# USDA Vision Secrets Management

This directory contains encrypted secrets managed by [ragenix](https://github.com/yaxitech/ragenix), an age-based secrets tool that is a drop-in replacement for the agenix CLI and uses the same NixOS module.
## Setup

1. Generate an age key (if you don't have one):

   ```bash
   # Generate a new age key
   age-keygen -o ~/.config/age/keys.txt

   # Or convert your SSH key
   ssh-to-age < ~/.ssh/id_ed25519.pub
   ```

   Converting is optional: `secrets.nix` accepts SSH public keys directly, and ragenix uses the private keys in `~/.ssh` by default. If you use a generated age key instead, pass it to every `ragenix` call with `-i ~/.config/age/keys.txt`.

2. Add your public key to `secrets.nix`. The file maps each encrypted file name (relative to `secrets.nix`) to the list of keys that may decrypt it:

   ```nix
   let
     # Your public key, in either form
     me = "age1...";           # age public key from age-keygen
     # me = "ssh-ed25519 ..."; # or your SSH public key
   in
   {
     "env.age".publicKeys = [ me ];
     "env.azure.age".publicKeys = [ me ];
   }
   ```

3. Create and encrypt the environment files:

   ```bash
   # Create the encrypted .env file
   ragenix -e secrets/env.age

   # Create the encrypted .env.azure file
   ragenix -e secrets/env.azure.age
   ```

   `ragenix` reads its rules from `./secrets.nix` by default; run it from the directory that holds `secrets.nix`, or point it at the file with `--rules path/to/secrets.nix` (the `RULES` environment variable works as well). The editor opens on the plaintext in a temporary location and only the ciphertext is written to the `.age` file.
## Usage in Development

In the development shell:

```bash
# Edit encrypted secrets (add -i ~/.config/age/keys.txt if you use a generated age key)
ragenix -e secrets/env.age

# Re-key secrets after adding or removing a public key in secrets.nix
ragenix -r
```

Re-keying decrypts and re-encrypts every file listed in `secrets.nix` for the current key set, so it needs a private key that can already open the files. Commit the rewritten `.age` files together with the `secrets.nix` change.
## Usage in NixOS

The flake's NixOS module consumes the decrypted file from the path that the agenix module provides:

```nix
{
  services.usda-vision = {
    enable = true;
    secretsFile = config.age.secrets.usda-vision-env.path;
  };

  age.secrets.usda-vision-env = {
    file = ./usda-vision/secrets/env.age;
    # Keep the decrypted file private: 0644 would make it readable by every
    # local user. If the service does not run as root, set `owner`/`group`
    # to its account rather than widening the mode.
    mode = "0400";
  };
}
```

Decryption happens on the host at activation time, using the host's own identities (by default the SSH host keys under `/etc/ssh`, configurable through `age.identityPaths`). The host's public key must therefore be listed in `secrets.nix` for every file it needs, followed by `ragenix -r`; a host that is not a recipient fails at activation rather than at build time.
## Files

- `secrets.nix` - Public keys configuration
- `env.age` - Encrypted main `.env` file
- `env.azure.age` - Encrypted Azure OAuth configuration
- `README.md` - This file
## Security Notes

- Never commit unencrypted `.env` files.
- Keep your age private key secure (`~/.config/age/keys.txt`, or the SSH private key you listed in `secrets.nix`).
- The `.age` encrypted files are safe to commit to git. Git history is permanent, though: anyone who holds a private key that was ever a recipient can decrypt the revisions encrypted to it, and removing a key with `ragenix -r` only protects future revisions. If a key is lost or compromised, rotate the secret values themselves, not just the recipient list.
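The two notes above are easy to check mechanically. The following is an added example, not part of the usda-vision project: a POSIX sh lint for the secrets directory that fails if a plaintext `.env`-style file is present or if a `.age` file does not start with the age format header (`age-encryption.org/v1` for binary output, the `-----BEGIN AGE ENCRYPTED FILE-----` line for armored output), which is what an accidentally copied plaintext file with an `.age` name looks like. The function names, the `.example`/`.sample` allowlist and the files created in the test are assumptions of the example.

```shell
#!/usr/bin/env sh
# Added example (not from the usda-vision project): lint a secrets directory
# so that only age ciphertext is committed. Needs only POSIX sh and head.

AGE_HEADER='age-encryption.org/v1'
AGE_ARMOR='-----BEGIN AGE ENCRYPTED FILE-----'

# looks_encrypted FILE -> 0 if FILE's first line is the age binary or armored header
looks_encrypted() {
  first_line=$(head -n 1 "$1" 2>/dev/null)
  [ "$first_line" = "$AGE_HEADER" ] || [ "$first_line" = "$AGE_ARMOR" ]
}

# check_secrets_dir DIR -> 0 if clean, 1 otherwise; each finding goes to stderr
check_secrets_dir() {
  dir=$1
  status=0

  # 1. Plaintext env files (.env, .env.azure, anything.env) must not exist.
  #    Templates without real values (*.example, *.sample) are allowed
  #    (assumed convention), and *.age is handled below.
  for f in "$dir"/.env "$dir"/.env.* "$dir"/*.env; do
    [ -e "$f" ] || continue
    case $f in
      *.age|*.example|*.sample) continue ;;
    esac
    echo "plaintext env file must not be committed: $f" >&2
    status=1
  done

  # 2. Every .age file must actually be age ciphertext.
  for f in "$dir"/*.age; do
    [ -e "$f" ] || continue
    if ! looks_encrypted "$f"; then
      echo "not age ciphertext (missing header): $f" >&2
      status=1
    fi
  done

  return $status
}
```

To use it as a pre-commit hook, source the file and run `check_secrets_dir secrets` before the commit proceeds; the header check catches the common mistake of `cp .env secrets/env.age`, which `git` would otherwise accept silently.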