# Template for nix/secrets/secrets.yaml — the sops-encrypted store. # # To bootstrap: # 1. cp nix/secrets/secrets.yaml.example nix/secrets/secrets.yaml # 2. Replace the placeholder values below with real ones. # (See nix/secrets/README.md for how to generate JWT_SECRET / ANON_KEY / # SERVICE_ROLE_KEY etc.) # 3. sops -e -i nix/secrets/secrets.yaml # (requires sops + age + the recipients in .sops.yaml to be real keys) # # Once encrypted, edit in place with: sops nix/secrets/secrets.yaml # # Local dev does NOT need this file at all — process-compose.nix bakes in # dev defaults and the NixOS modules fall back to a writeText env file when # nix/secrets/secrets.yaml is absent. This file is only consumed at activation # time on real hosts. # Supabase compose stack (consumed on app-host by gebos-supabase.service) supabase_postgres_password: "replace-me-openssl-rand-hex-32" supabase_jwt_secret: "replace-me-openssl-rand-hex-32-minimum-32-chars" supabase_anon_key: "replace-me-jwt-signed-with-jwt_secret-role-anon" supabase_service_role_key: "replace-me-jwt-signed-with-jwt_secret-role-service_role" supabase_dashboard_password: "replace-me-studio-basic-auth-password" # Ingester (consumed on mqtt-ingest by gebos-ingester.service) ingester_postgres_password: "replace-me-openssl-rand-hex-32" # Postgres bootstrap (consumed on db-host by a one-shot ALTER ROLE unit) postgres_admin_password: "replace-me-openssl-rand-hex-32" # HiveMQ file-RBAC broker users (consumed on mqtt-ingest by gebos-hivemq). # PLAIN passwords (password-type defaults to PLAIN; the whole file is sops- # encrypted). The ingester will authenticate as `ingester`; `admin` is for ops. hivemq_ingester_password: "replace-me-openssl-rand-hex-32" hivemq_admin_password: "replace-me-openssl-rand-hex-32" # Shared device login (Option A) — must match mqtt_user/mqtt_password on the # senders. Per-device users (Option B) are a TODO in gebos-secrets.nix. hivemq_device_password: "replace-me-to-match-the-sender-mqtt_password"