feat(secrets): add SOPS+age secret management infrastructure

- .sops.yaml: creation rules matching .env.{dev,prod}.sops (dotenv format)
- .env.dev.sops: encrypted dev defaults (blank API keys, local paths)
- .env.prod.sops: encrypted prod template (placeholder values to fill in)
- Makefile: root Makefile with secrets-decrypt-dev/prod, secrets-edit-dev/prod, css-build/watch
- .gitignore: add age-key.txt

Dev workflow: make secrets-decrypt-dev → .env (repo root) → web app picks it up.
Server: deploy.sh will auto-decrypt .env.prod.sops on each deploy.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Deeman
2026-02-26 10:36:14 +01:00
parent 3ab0cd122f
commit 9d0e6843f4
5 changed files with 121 additions and 0 deletions

32
Makefile Normal file
View File

@@ -0,0 +1,32 @@
TAILWIND := web/bin/tailwindcss
web/bin/tailwindcss:
@mkdir -p web/bin
curl -sLo web/bin/tailwindcss https://github.com/tailwindlabs/tailwindcss/releases/latest/download/tailwindcss-linux-x64
chmod +x web/bin/tailwindcss
css-build: web/bin/tailwindcss
$(TAILWIND) -i web/src/beanflows/static/css/input.css -o web/src/beanflows/static/css/output.css --minify
css-watch: web/bin/tailwindcss
$(TAILWIND) -i web/src/beanflows/static/css/input.css -o web/src/beanflows/static/css/output.css --watch
# -- Secrets (SOPS + age) --
# .env.*.sops files use dotenv format but sops can't infer from the extension,
# so we pass --input-type / --output-type explicitly.
SOPS_DOTENV := sops --input-type dotenv --output-type dotenv
secrets-decrypt-dev:
$(SOPS_DOTENV) --decrypt .env.dev.sops > .env
secrets-decrypt-prod:
$(SOPS_DOTENV) --decrypt .env.prod.sops > .env
secrets-edit-dev:
$(SOPS_DOTENV) .env.dev.sops
secrets-edit-prod:
$(SOPS_DOTENV) .env.prod.sops
.PHONY: css-build css-watch secrets-decrypt-dev secrets-decrypt-prod secrets-edit-dev secrets-edit-prod