From 0ed4008802f09fc035f1bbd4a2d2867c4a89f10f Mon Sep 17 00:00:00 2001
From: Artyom Kazak
Date: Mon, 7 Aug 2023 00:35:48 +0200
Subject: [PATCH] Production secrets will be in DO for now
---
 .env.production.enc | 20 --------------------
 .github/workflows/export.yml | 1 +
 docs/secrets.md | 7 ++++---
 3 files changed, 5 insertions(+), 23 deletions(-)
 delete mode 100644 .env.production.enc
diff --git a/.env.production.enc b/.env.production.enc
deleted file mode 100644
index 55f026b..0000000
--- a/.env.production.enc
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "data": "ENC[AES256_GCM,data:SdjIhZjF2dtF2N3sYmTiS9fCdQtvmwI/J1Glk6uxBgtA5TiXyHd0mlUPVHsNgccFZ75BSse1x+cHCDnYaDrdZvT/o8KhNofUj+fH+SZWu2JvD2g5BumkwSBo2uPtLvLIssDGa5CdScfR4+ueeIWzgLRtIA==,iv:v+OmTW0xbC7rbxFJQw7IkIurPt7L8VpJDUbkFyLdjRs=,tag:8TjgiLhl+3NbxbOWBxzZWg==,type:str]",
- "sops": {
- "kms": null,
- "gcp_kms": null,
- "azure_kv": null,
- "hc_vault": null,
- "age": [
- {
- "recipient": "age1ejkeqvu8cmsvtrphrf3fexfdqrh97v48nq86u3k8untpv226ayqsxz6tu0",
- "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMVnJSb2hiQkk0WWZtbGx4\nTjBIaGZzWWd4RmJhdldlNlkzNjZrTDB1VWtFCnZBQWJZZU5OcG45UkdhMDBQMFJw\ndmdVMUdZR2FvRWphalF0U1M0c3AyVXMKLS0tIDlTRjJxNXI0MThnQzRQamJjVXFE\ndDc3K1ZkTUFxZXY3MjVDYjg0TWl4WE0KPgJGGMFYgatvJkpfoKhiEu4hjtoaGfKz\n6yGwVU+FMqcbXKGFhSSmWosAi40PIgywIjz/l1jygsXU3qsULzyBow==\n-----END AGE ENCRYPTED FILE-----\n"
- }
- ],
- "lastmodified": "2023-08-06T21:44:43Z",
- "mac": "ENC[AES256_GCM,data:c0UCvlJuSeASABPJBC60H+/YQKO6sao6pX0XvrNSbe+qbBquLpYWd4sFRBi/j/G+Tme5AOOuoNNb9YV5H7Ty6nPCnLHXLlupHDxSBeVrL/LcxSido7m9edX1L8b8qpv3zyH44QJUgdgx1RhF0Qe8/IFPwhyeRFt/pWvc89mvv3w=,iv:nl9ZQSF0bHe9qtOJq+NVqr8082y8AYjiPOlbIRo5d/g=,tag:bQBzPQmauq+MZeD+JGKg5Q==,type:str]",
- "pgp": null,
- "unencrypted_suffix": "_unencrypted",
- "version": "3.7.3"
- }
-}
\ No newline at end of file
diff --git a/.github/workflows/export.yml b/.github/workflows/export.yml
index 01b0fef..6cc4f20 100644
--- a/.github/workflows/export.yml +++ b/.github/workflows/export.yml @@ -33,6 +33,7 @@ jobs: - name: Use .env.development # NB: copying instead of symlinking due to https://github.com/vercel/next.js/issues/53086 + # NB 2: we don't decrypt secrets here on purpose — don't want them to potentially leak out in PR build logs run: cp .env.development .env - name: Install dependencies diff --git a/docs/secrets.md b/docs/secrets.md index d39cbcd..39b7c5b 100644 --- a/docs/secrets.md +++ b/docs/secrets.md @@ -2,11 +2,13 @@ ## Overview -Most values in `.env.development` and `.env.production` aren't secret. The ones that are secret, live in `*.enc` files encrypted with Sops. +Most values in `.env.development` aren't secret. The ones that are secret, live in `*.enc` files encrypted with Sops. Some features (eg. Beeminder integration) can only be tested in development mode if you have access to secrets. However, the app should remain runnable in development even without secrets. -The primary reason for using Sops is that eg. development secrets don't belong in DigitalOcean, but they should live somewhere instead of being copied between developers' machines. So we use Sops. Secrets that relate to DigitalOcean infrastructure, like database passwords, live in DigitalOcean settings; else is in Sops. +The primary reason for using Sops is that eg. development secrets don't belong in DigitalOcean, but they should live somewhere instead of being copied between developers' machines. So we use Sops. + +Production secrets still live in DigitalOcean because there is no particularly easy way to add Sops to the DigitalOcean app builder. ## Setting up sops @@ -27,7 +29,6 @@ age-keygen -o "$HOME/Library/Application Support/sops/age/keys.txt" ```bash sops --encrypt --in-place .env.development.enc -sops --encrypt --in-place .env.production.enc ``` ## Editing encrypted files
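Review bot: The new comment on the `Use .env.development` step gives log leakage as the reason for not decrypting, but the invariant that actually keeps PR builds safe is stronger and worth writing down: the sops/age private key must never be provisioned to this workflow (or to any workflow a pull request can trigger), because a PR-controlled step could read a decrypted `.env` directly, not only via log output. I would extend the comment to `# NB 2: secrets are intentionally NOT decrypted here, and the sops/age key must not be added to this workflow — a PR build could expose them in logs or to PR-controlled steps`. The enclosing job and its trigger events start outside the hunk, so I cannot confirm which events run it; if it ever runs on `pull_request_target` with repository secrets available, the comment alone protects nothing. Separately, deleting `.env.production.enc` does not remove its ciphertext from git history, so if the matching age key was ever shared more widely than intended, the production values that file held should be rotated on the DigitalOcean side.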