2dd5ed5877
check / flake-check (pull_request) Has been cancelled
- sops-nix flake input, age + ssh-to-age in devShell, .sops.yaml with per-host recipients (real pubkeys still TODO until lars bootstraps). - nix/modules/gebos-secrets.nix centralises per-host secret subsets and renders /run/secrets/gebos-env via sops.templates. Service modules now read EnvironmentFile= from services.gebos.secrets.envFile instead of the placeholder /etc/gebos/secrets.env. - Falls back to a writeText env file when nix/secrets/secrets.yaml is absent, so `nix flake check` and first-boot eval work pre-bootstrap. - nix/secrets/README.md walks through age key + sops bootstrap. - Dev defaults: ingester binary falls back to local tcp/postgres URLs, process-compose adds mosquitto and wires GEBOS_MQTT_BROKER / GEBOS_POSTGRES_URL / GEBOS_POSTGRES_PASSWORD + VITE_SUPABASE_URL / VITE_SUPABASE_ANON_KEY, frontend defaults to 127.0.0.1:8000 in DEV. Refs #23 (comment #110).
30 lines
1.4 KiB
Plaintext
30 lines
1.4 KiB
Plaintext
# Template for nix/secrets/secrets.yaml — the sops-encrypted store.
|
|
#
|
|
# To bootstrap:
|
|
# 1. cp nix/secrets/secrets.yaml.example nix/secrets/secrets.yaml
|
|
# 2. Replace the placeholder values below with real ones.
|
|
# (See nix/secrets/README.md for how to generate JWT_SECRET / ANON_KEY /
|
|
# SERVICE_ROLE_KEY etc.)
|
|
# 3. sops -e -i nix/secrets/secrets.yaml
|
|
# (requires sops + age + the recipients in .sops.yaml to be real keys)
|
|
#
|
|
# Once encrypted, edit in place with: sops nix/secrets/secrets.yaml
|
|
#
|
|
# Local dev does NOT need this file at all — process-compose.nix bakes in
|
|
# dev defaults and the NixOS modules fall back to a writeText env file when
|
|
# nix/secrets/secrets.yaml is absent. This file is only consumed at activation
|
|
# time on real hosts.
|
|
|
|
# Supabase compose stack (consumed on app-host by gebos-supabase.service)
|
|
supabase_postgres_password: "replace-me-openssl-rand-hex-32"
|
|
supabase_jwt_secret: "replace-me-openssl-rand-hex-32-minimum-32-chars"
|
|
supabase_anon_key: "replace-me-jwt-signed-with-jwt_secret-role-anon"
|
|
supabase_service_role_key: "replace-me-jwt-signed-with-jwt_secret-role-service_role"
|
|
supabase_dashboard_password: "replace-me-studio-basic-auth-password"
|
|
|
|
# Ingester (consumed on mqtt-ingest by gebos-ingester.service)
|
|
ingester_postgres_password: "replace-me-openssl-rand-hex-32"
|
|
|
|
# Postgres bootstrap (consumed on db-host by a one-shot ALTER ROLE unit)
|
|
postgres_admin_password: "replace-me-openssl-rand-hex-32"
|