diff --git a/Makefile b/Makefile
index 2e11d36..2de2240 100644
--- a/Makefile
+++ b/Makefile
@@ -5,7 +5,8 @@ SOPS_DOTENV := sops --input-type dotenv --output-type dotenv
 .PHONY: help dev init-landing-seeds css-build css-watch \
 secrets-decrypt-dev secrets-decrypt-prod \
 secrets-edit-dev secrets-edit-prod \
- secrets-encrypt-dev secrets-encrypt-prod
+ secrets-encrypt-dev secrets-encrypt-prod \
+ secrets-updatekeys-prod
 help:
 @echo "Available targets:"
@@ -19,6 +20,7 @@ help:
 @echo " secrets-edit-prod Edit .env.prod.sops in \$$EDITOR"
 @echo " secrets-encrypt-dev Encrypt .env (plaintext) → .env.dev.sops"
 @echo " secrets-encrypt-prod Encrypt .env (plaintext) → .env.prod.sops"
+ @echo " secrets-updatekeys-prod Re-encrypt .env.prod.sops for all keys in .sops.yaml"
 # ── Dev environment ───────────────────────────────────────────────────────────
@@ -73,3 +75,6 @@ secrets-encrypt-dev:
 secrets-encrypt-prod:
 $(SOPS_DOTENV) --encrypt --in-place .env.prod.sops
 @echo "Encrypted .env.prod.sops (commit this file)"
+
+secrets-updatekeys-prod:
+ sops updatekeys --input-type dotenv .env.prod.sops
diff --git a/infra/setup_server.sh b/infra/setup_server.sh
index d34865d..f265bc4 100644
--- a/infra/setup_server.sh
+++ b/infra/setup_server.sh
@@ -172,7 +172,7 @@ echo " 2. Add the server age key to .sops.yaml (comma-separated):"
 echo " age: ,${AGE_PUB}"
 echo ""
 echo " 3. Re-encrypt and push:"
-echo " sops updatekeys .env.prod.sops"
+echo " make secrets-updatekeys-prod"
 echo " git add .sops.yaml .env.prod.sops"
 echo " git commit -m 'chore: add server age key'"
 echo " git push"
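Review bot: The new `secrets-updatekeys-prod` target in the third Makefile hunk changes who can decrypt production secrets, but nothing tells the operator what to check before confirming. `sops updatekeys` re-wraps the file's data key for the recipients currently listed in `.sops.yaml` and prints the recipient changes for confirmation, so I would add above the target `# Grants decryption of .env.prod.sops to every recipient in .sops.yaml; review the key diff sops prints before confirming.` It does not generate a new data key, so the help line "Re-encrypt .env.prod.sops for all keys in .sops.yaml" in the second hunk overstates what happens when a key is being removed: a removed recipient can still read earlier commits of the file, and that case needs a data-key rotation plus new secret values. The recipe also writes `--input-type dotenv` by hand while the neighbouring targets go through `$(SOPS_DOTENV)`; whether `updatekeys` accepts that flag presumably depends on the installed sops release, so confirm it on the oldest version the team runs.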