This PR brings in some new features to up our security game:
Login modes. A login profile with strict security (default) for cloud deployments and a more permissive one for local testing.
Secrets management. Automated generation, import, encryption and deployment of secrets. Automatic secret decryption and mounting on a tmpfs on deployment. Easy secret rotation. Easy testing with automated generation of test secrets.
Fully reproducible deployments. Secrets get encrypted (strong encryption), stored in the repo and referenced from Nix expressions just like any other config items. This way the repo becomes the single source of truth: all you need to recreate a live deployment is in the repo, so re-instantiating the same NixOS config results in a fully-functional copy of your live deployment---except for live data (Odoo DB and file store), of course.