feat: Add flake and ragenix package generation and dev environment
11 secrets/.gitignore vendored Normal file
@@ -0,0 +1,11 @@
# Ignore unencrypted secrets
*.env
!*.env.example
.env.*
!.env.*.example

# Ignore age private keys (if accidentally placed here)
*.txt

# Keep encrypted files
!*.age
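Review bot: the `*.txt` rule under "Ignore age private keys" is the wrong shape for its purpose: it only catches an identity that happens to be saved with a `.txt` extension (the README's `~/.config/age/keys.txt` lives outside the repository anyway) while silently hiding every other `.txt` file someone later adds to `secrets/`. An ignore pattern is also only a convenience, since `git add -f` bypasses it. Consider matching the identity by content rather than by name, for example a pre-commit hook that rejects any staged file containing `AGE-SECRET-KEY-`, and keep the `.gitignore` entry as a second line of defence with a comment saying so.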
75 secrets/README.md Normal file
@@ -0,0 +1,75 @@
# USDA Vision Secrets Management

This directory contains encrypted secrets managed by [ragenix](https://github.com/yaxitech/ragenix).

## Setup

1. **Generate an age key** (if you don't have one):
```bash
# Generate a new age key
age-keygen -o ~/.config/age/keys.txt

# Or convert your SSH key
ssh-to-age < ~/.ssh/id_ed25519.pub
```

2. **Add your public key to `secrets.nix`**:
```nix
{
publicKeys = [
"age1..." # Your age public key
"ssh-ed25519 ..." # Or your SSH public key
];
}
```

3. **Create and encrypt environment files**:
```bash
# Create the encrypted .env file
ragenix -e secrets/env.age

# Create the encrypted .env.azure file
ragenix -e secrets/env.azure.age
```

## Usage in Development

In the development shell:
```bash
# Edit encrypted secrets
ragenix -e secrets/env.age

# Re-key secrets after adding a new public key
ragenix -r
```

## Usage in NixOS

The flake's NixOS module automatically handles decryption:

```nix
{
services.usda-vision = {
enable = true;
secretsFile = config.age.secrets.usda-vision-env.path;
};

age.secrets.usda-vision-env = {
file = ./usda-vision/secrets/env.age;
mode = "0644";
};
}
```

## Files

- `secrets.nix` - Public keys configuration
- `env.age` - Encrypted main .env file
- `env.azure.age` - Encrypted Azure OAuth configuration
- `README.md` - This file

## Security Notes

- Never commit unencrypted `.env` files
- Keep your age private key secure (`~/.config/age/keys.txt`)
- The `.age` encrypted files are safe to commit to git
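Review bot: `mode = "0644";` in the "Usage in NixOS" snippet makes the decrypted file world-readable on the host, which undoes the at-rest encryption the rest of the README is about; the agenix-style default is `0400` owned by root, so either drop the `mode` line or pair a narrower mode with the consuming service's user, e.g. `mode = "0440";` plus `owner`/`group`. Separately, the `ragenix -e secrets/env.age` commands in steps 3 and "Usage in Development" are written as if run from the repository root, but ragenix looks for its rules at `./secrets.nix` by default while this commit places them at `secrets/secrets.nix`; document either `cd secrets && ragenix -e env.age` or `--rules secrets/secrets.nix`. Finally, the `ssh-to-age < ~/.ssh/id_ed25519.pub` line under "Generate an age key" produces an age recipient, not a private identity, so it belongs with step 2 (and is unnecessary there, since step 2 already accepts the raw `ssh-ed25519` key); decryption with an SSH key is done by passing the private key with `-i`.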
14 secrets/secrets.nix Normal file
@@ -0,0 +1,14 @@
# Public keys for secret encryption
# Add your age or SSH public keys here
{
publicKeys = [
# Example age public key:
# "age1qyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqs3ekg8p"

# Example SSH public key (ed25519):
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... user@host"

# Add your keys below:
# TODO: Add your age or SSH public keys
];
}
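Review bot: this rules file has the wrong shape for ragenix, which expects an attribute set keyed by secret path with a `publicKeys` list per entry; with `publicKeys` at the top level there is no rule matching `env.age` or `env.azure.age`, so `ragenix -e` will refuse to create either file. Replace the body with `{ "env.age".publicKeys = [ ... ]; "env.azure.age".publicKeys = [ ... ]; }` (the README's step-2 snippet shows the same top-level form and should be corrected with it). Note also that the list ships empty behind a TODO, so nothing can be encrypted until a real recipient is added; a short comment on the first line about which key to add, and the `RULES`/`--rules` path to use, would save the next person a failed run.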