diff --git a/.sops.yaml b/.sops.yaml
index 0622b71..142169d 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -9,6 +9,13 @@ keys:
 # scan new hosts like this:
 # $ nix-shell -p ssh-to-age --run 'ssh-keyscan buildXX.nix-community.org | ssh-to-age'
 creation_rules:
+ - path_regex: terraform/secrets.yaml$
+ key_groups:
+ - age:
+ - *mic92
+ - *ryantm
+ pgp:
+ - *zimbatm
 - path_regex: build01/[^/]+\.yaml$
 key_groups:
 - age:
diff --git a/secrets/cloudflare-api-token b/secrets/cloudflare-api-token
deleted file mode 100644
index 08e732f..0000000
Binary files a/secrets/cloudflare-api-token and /dev/null differ
diff --git a/secrets/hydra-password b/secrets/hydra-password
deleted file mode 100644
index affd737..0000000
Binary files a/secrets/hydra-password and /dev/null differ
diff --git a/secrets/terraformrc b/secrets/terraformrc
deleted file mode 100644
index 42216ea..0000000
Binary files a/secrets/terraformrc and /dev/null differ
diff --git a/shell.nix b/shell.nix
index 9fb2ee2..f7f05d4 100644
--- a/shell.nix
+++ b/shell.nix
@@ -25,13 +25,4 @@ mkShell {
 sops-import-keys-hook
 ];
-
- # terraform cloud without the remote execution part
- TF_FORCE_LOCAL_BACKEND = "1";
- TF_CLI_CONFIG_FILE = toString ./secrets/terraformrc;
-
- shellHook = ''
- export CLOUDFLARE_API_TOKEN=$(< ./secrets/cloudflare-api-token)
- export HYDRA_PASSWORD=$(< ./secrets/hydra-password)
- '';
 }
diff --git a/terraform/.envrc b/terraform/.envrc
new file mode 100644
index 0000000..074a87c
--- /dev/null
+++ b/terraform/.envrc
@@ -0,0 +1,5 @@
+source_up
+
+# terraform cloud without the remote execution part
+export TF_FORCE_LOCAL_BACKEND="1";
+eval "$("$direnv" dotenv bash <(sops -d --output-type dotenv secrets.yaml))"
diff --git a/terraform/secrets.yaml b/terraform/secrets.yaml
new file mode 100644
index 0000000..97a8fc5
--- /dev/null
+++ b/terraform/secrets.yaml
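Review bot: The new rule's `path_regex: terraform/secrets.yaml$` is looser than the neighbouring `build01/[^/]+\.yaml$` rule: the `.` is unescaped and the pattern is not anchored at the start, so it also matches any deeper `…/terraform/secrets.yaml` path and a file whose name differs only in that character. sops applies the first creation_rule whose path_regex matches, and this rule is placed first, so an unintended match silently encrypts another file to this key set instead of the one its own rule specifies. Suggest `- path_regex: ^terraform/secrets\.yaml$`, matching the escaping style already used in the file. A one-line comment above the rule stating that the three keys form a single key group, so any one of them alone can decrypt the Terraform secrets, would also help future readers judge changes to the membership.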
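Review bot: The last line, `eval "$("$direnv" dotenv bash <(sops -d --output-type dotenv secrets.yaml))"`, hides decryption failures: the exit status of a process substitution is never checked, so when `sops -d` fails (key not available, file missing) the eval runs on empty output, direnv reports the directory as loaded, and only a later terraform or API call fails with a credential error that does not point back here. Decrypting into a variable first and aborting the load makes the failure visible at the point it occurs; `log_error` is the direnv stdlib helper for this. The relative `secrets.yaml` path assumes direnv evaluates `.envrc` with `terraform/` as the working directory, which I believe it does but is worth a short comment. The trailing `;` on the `export` line is unnecessary.
```shell
# … unchanged: source_up, TF_FORCE_LOCAL_BACKEND export …
if ! secrets="$(sops -d --output-type dotenv secrets.yaml)"; then
  log_error "sops could not decrypt terraform/secrets.yaml"
  return 1
fi
eval "$("$direnv" dotenv bash <(printf '%s\n' "$secrets"))"
```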
@@ -0,0 +1,47 @@
+CLOUDFLARE_API_TOKEN: ENC[AES256_GCM,data:YDe1kQGBXn1DxIAInQkZociCuZhfVMQq7KaUeI4bkZDQhXlc38E67A==,iv:z/7VchAdz6zFMOmf67801V+yAU7vk4MyITVpvzIH4U8=,tag:krlU7ogI3E7UYxKdBuLO9w==,type:str]
+HYDRA_PASSWORD: ENC[AES256_GCM,data:7o8RuTWxYY7HNbMDgl9ur0j+ehI1bf0JSA==,iv:oZ6iHGGL4xbCC54kQ+mjpYYrm3Kn2PAlhDOyX8K6VCY=,tag:hXSlJSgjQymbsriHBiMy4w==,type:str]
+TF_TOKEN_app_terraform_io: ENC[AES256_GCM,data:htOyHZEIKxwPHzgpao+m3YIhLBM6ihZdq54YVlIw9bNHup7qrwgjJbT4nX6SIrFQvGQmqbVvhoFN6+UYyfcPlOWfdiIMUgZfa2F4zMceIsArNAcXMtv7Efzy,iv:RmDIHFfPJ5hHNDwvjdb7vxTnpE6JIlbLmbFzfGo+YAc=,tag:gzFY4HOGmuT5BrrFhzBtxw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5blVRbEU4YXNtaWRZM0ll
+ YWNacFNCZ0xUdGRzY05LaTllTnd1WWN3YVVNCmw0L09uclI3QUxiNmFBZnlEUnZs
+ VnRFWnFNRmd4UTNlWnh4QmtDWU1LZG8KLS0tIG8zQ0lFK2dHTHBhRVBibloxKzZS
+ OHZHaWY2WnZrU3Z2eUVlOVZWWTRqclUKvCRIA85XJ72u6Q+yc8mcloBPj1lIbri0
+ kXQH/X1rvwaKNhSzNzoUH64PlNQdjelgcl2eUrlDiqfvnXcVLTyfQg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqU3hNODVQMnJ4d0JDeEpQ
+ Qk1nMHd2M2IvQmplNDRnZy84VHZSb1hFV2hFCm8xRTlBRUlhMEllWUhZNHh3aVVH
+ d1BpZFFSN3BDWEVSeDE1Rk01cnVtZTgKLS0tIEF4ajVVbG1xalBqRmt2cTVRZVhJ
+ cDhJajhSUWNHcXhqMW1Gcnp5c2tlS2sKsoavYL6DTdjGHg74uPow54PdY/F2rROc
+ aEtMsirY3CgbsroyjWfaHd+LszUOrY2jaN7UcNiqE1cJo6pJLyXa9g==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-05-15T15:01:13Z"
+ mac: ENC[AES256_GCM,data:R0A/XaigE7nSDfthabJ6TCUTxI28qeopF4GiAuwA21bgIFcEVWfR76w02alMYIp0gjWjL87KlNk+XiijeM054pDESMGGtbdVaYiQL0nqB8jH6Z8rreVt8pqnzC7I90EP0bWjQUPflCsDgMKrSOGdaLJRHGAOHnMLy8pvwaE+OXc=,iv:5Nr1OAHoTrbrQgXNg+4rVGQDdIsyGxc74TlYjsVPEBw=,tag:3LIWD8IGPY9dCdIk9BLZQg==,type:str]
+ pgp:
+ - created_at: "2022-05-15T14:38:07Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQEMA3tEuTsG48KkAQf/eIw45c+1Y0hRehsO/irm0zHcEtN+VFb1/n7yORw/cgl6
+ PByxkbHLtrKxOeMwAWS80DW+xPdigqDdZz7v+VPivDZJfBnvH9BVEgtljPd3JtR4
+ 3b/IKgKvFQ9rSDpwAcfJJYP8zlWR7wIcpw/Eu+nt08/94guvsDzda7OUUo+5G2Fj
+ IyaLejv0bXJm4Kz48zk9dsLIGLJwOok/eyHsisTSmfKBuLC/axVEgIJqyRxte3LI
+ OqKo3HMqUqdVZ1Fcarr2A8WtCtHT5hEoxDh00uGULa7OQuAYerYoKFvet1C7BrLq
+ ioPAgI2F5Ggt3c60femP0eIENzPXQLarYh0ZPmwOudJeAQiLRC4xvCvVGnH/KO/k
+ cViuRUDKHrn3vyDzumAcdFHw8civlceSuln4LI/TCM7LkfQ4JFXLl6SpznUpUDC8
+ 6iHtN1hg7DVefCJT4qj64o2qwtXIZ1JB7Y+ch4l7IA==
+ =kUzQ
+ -----END PGP MESSAGE-----
+ fp: 260353B993F8CE16752EF48C71BAF6D40C1D63D7
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3