Figure out what to do with sensitive files

[chreekat]

The data I consider sensitive is:

• hardware ids in /stackage-builder/packet/system.nix
• public ssh keys in /stackage-builder/packet/admin.nix
• public ssh keys in stackage-builder/stackage-curator.nix
• encrypted sops file /stackage-keyring.gpg.enc
• encrypted sops file /stackage.sops.yaml

I don't think an attacker could do anything with any of this, but it would not be prudent to give all of it away for free.

• hardware ids are usually something you only know with local access, possibly useful for phishing
• public ssh keys identify admins, possibly useful for phishing or targeting
• sops files are encrypted with a symmetric algo and should be kept "reasonably private"

[chreekat]

I decided on this solution:

This repo stays public with no secrets.

A new, private repo will include the (encrypted) secrets.

The new repo will use this repo as a flake input!

Thus the new repo is upstream of this one (no accidental pushes) but doesn't have any interesting data besides the secrets.