40 lines
2.0 KiB
Plaintext
40 lines
2.0 KiB
Plaintext
# Template for nix/secrets/secrets.yaml — the sops-encrypted store.
|
|
#
|
|
# To bootstrap:
|
|
# 1. cp nix/secrets/secrets.yaml.example nix/secrets/secrets.yaml
|
|
# 2. Replace the placeholder values below with real ones.
|
|
# (See nix/secrets/README.md for how to generate JWT_SECRET / ANON_KEY /
|
|
# SERVICE_ROLE_KEY etc.)
|
|
# 3. sops -e -i nix/secrets/secrets.yaml
|
|
# (requires sops + age + the recipients in .sops.yaml to be real keys)
|
|
#
|
|
# Once encrypted, edit in place with: sops nix/secrets/secrets.yaml
|
|
#
|
|
# Local dev does NOT need this file at all — process-compose.nix bakes in
|
|
# dev defaults and the NixOS modules fall back to a writeText env file when
|
|
# nix/secrets/secrets.yaml is absent. This file is only consumed at activation
|
|
# time on real hosts.
|
|
|
|
# Supabase compose stack (consumed on app-host by gebos-supabase.service)
|
|
supabase_postgres_password: "replace-me-openssl-rand-hex-32"
|
|
supabase_jwt_secret: "replace-me-openssl-rand-hex-32-minimum-32-chars"
|
|
supabase_anon_key: "replace-me-jwt-signed-with-jwt_secret-role-anon"
|
|
supabase_service_role_key: "replace-me-jwt-signed-with-jwt_secret-role-service_role"
|
|
supabase_dashboard_password: "replace-me-studio-basic-auth-password"
|
|
|
|
# Ingester (consumed on mqtt-ingest by gebos-ingester.service)
|
|
ingester_postgres_password: "replace-me-openssl-rand-hex-32"
|
|
|
|
# Postgres bootstrap (consumed on db-host by a one-shot ALTER ROLE unit)
|
|
postgres_admin_password: "replace-me-openssl-rand-hex-32"
|
|
|
|
# EMQX broker users (consumed on mqtt-ingest by gebos-emqx). Plaintext
|
|
# passwords in a bootstrap users.csv (the whole file is sops-encrypted at
|
|
# rest); no commas allowed. The ingester will authenticate as `ingester`;
|
|
# `admin` is the operational break-glass superuser.
|
|
emqx_ingester_password: "replace-me-openssl-rand-hex-32"
|
|
emqx_admin_password: "replace-me-openssl-rand-hex-32"
|
|
# Shared device login (Option A) — must match mqtt_user/mqtt_password on the
|
|
# senders. Per-device users (Option B) are a TODO in gebos-emqx.nix.
|
|
emqx_device_password: "replace-me-to-match-the-sender-mqtt_password"
|