# USDA Vision Secrets Management

This directory contains encrypted secrets managed by [ragenix](https://github.com/yaxitech/ragenix).

## Setup

1. **Generate an age key** (if you don't have one):

```bash
# Generate a new age key
age-keygen -o ~/.config/age/keys.txt

# Or convert your SSH key
ssh-to-age < ~/.ssh/id_ed25519.pub
```

2. **Add your public key to `secrets.nix`**. ragenix reads this file as a set of rules keyed by the `.age` file each rule applies to, so every encrypted file in this directory needs an entry:

```nix
{
  # Recipients of env.age (the main .env file)
  "env.age".publicKeys = [
    "age1..."          # Your age public key
    "ssh-ed25519 ..."  # Or your SSH public key
  ];

  # Recipients of env.azure.age (Azure OAuth configuration)
  "env.azure.age".publicKeys = [
    "age1..."
    "ssh-ed25519 ..."
  ];
}
```

3. **Create and encrypt environment files**:

```bash
# Create the encrypted .env file
ragenix -e secrets/env.age

# Create the encrypted .env.azure file
ragenix -e secrets/env.azure.age
```

## Usage in Development

In the development shell:

```bash
# Edit encrypted secrets
ragenix -e secrets/env.age

# Re-key secrets after adding a new public key
ragenix -r
```

## Usage in NixOS

The flake's NixOS module automatically handles decryption:

```nix
{
  services.usda-vision = {
    enable = true;
    secretsFile = config.age.secrets.usda-vision-env.path;
  };

  age.secrets.usda-vision-env = {
    file = ./usda-vision/secrets/env.age;
    # 0644 leaves the decrypted file readable by every local user on the host;
    # if the service runs as its own user, prefer a 0400/0440 mode together
    # with the matching `owner`/`group` options.
    mode = "0644";
  };
}
```

## Files

- `secrets.nix` - Public keys configuration
- `env.age` - Encrypted main .env file
- `env.azure.age` - Encrypted Azure OAuth configuration
- `README.md` - This file

## Security Notes

- Never commit unencrypted `.env` files
- Keep your age private key secure (`~/.config/age/keys.txt`)
- The `.age` encrypted files are safe to commit to git
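The two Security Notes above are easy to check mechanically before a commit. The following POSIX sh script is an added example, not part of the USDA Vision repository or of ragenix: it verifies that every `*.age` file in a directory really is an age ciphertext (age writes a plaintext first line, either `age-encryption.org/v1` for the binary format or `-----BEGIN AGE ENCRYPTED FILE-----` for ASCII armor) and that no plaintext `.env` or `.env.*` file sits next to them. The sample directory it builds with `make_demo_dir` is constructed for the demonstration and contains no real secrets; the function and file names are this example's own.

```shell
# Added example: pre-commit style checks for a ragenix secrets directory.
# Not part of the USDA Vision project or ragenix; all sample files below are constructed.

# 0 when the file's first line is an age header (binary format or ASCII armor), 1 otherwise.
is_age_encrypted() {
  head -n 1 "$1" 2>/dev/null | grep -q -e '^age-encryption.org/v1$' \
                                        -e '^-----BEGIN AGE ENCRYPTED FILE-----$'
}

# 0 when every *.age file directly in the directory is an age ciphertext;
# 1 (with a message on stderr) for the first one that is not, e.g. a plaintext
# .env that was renamed to .age instead of being encrypted with `ragenix -e`.
all_age_files_encrypted() {
  for f in "$1"/*.age; do
    [ -e "$f" ] || continue
    if ! is_age_encrypted "$f"; then
      echo "not age-encrypted: $f" >&2
      return 1
    fi
  done
  return 0
}

# 0 when no plaintext .env or .env.* file exists directly in the directory
# (files ending in .age are the encrypted ones and are allowed); 1 otherwise.
no_plaintext_env() {
  found=$(find "$1" -maxdepth 1 -type f \( -name '.env' -o -name '.env.*' \) ! -name '*.age')
  if [ -n "$found" ]; then
    echo "plaintext env file(s) present:" >&2
    echo "$found" >&2
    return 1
  fi
  return 0
}

# Both invariants must hold for the directory to be safe to commit.
check_secrets_dir() {
  all_age_files_encrypted "$1" && no_plaintext_env "$1"
}

# Constructed sample directory (hypothetical content, no real secrets):
# - env.age        : well-formed age header, passes
# - env.azure.age  : plaintext mistakenly given the .age suffix, fails
# - .env           : plaintext env file that must never be committed, fails
make_demo_dir() {
  d=$(mktemp -d)
  printf '%s\n' 'age-encryption.org/v1' '-> X25519 placeholder' '--- placeholder' > "$d/env.age"
  printf '%s\n' 'AZURE_CLIENT_SECRET=placeholder' > "$d/env.azure.age"
  printf '%s\n' 'DATABASE_URL=placeholder' > "$d/.env"
  echo "$d"
}

DEMO=$(make_demo_dir)
if check_secrets_dir "$DEMO"; then
  echo "secrets directory OK"
else
  echo "secrets directory check FAILED (see messages above)"
fi
rm -rf "$DEMO"
```

Run as `check_secrets_dir path/to/secrets` from a git pre-commit hook (or pass the directory on the command line after removing the demo section) so a stray plaintext file fails the commit instead of reaching the remote.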