
USDA Vision Secrets Management

This directory contains encrypted secrets managed by ragenix.

Setup

  1. Generate an age key (if you don't have one):

    # Generate a new age key
    age-keygen -o ~/.config/age/keys.txt
    
    # Or derive an age public key from your existing SSH public key
    ssh-to-age < ~/.ssh/id_ed25519.pub
    
  2. Add your public key to secrets.nix. ragenix uses the agenix rules format: one attribute per encrypted file, listing the keys allowed to decrypt it:

    {
      "env.age".publicKeys = [
        "age1..." # Your age public key
        "ssh-ed25519 ..." # Or your SSH public key
      ];
      "env.azure.age".publicKeys = [
        "age1..."
        "ssh-ed25519 ..."
      ];
    }
    
  3. Create and encrypt environment files:

    # Create the encrypted .env file
    ragenix -e secrets/env.age
    
    # Create the encrypted .env.azure file
    ragenix -e secrets/env.azure.age
    

Usage in Development

In the development shell:

# Edit encrypted secrets
ragenix -e secrets/env.age

# Re-key secrets after adding a new public key
ragenix -r

Usage in NixOS

The flake's NixOS module automatically handles decryption. The decrypted file lives at age.secrets.<name>.path on the target host, so the mode set there controls who can read the plaintext: "0644" as in the example below is world-readable, whereas setting owner and group to the service's user with a more restrictive mode limits exposure to that service.

{
  services.usda-vision = {
    enable = true;
    secretsFile = config.age.secrets.usda-vision-env.path;
  };

  age.secrets.usda-vision-env = {
    file = ./usda-vision/secrets/env.age;
    mode = "0644";
  };
}

Files

  • secrets.nix - Public keys configuration
  • env.age - Encrypted main .env file
  • env.azure.age - Encrypted Azure OAuth configuration
  • README.md - This file

Security Notes

  • Never commit unencrypted .env files
  • Keep your age private key secure (~/.config/age/keys.txt)
  • The .age encrypted files are safe to commit to git
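A check that enforces the first and third notes, added here as an example and not part of the usda-vision project: a POSIX shell function that scans the secrets directory for plaintext env files and confirms that every .age file actually begins with an age header (the binary format's age-encryption.org/v1 line or the ASCII-armor -----BEGIN AGE ENCRYPTED FILE----- line), so a plaintext file that was merely renamed to .age is caught as well. The file-name patterns and the directory path are assumptions.

```shell
#!/bin/sh
# Added example (not the usda-vision project's own code): a pre-commit style check
# for a ragenix secrets directory. It flags plaintext env files and any *.age file
# that does not start with an age header. The file-name patterns are assumptions.

# is_age_file FILE: returns 0 if FILE begins with an age header (binary or ASCII-armored).
is_age_file() {
    first_line=$(head -n 1 "$1" 2>/dev/null)
    case "$first_line" in
        "age-encryption.org/v1" | "-----BEGIN AGE ENCRYPTED FILE-----") return 0 ;;
        *) return 1 ;;
    esac
}

# check_secrets_dir DIR: prints one line per finding; returns 0 when clean, 1 otherwise.
check_secrets_dir() {
    dir=$1
    findings=0

    # 1. Any env-style file that is not an .age ciphertext is a plaintext secret.
    for f in "$dir"/.env "$dir"/.env.* "$dir"/*.env; do
        [ -e "$f" ] || continue
        case "$f" in *.age) continue ;; esac
        echo "plaintext env file must not be committed: $f"
        findings=$((findings + 1))
    done

    # 2. Every .age file must really be age ciphertext, not a renamed plaintext file.
    for f in "$dir"/*.age; do
        [ -e "$f" ] || continue
        if ! is_age_file "$f"; then
            echo "not age ciphertext (plaintext renamed?): $f"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}

# Stand-alone use (directory path assumed):
#   check_secrets_dir usda-vision/secrets || exit 1
```

To run it before every commit, source the file from .git/hooks/pre-commit and exit non-zero when check_secrets_dir fails; the header check is deliberately strict so that an empty or partially written .age file is rejected rather than committed.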