From d91fd40cd26b1560daaf2b3b320273f312dc216d Mon Sep 17 00:00:00 2001
From: Deeman
Date: Mon, 23 Feb 2026 17:04:17 +0100
Subject: [PATCH] feat: decrypt sops secrets in deploy.sh before docker compose
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reads age key from /opt/padelnomics/age-key.txt (overridable via SOPS_AGE_KEY_FILE env var). Decrypts .env.prod.sops → .env with chmod 600.

Co-Authored-By: Claude Opus 4.6
---
 deploy.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/deploy.sh b/deploy.sh
index a82777f..74497c5 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -1,6 +1,11 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
+# ── Decrypt secrets ───────────────────────────────────────
+export SOPS_AGE_KEY_FILE="${SOPS_AGE_KEY_FILE:-/opt/padelnomics/age-key.txt}"
+sops --input-type dotenv --output-type dotenv -d .env.prod.sops > .env
+chmod 600 .env
+
 COMPOSE="docker compose -f docker-compose.prod.yml"
 LIVE_FILE=".live-slot"
 ROUTER_CONF="router/default.conf"
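Review bot: The plaintext `.env` is created by the `> .env` redirect under the process umask and only tightened by `chmod 600 .env` afterwards, so if the deploy user runs with the common 022 umask, the decrypted secrets are briefly readable by other local accounts. A pre-existing `.env` with looser permissions also keeps them while it is being rewritten. The same redirect truncates `.env` before sops runs, so a failed decrypt (missing or wrong age key) leaves an empty file behind when `set -e` aborts the deploy. Decrypting into a `mktemp` file in the same directory, which is created owner-only, and renaming it over `.env` only on success closes both gaps. The rest of deploy.sh lies outside this hunk, so whether a later step depends on `.env` being rewritten in place should be confirmed.

```shell
# … unchanged: export SOPS_AGE_KEY_FILE default …
tmp_env="$(mktemp .env.XXXXXX)"   # created owner-only, never wider than 0600
if ! sops --input-type dotenv --output-type dotenv -d .env.prod.sops > "$tmp_env"; then
  rm -f -- "$tmp_env"             # do not leave a partial plaintext file behind
  exit 1
fi
mv -- "$tmp_env" .env             # atomic replace; previous .env survives a failed decrypt
```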