# USDA Vision Secrets Management

This directory contains encrypted secrets managed by [ragenix](https://github.com/yaxitech/ragenix).

## Setup
1. **Generate an age key** (if you don't have one):

   ```bash
   # Generate a new age key pair; the matching public key is printed on stderr
   age-keygen -o ~/.config/age/keys.txt

   # Or derive an age public key from your existing SSH public key
   ssh-to-age < ~/.ssh/id_ed25519.pub
   ```
2. **Add your public key to `secrets.nix`**:

   ```nix
   let
     keys = [
       "age1..."          # Your age public key
       "ssh-ed25519 ..."  # Or your SSH public key
     ];
   in
   {
     # ragenix rules are keyed by secret path; each attribute name must match
     # the path you pass to `ragenix -e`, and lists who can decrypt that file
     "env.age".publicKeys = keys;
     "env.azure.age".publicKeys = keys;
   }
   ```
3. **Create and encrypt environment files**:

   ```bash
   # Create the encrypted .env file (opens your $EDITOR, encrypts on save)
   ragenix -e secrets/env.age

   # Create the encrypted .env.azure file
   ragenix -e secrets/env.azure.age
   ```
## Usage in Development

In the development shell:

```bash
# Edit encrypted secrets
ragenix -e secrets/env.age

# Re-key (re-encrypt) all secrets after adding a new public key to secrets.nix
ragenix -r
```
## Usage in NixOS

The flake's NixOS module automatically handles decryption:

```nix
{ config, ... }:
{
  services.usda-vision = {
    enable = true;
    secretsFile = config.age.secrets.usda-vision-env.path;
  };

  age.secrets.usda-vision-env = {
    file = ./usda-vision/secrets/env.age;
    # 0644 leaves the decrypted file world-readable on the host; if the service
    # runs as its own user, set owner/group and a tighter mode such as "0400"
    mode = "0644";
  };
}
```
## Files

- `secrets.nix` - Public keys (recipients) used to encrypt each secret
- `env.age` - Encrypted main .env file
- `env.azure.age` - Encrypted Azure OAuth configuration
- `README.md` - This file
## Security Notes

- Never commit unencrypted `.env` files
- Keep your age private key secure (`~/.config/age/keys.txt`)
- The `.age` encrypted files are safe to commit to git; only holders of a private key listed in `secrets.nix` can decrypt them
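
An added example, not part of this repository or of ragenix, that turns the first and third notes into a git pre-commit check: it refuses staged plaintext `.env` files and verifies that every staged `.age` file starts with an age header (binary or ASCII-armored), so a plaintext file that was merely renamed to `.age` never reaches git. The file names checked and the hook location are assumptions.

```shell
#!/usr/bin/env sh
# Pre-commit guard for this secrets directory (added example, not ragenix's
# own tooling). Reads staged paths, refuses plaintext env files, and checks
# that each *.age file really carries an age header.

# Return 0 if the file starts like age ciphertext (binary or ASCII-armored).
is_age_encrypted() {
  first=$(head -n 1 "$1" 2>/dev/null || true)
  case "$first" in
    "age-encryption.org/v1"*)              return 0 ;;  # binary format header
    "-----BEGIN AGE ENCRYPTED FILE-----"*) return 0 ;;  # armored format header
    *)                                     return 1 ;;
  esac
}

# Read one path per line on stdin, print one line per violation,
# return 1 if anything must not be committed.
check_paths() {
  rc=0
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    case "$path" in
      *.age)
        if ! is_age_encrypted "$path"; then
          echo "REFUSE: $path has no age header (plaintext renamed to .age?)"
          rc=1
        fi ;;
      *.env|*.env.*)
        echo "REFUSE: plaintext env file staged: $path"
        rc=1 ;;
    esac
  done
  return "$rc"
}

# Hook usage: save as .git/hooks/pre-commit (or call from it) and run
#   git diff --cached --name-only --diff-filter=ACM | check_paths
```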