feat(secrets): add SOPS+age secret management infrastructure

- .sops.yaml: creation rules matching .env.{dev,prod}.sops (dotenv format) - .env.dev.sops: encrypted dev defaults (blank API keys, local paths) - .env.prod.sops: encrypted prod template (placeholder values to fill in) - Makefile: root Makefile with secrets-decrypt-dev/prod, secrets-edit-dev/prod, css-build/watch - .gitignore: add age-key.txt Dev workflow: make secrets-decrypt-dev → .env (repo root) → web app picks it up. Server: deploy.sh will auto-decrypt .env.prod.sops on each deploy. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 10:36:14 +01:00
parent 3ab0cd122f
commit 9d0e6843f4
5 changed files with 121 additions and 0 deletions
--- a/32
+++ b/32
@@ -0,0 +1,32 @@
+TAILWIND := web/bin/tailwindcss
+
+web/bin/tailwindcss:
+	@mkdir -p web/bin
+	curl -sLo web/bin/tailwindcss https://github.com/tailwindlabs/tailwindcss/releases/latest/download/tailwindcss-linux-x64
+	chmod +x web/bin/tailwindcss
+
+css-build: web/bin/tailwindcss
+	$(TAILWIND) -i web/src/beanflows/static/css/input.css -o web/src/beanflows/static/css/output.css --minify
+
+css-watch: web/bin/tailwindcss
+	$(TAILWIND) -i web/src/beanflows/static/css/input.css -o web/src/beanflows/static/css/output.css --watch
+
+# -- Secrets (SOPS + age) --
+# .env.*.sops files use dotenv format but sops can't infer from the extension,
+# so we pass --input-type / --output-type explicitly.
+
+SOPS_DOTENV := sops --input-type dotenv --output-type dotenv
+
+secrets-decrypt-dev:
+	$(SOPS_DOTENV) --decrypt .env.dev.sops > .env
+
+secrets-decrypt-prod:
+	$(SOPS_DOTENV) --decrypt .env.prod.sops > .env
+
+secrets-edit-dev:
+	$(SOPS_DOTENV) .env.dev.sops
+
+secrets-edit-prod:
+	$(SOPS_DOTENV) .env.prod.sops
+
+.PHONY: css-build css-watch secrets-decrypt-dev secrets-decrypt-prod secrets-edit-dev secrets-edit-prod