Files
Gebos/nix/secrets/secrets.yaml.example
Lars Nolden 58155dc737
check / flake-check (push) Successful in 25s
deploy / deploy (push) Successful in 48s
switch to emqx
2026-07-02 15:19:59 +02:00

40 lines
2.0 KiB
Plaintext

# Template for nix/secrets/secrets.yaml — the sops-encrypted store.
#
# To bootstrap:
# 1. cp nix/secrets/secrets.yaml.example nix/secrets/secrets.yaml
# 2. Replace the placeholder values below with real ones.
# (See nix/secrets/README.md for how to generate JWT_SECRET / ANON_KEY /
# SERVICE_ROLE_KEY etc.)
# 3. sops -e -i nix/secrets/secrets.yaml
# (requires sops + age + the recipients in .sops.yaml to be real keys)
#
# Once encrypted, edit in place with: sops nix/secrets/secrets.yaml
#
# Local dev does NOT need this file at all — process-compose.nix bakes in
# dev defaults and the NixOS modules fall back to a writeText env file when
# nix/secrets/secrets.yaml is absent. This file is only consumed at activation
# time on real hosts.
# Supabase compose stack (consumed on app-host by gebos-supabase.service)
supabase_postgres_password: "replace-me-openssl-rand-hex-32"
supabase_jwt_secret: "replace-me-openssl-rand-hex-32-minimum-32-chars"
supabase_anon_key: "replace-me-jwt-signed-with-jwt_secret-role-anon"
supabase_service_role_key: "replace-me-jwt-signed-with-jwt_secret-role-service_role"
supabase_dashboard_password: "replace-me-studio-basic-auth-password"
# Ingester (consumed on mqtt-ingest by gebos-ingester.service)
ingester_postgres_password: "replace-me-openssl-rand-hex-32"
# Postgres bootstrap (consumed on db-host by a one-shot ALTER ROLE unit)
postgres_admin_password: "replace-me-openssl-rand-hex-32"
# EMQX broker users (consumed on mqtt-ingest by gebos-emqx). Plaintext
# passwords in a bootstrap users.csv (the whole file is sops-encrypted at
# rest); no commas allowed. The ingester will authenticate as `ingester`;
# `admin` is the operational break-glass superuser.
emqx_ingester_password: "replace-me-openssl-rand-hex-32"
emqx_admin_password: "replace-me-openssl-rand-hex-32"
# Shared device login (Option A) — must match mqtt_user/mqtt_password on the
# senders. Per-device users (Option B) are a TODO in gebos-emqx.nix.
emqx_device_password: "replace-me-to-match-the-sender-mqtt_password"