsr:@std/dotenv/load";
+
+logger.info("Starting up Infisical SDK")
+
+const client = new InfisicalSDK({
+  siteUrl: "https://secrets.amy.mov"
+});
+
+logger.debug("Authenticating...")
+
+await client.auth().universalAuth.login({
+  clientId: Deno.env.get("INFISICAL_CLIENT_ID") || "",
+  clientSecret: Deno.env.get("INFISICAL_CLIENT_SECRET") || "",
+})
+
+const projectId = Deno.env.get("INFISICAL_PROJECT_ID") || ""
+logger.debug(`Authenticated! Fetching secrets for project ${projectId}`)
+
+const allSecrets = await client.secrets().listSecrets({
+  environment: "prod",
+  projectId,
+  recursive: true
+});
+
+logger.info(`Got ${allSecrets.secrets.length} secrets`)
+
+const etaSecrets = Object.fromEntries(allSecrets.secrets.map(s => [s.secretKey, s.secretValue]))
+
+const DEFAULT_INPUT_PATH = "./secrets.eta"
+const DEFAULT_OUTPUT_PATH = "./secrets.pp"
+
+const inputPath = Deno.env.get("TEMPLATE_PATH") || DEFAULT_INPUT_PATH
+const outputPath = Deno.env.get("OUTPUT_PATH") || DEFAULT_OUTPUT_PATH
+
+logger.info(`Template: ${inputPath}, Output: ${outputPath}. Rendering`)
+
+const eta = new Eta({ varName: "it" })
+const src = Deno.readTextFileSync(inputPath)
+const res = eta.renderString(src, { secrets: etaSecrets, toLower: (s: string) => s.toLowerCase() })
+
+Deno.writeTextFileSync(outputPath, res)
+
+logger.info("Done!")

secrets/deno-src/source.txt

@@ -0,0 +1 @@
+https://github.com/denoland/deno/releases/download/v2.2.6/deno-x86_64-unknown-linux-gnu.zip

secrets/secrets.eta

@@ -0,0 +1,3 @@
+<% Object.keys(it.secrets).forEach(function(prop) { 
+  %> $<%= it.toLower(prop) %> = "<%= it.secrets[prop] %>" <%= '\n' %> <% 
+}) %>