azaion/admin
1
0
Fork 0
mirror of https://github.com/azaion/admin.git synced 2026-06-21 13:21:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
1e1ded73f5381cc940a585b67138bc9b0c24df63
admin/secrets/README.md
T
Oleksandr Bezdieniezhnykh c7b297de83
ci/woodpecker/push/01-test Pipeline failed
Details
ci/woodpecker/push/02-build-push unknown status
Details
refactor: remove deploy.cmd and update Dockerfile for health checks 
- Deleted the deploy.cmd script as it was no longer needed.
- Updated Dockerfile to include curl for health checks and added a non-root user for improved security.
- Modified health check command to use curl for better reliability.
- Adjusted docker-compose.test.yml to reflect changes in health check configuration.
- Cleaned up appsettings.json and removed unused configuration properties.
- Removed Resource entity and related requests from the codebase as part of the architectural shift.
- Updated documentation to reflect the removal of hardware binding and related endpoints.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-13 08:47:21 +03:00

58 lines
2.6 KiB
Markdown
Raw Blame History

# `secrets/` — sops + age secret material
This folder holds **per-environment** runtime configuration for the Admin API.
| File | Tracked | Encrypted | Loaded by |
|------|---------|-----------|-----------|
| `.sops.yaml` | yes | n/a | sops itself (resolves recipients) |
| `staging.public.env` | yes | no | `scripts/_lib.sh``set -a; .` (loaded BEFORE the encrypted overlay) |
| `production.public.env` | yes | no | same |
| `staging.env` | yes (after first encryption) | **yes** (sops + age) | `scripts/deploy.sh` decrypts to a tempfile then sources it |
| `production.env` | yes (after first encryption) | **yes** (sops + age) | same |
| age private key | **never tracked** | n/a | lives at `/etc/azaion/age.key` on the deploy host (mode 0400) |
## First-time bootstrap on a fresh host
```bash
# 1. Install sops + age on the host
sudo apt-get install -y sops age
# 2. Generate the host's age keypair
sudo install -d -m 0700 /etc/azaion
sudo age-keygen -o /etc/azaion/age.key
sudo chmod 0400 /etc/azaion/age.key
sudo grep '^# public key:' /etc/azaion/age.key
# → copy the public key string
# 3. On a developer machine, replace the placeholder in `secrets/.sops.yaml`
# with the public key from step 2 (for the matching environment), then
# encrypt the env file:
# sops --encrypt --age <public-key> secrets/staging.env > secrets/staging.enc.tmp
# mv secrets/staging.enc.tmp secrets/staging.env
# Commit `.sops.yaml` and the encrypted file together.
# 4. Sanity-check on the host:
SOPS_AGE_KEY_FILE=/etc/azaion/age.key sops -d secrets/staging.env | head
```
## Rotation
See `_docs/04_deploy/environment_strategy.md` §3 for the per-secret rotation cadence and procedure.
## What goes where
- **Public env (staging.public.env / production.public.env)** — anything that is NOT a secret: hostname, port, container name, JWT issuer/audience, resource folder names. Reviewable in PRs.
- **Encrypted env (staging.env / production.env)** — DB connection strings (with passwords), `JwtConfig__Secret`, `REGISTRY_USER`, `REGISTRY_TOKEN`, anything else sensitive. NEVER readable in plain text outside the host.
## Schema (variables that MUST be in the encrypted file)
```
ASPNETCORE_ConnectionStrings__AzaionDb=Host=...;Port=4312;Database=azaion;Username=azaion_reader;Password=...
ASPNETCORE_ConnectionStrings__AzaionDbAdmin=Host=...;Port=4312;Database=azaion;Username=azaion_admin;Password=...
ASPNETCORE_JwtConfig__Secret=<>= 32 random bytes>
REGISTRY_USER=<registry account>
REGISTRY_TOKEN=<registry token>
```
The deploy script will fail-fast if any of the first three are missing once the container starts.
Reference in New Issue View Git Blame Copy Permalink