feat: switch to infisical

.envrc

@@ -1,2 +1,2 @@
-nix_direnv_watch_file "./nix/env.nix" "./nix/fmt.nix" "./nix/packages.nix" "./nix/shells.nix" "./nix/pre-commit.nix" "./flake.nix" "./parse.nix"
+watch_file "./nix/env.nix" "./nix/fmt.nix" "./nix/packages.nix" "./nix/shells.nix" "./nix/pre-commit.nix" "./flake.nix" "./parse.nix"
 use flake

.github/workflows/deployment.yaml

@@ -6,11 +6,13 @@ on:
 jobs:
   precommit:
     name: Pre-commit Check
-    runs-on: ubuntu-22.04
+    runs-on:
+      - nscloud-ubuntu-22.04-amd64-4x8-with-cache
+      - nscloud-cache-size-50gb
+      - nscloud-cache-tag-sulfoxide-boron-nix-store-cache
+      - nscloud-git-mirror-1gb
     steps:
-      - uses: actions/checkout@v3
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: AtomiCloud/actions.setup-nix@v1.2.1
       - name: Run pre-commit
         run: nix develop .#ci -c ./scripts/ci/pre-commit.sh
 
@@ -19,12 +21,14 @@ jobs:
     needs:
       - precommit
     if: github.ref == 'refs/heads/main'
-    runs-on: ubuntu-latest
+    runs-on:
+      - nscloud-ubuntu-22.04-amd64-4x8-with-cache
+      - nscloud-cache-size-50gb
+      - nscloud-cache-tag-sulfoxide-boron-releaser-nix-store-cache
+      - nscloud-git-mirror-1gb
     steps:
-      - uses: actions/checkout@v3
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: rlespinasse/github-slug-action@v3.x
+      - uses: AtomiCloud/actions.setup-nix@v1.2.1
+      - uses: AtomiCloud/actions.cache-npm@v1.0.1
       - name: Release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

chart/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: sulfoxide-bromine
   repository: oci://ghcr.io/atomicloud/sulfoxide.bromine
-  version: 1.2.3
-digest: sha256:f2fdc64db17b1f198bada642722a49910a615657a72622c2ed87e0b1683d8be6
-generated: "2023-10-21T00:49:01.799537+08:00"
+  version: 1.5.1
+digest: sha256:4ec580b8421d83638af37fe60a573a5bef09c0eb053dad1820a5e15c85492706
+generated: "2024-08-10T20:19:55.304944+08:00"

chart/Chart.yaml

@@ -3,8 +3,8 @@ name: sulfoxide-boron
 description: Helm chart to deploy internal ingress controller with VPN access to internal services using cloudflared
 type: application
 version: 1.9.1
-appVersion: "2023.10.0"
+appVersion: "2024.8.2"
 dependencies:
   - name: sulfoxide-bromine
-    version: 1.2.3
+    version: 1.5.1
     repository: oci://ghcr.io/atomicloud/sulfoxide.bromine

chart/README.md

@@ -1,30 +1,30 @@
 # sulfoxide-boron
 
-![Version: 1.9.1](https://img.shields.io/badge/Version-1.9.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2023.10.0](https://img.shields.io/badge/AppVersion-2023.10.0-informational?style=flat-square)
+![Version: 1.9.1](https://img.shields.io/badge/Version-1.9.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2024.8.2](https://img.shields.io/badge/AppVersion-2024.8.2-informational?style=flat-square)
 
 Helm chart to deploy internal ingress controller with VPN access to internal services using cloudflared
 
 ## Requirements
 
 | Repository | Name | Version |
 |------------|------|---------|
-| oci://ghcr.io/atomicloud/sulfoxide.bromine | sulfoxide-bromine | 1.2.3 |
+| oci://ghcr.io/atomicloud/sulfoxide.bromine | sulfoxide-bromine | 1.5.1 |
 
 ## Values
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | affinity |
-| auth | object | `{"external":{"enable":true,"policy":{"creation":"Owner","deletion":"Retain"},"refreshInterval":"1h","remoteSecretName":"OPAL_RUBY_INGRESS_TOKEN","secretStore":{"kind":"SecretStore","name":"doppler-boron"}},"internal":{"enable":false,"token":""},"secretName":"cloudflare-tunnel-token"}` | Cloudflare Tunnel Token |
-| auth.external | object | `{"enable":true,"policy":{"creation":"Owner","deletion":"Retain"},"refreshInterval":"1h","remoteSecretName":"OPAL_RUBY_INGRESS_TOKEN","secretStore":{"kind":"SecretStore","name":"doppler-boron"}}` | Use external secret |
+| auth | object | `{"external":{"enable":true,"policy":{"creation":"Owner","deletion":"Retain"},"refreshInterval":"1h","remoteSecretName":"OPAL_RUBY_INGRESS_TOKEN","secretStore":{"kind":"SecretStore","name":"boron"}},"internal":{"enable":false,"token":""},"secretName":"cloudflare-tunnel-token"}` | Cloudflare Tunnel Token |
+| auth.external | object | `{"enable":true,"policy":{"creation":"Owner","deletion":"Retain"},"refreshInterval":"1h","remoteSecretName":"OPAL_RUBY_INGRESS_TOKEN","secretStore":{"kind":"SecretStore","name":"boron"}}` | Use external secret |
 | auth.external.enable | bool | `true` | Enable the use of external secret |
 | auth.external.policy | object | `{"creation":"Owner","deletion":"Retain"}` | Secret policy |
 | auth.external.policy.creation | string | `"Owner"` | Creation policy |
 | auth.external.policy.deletion | string | `"Retain"` | Deletion policy |
 | auth.external.refreshInterval | string | `"1h"` | Refresh Rate |
 | auth.external.remoteSecretName | string | `"OPAL_RUBY_INGRESS_TOKEN"` | Remote Secret Reference name |
 | auth.external.secretStore.kind | string | `"SecretStore"` | Kind of the Secret Store: `ClusterSecretStore` or `SecretStore` |
-| auth.external.secretStore.name | string | `"doppler-boron"` | Name of the Secret Store |
+| auth.external.secretStore.name | string | `"boron"` | Name of the Secret Store |
 | auth.internal | object | `{"enable":false,"token":""}` | Secret directly inlined in value files |
 | auth.internal.enable | bool | `false` | Use hard coded secret |
 | auth.internal.token | string | `""` | Hard coded Cloudflare token |
@@ -46,11 +46,11 @@ Helm chart to deploy internal ingress controller with VPN access to internal ser
 | secretAnnotation | object | `{"argocd.argoproj.io/sync-wave":"-2"}` | Secret Annotations (External Secrets) to control synchronization |
 | securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":10000}` | Generate security Context |
 | serviceTree | object | `{"layer":"1","module":"tunnel","platform":"sulfoxide","service":"boron"}` | AtomiCloud Service Tree. See [ServiceTree](https://atomicloud.larksuite.com/wiki/OkfJwTXGFiMJkrk6W3RuwRrZs64?theme=DARK&contentTheme=DARK#MHw5d76uDo2tBLx86cduFQMRsBb) |
-| sulfoxide-bromine | object | `{"annotations":{"argocd.argoproj.io/sync-wave":"-3"},"rootSecret":{"ref":"SULFOXIDE_BORON"},"storeName":"doppler-boron"}` | Create SecretStore via secret of secrets pattern |
-| sulfoxide-bromine.rootSecret | object | `{"ref":"SULFOXIDE_BORON"}` | Secret of Secrets reference |
-| sulfoxide-bromine.rootSecret.ref | string | `"SULFOXIDE_BORON"` | DOPPLER Token Reference |
-| sulfoxide-bromine.storeName | string | `"doppler-boron"` | Store name to create |
+| sulfoxide-bromine | object | `{"annotations":{"argocd.argoproj.io/sync-wave":"-3"},"rootSecret":{"ref":{"clientId":"SULFOXIDE_BORON_CLIENT_ID","clientSecret":"SULFOXIDE_BORON_CLIENT_SECRET"}},"serviceTree":{"platform":"sulfoxide","service":"boron"},"storeName":"boron"}` | Create SecretStore via secret of secrets pattern |
+| sulfoxide-bromine.rootSecret | object | `{"ref":{"clientId":"SULFOXIDE_BORON_CLIENT_ID","clientSecret":"SULFOXIDE_BORON_CLIENT_SECRET"}}` | Secret of Secrets reference |
+| sulfoxide-bromine.rootSecret.ref | object | `{"clientId":"SULFOXIDE_BORON_CLIENT_ID","clientSecret":"SULFOXIDE_BORON_CLIENT_SECRET"}` | DOPPLER Token Reference |
+| sulfoxide-bromine.storeName | string | `"boron"` | Store name to create |
 | tolerations | list | `[]` | toleration |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.1](https://github.com/norwoodj/helm-docs/releases/v1.11.1)
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

chart/values.entei.onyx.yaml

@@ -11,6 +11,11 @@ auth:
     refreshInterval: 1h
     remoteSecretName: ONYX_JADE_INGRESS_TOKEN
 
+sulfoxide-bromine:
+  serviceTree:
+    landscape: entei
+    cluster: onyx
+
 replicaCount: 1
 
 autoscaling:

chart/values.entei.opal.yaml

@@ -11,6 +11,11 @@ auth:
     refreshInterval: 1h
     remoteSecretName: OPAL_RUBY_INGRESS_TOKEN
 
+sulfoxide-bromine:
+  serviceTree:
+    landscape: entei
+    cluster: opal
+
 replicaCount: 1
 
 autoscaling:

chart/values.entei.ruby.yaml

@@ -11,6 +11,11 @@ auth:
     refreshInterval: 1h
     remoteSecretName: OPAL_RUBY_INGRESS_TOKEN
 
+sulfoxide-bromine:
+  serviceTree:
+    landscape: entei
+    cluster: ruby
+
 replicaCount: 1
 
 autoscaling:

chart/values.suicune.opal-ruby.yaml

@@ -4,6 +4,9 @@ serviceTree:
 
 # -- Create SecretStore via secret of secrets pattern
 sulfoxide-bromine:
+  serviceTree:
+    landscape: suicune
+    cluster: opal-ruby
   annotations:
     # -- Helm hook to run
     helm.sh/hook: pre-install,pre-upgrade

chart/values.yaml

@@ -7,14 +7,19 @@ serviceTree:
 
 # -- Create SecretStore via secret of secrets pattern
 sulfoxide-bromine:
+  serviceTree:
+    platform: sulfoxide
+    service: boron
   annotations:
     argocd.argoproj.io/sync-wave: "-3"
   # -- Store name to create
-  storeName: doppler-boron
+  storeName: boron
   # -- Secret of Secrets reference
   rootSecret:
     # -- DOPPLER Token Reference
-    ref: "SULFOXIDE_BORON"
+    ref:
+      clientId: SULFOXIDE_BORON_CLIENT_ID
+      clientSecret: SULFOXIDE_BORON_CLIENT_SECRET
 
 
 # -- Secret Annotations (External Secrets) to control synchronization
@@ -50,7 +55,7 @@ auth:
     # Secret Store to reference
     secretStore:
       # -- Name of the Secret Store
-      name: doppler-boron
+      name: boron
 
       # -- Kind of the Secret Store: `ClusterSecretStore` or `SecretStore`
       kind: SecretStore