36 lines
1.8 KiB
Plaintext
36 lines
1.8 KiB
Plaintext
# Template for nix/secrets/secrets.yaml — the sops-encrypted store.
|
|
#
|
|
# To bootstrap:
|
|
# 1. cp nix/secrets/secrets.yaml.example nix/secrets/secrets.yaml
|
|
# 2. Replace the placeholder values below with real ones.
|
|
# (See nix/secrets/README.md for how to generate JWT_SECRET / ANON_KEY /
|
|
# SERVICE_ROLE_KEY etc.)
|
|
# 3. sops -e -i nix/secrets/secrets.yaml
|
|
# (requires sops + age + the recipients in .sops.yaml to be real keys)
|
|
#
|
|
# Once encrypted, edit in place with: sops nix/secrets/secrets.yaml
|
|
#
|
|
# Local dev does NOT need this file at all — process-compose.nix bakes in
|
|
# dev defaults and the NixOS modules fall back to a writeText env file when
|
|
# nix/secrets/secrets.yaml is absent. This file is only consumed at activation
|
|
# time on real hosts.
|
|
|
|
# Supabase compose stack (consumed on app-host by gebos-supabase.service)
|
|
supabase_postgres_password: "replace-me-openssl-rand-hex-32"
|
|
supabase_jwt_secret: "replace-me-openssl-rand-hex-32-minimum-32-chars"
|
|
supabase_anon_key: "replace-me-jwt-signed-with-jwt_secret-role-anon"
|
|
supabase_service_role_key: "replace-me-jwt-signed-with-jwt_secret-role-service_role"
|
|
supabase_dashboard_password: "replace-me-studio-basic-auth-password"
|
|
|
|
# Ingester (consumed on mqtt-ingest by gebos-ingester.service)
|
|
ingester_postgres_password: "replace-me-openssl-rand-hex-32"
|
|
|
|
# Postgres bootstrap (consumed on db-host by a one-shot ALTER ROLE unit)
|
|
postgres_admin_password: "replace-me-openssl-rand-hex-32"
|
|
|
|
# HiveMQ file-RBAC broker users (consumed on mqtt-ingest by gebos-hivemq).
|
|
# PLAIN passwords (password-type defaults to PLAIN; the whole file is sops-
|
|
# encrypted). The ingester will authenticate as `ingester`; `admin` is for ops.
|
|
hivemq_ingester_password: "replace-me-openssl-rand-hex-32"
|
|
hivemq_admin_password: "replace-me-openssl-rand-hex-32"
|