feat: decrypt sops secrets in deploy.sh before docker compose

Reads age key from /opt/padelnomics/age-key.txt (overridable via SOPS_AGE_KEY_FILE env var). Decrypts .env.prod.sops → .env with chmod 600. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-23 17:04:17 +01:00
parent 9dcf237f6f
commit d91fd40cd2
1 changed files with 5 additions and 0 deletions
--- a/deploy.sh
+++ b/deploy.sh
@@ -1,6 +1,11 @@
 #!/usr/bin/env bash
 set -euo pipefail

+# ── Decrypt secrets ───────────────────────────────────────
+export SOPS_AGE_KEY_FILE="${SOPS_AGE_KEY_FILE:-/opt/padelnomics/age-key.txt}"
+sops --input-type dotenv --output-type dotenv -d .env.prod.sops > .env
+chmod 600 .env
+
 COMPOSE="docker compose -f docker-compose.prod.yml"
 LIVE_FILE=".live-slot"
 ROUTER_CONF="router/default.conf"