From fcf66104cbc6be3e69069910108650ac3bcaae3a Mon Sep 17 00:00:00 2001
From: Deeman
Date: Mon, 23 Feb 2026 17:15:22 +0100
Subject: [PATCH] feat: install sops + age in setup_server.sh

Installs age and sops binaries, generates an age keypair at /opt/padelnomics/age-key.txt, and prints the public key in next steps so it can be added to .sops.yaml.

Co-Authored-By: Claude Opus 4.6
---
 infra/setup_server.sh | 50 +++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 48 insertions(+), 2 deletions(-)

diff --git a/infra/setup_server.sh b/infra/setup_server.sh
index 20417b7..8c7ed79 100644
--- a/infra/setup_server.sh
+++ b/infra/setup_server.sh
@@ -38,6 +38,46 @@ else
 echo "Deploy key already exists, skipping"
 fi
 
+# Install sops + age (encrypted secrets)
+AGE_KEY_FILE="$APP_DIR/age-key.txt"
+ARCH=$(uname -m)
+case "$ARCH" in
+ x86_64) ARCH_SOPS="amd64"; ARCH_AGE="amd64" ;;
+ aarch64) ARCH_SOPS="arm64"; ARCH_AGE="arm64" ;;
+ *) echo "Unsupported architecture: $ARCH"; exit 1 ;;
+esac
+
+if ! command -v age &>/dev/null; then
+ echo "Installing age..."
+ AGE_VERSION="v1.3.1"
+ curl -fsSL "https://dl.filippo.io/age/${AGE_VERSION}?for=linux/${ARCH_AGE}" -o /tmp/age.tar.gz
+ tar -xzf /tmp/age.tar.gz -C /usr/local/bin --strip-components=1 age/age age/age-keygen
+ chmod +x /usr/local/bin/age /usr/local/bin/age-keygen
+ rm /tmp/age.tar.gz
+ echo "Installed age $(age --version)"
+else
+ echo "age already installed, skipping"
+fi
+
+if ! command -v sops &>/dev/null; then
+ echo "Installing sops..."
+ SOPS_VERSION="v3.12.1"
+ curl -fsSL "https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.${ARCH_SOPS}" -o /usr/local/bin/sops
+ chmod +x /usr/local/bin/sops
+ echo "Installed sops $(sops --version)"
+else
+ echo "sops already installed, skipping"
+fi
+
+# Generate age keypair for this server (used by deploy.sh to decrypt secrets)
+if [ ! -f "$AGE_KEY_FILE" ]; then
+ age-keygen -o "$AGE_KEY_FILE" 2>&1
+ chmod 600 "$AGE_KEY_FILE"
+ echo "Generated age key: $AGE_KEY_FILE"
+else
+ echo "Age key already exists: $AGE_KEY_FILE"
+fi
+
 # Install rclone (landing zone backup to R2)
 if ! command -v rclone &>/dev/null; then
 echo "Installing rclone..."
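Review bot: Both new installers place an unverified download directly into PATH as root — `curl -fsSL ... -o /usr/local/bin/sops` and the `tar -xzf /tmp/age.tar.gz -C /usr/local/bin` extraction trust whatever the CDN or GitHub returns, with no checksum or signature check, and these are the very binaries that will later decrypt the production secrets. Writing into the final path also means an interrupted transfer leaves a truncated `sops` in /usr/local/bin, and the `command -v sops` guard then skips the install on the next run instead of repairing it; the fixed `/tmp/age.tar.gz` name is likewise a predictable root-owned temp path. I would download to a `mktemp` file, compare it against a SHA-256 pinned next to `SOPS_VERSION`/`AGE_VERSION` (per architecture, so it belongs in the `case` alongside `ARCH_SOPS`/`ARCH_AGE`), and only then `install -m 0755` it; the sops branch is shown below and the age branch should verify the tarball the same way before `tar` runs. The pinned digests must be taken from the upstream release assets (or a one-time verified download) and bumped together with the version strings.

```shell
# in the case statement: set SOPS_SHA256 (and AGE_SHA256) per architecture
# … unchanged: age install …
if ! command -v sops &>/dev/null; then
  echo "Installing sops..."
  SOPS_VERSION="v3.12.1"
  # SOPS_SHA256 is the release digest for sops-${SOPS_VERSION}.linux.${ARCH_SOPS}, set in the case above
  tmp=$(mktemp)
  curl -fsSL "https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.${ARCH_SOPS}" -o "$tmp"
  printf '%s  %s\n' "$SOPS_SHA256" "$tmp" | sha256sum -c --quiet \
    || { echo "sops checksum mismatch, aborting" >&2; rm -f -- "$tmp"; exit 1; }
  install -m 0755 -- "$tmp" /usr/local/bin/sops
  rm -f -- "$tmp"
  echo "Installed sops $(sops --version)"
# … unchanged: else branch …
```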
@@ -70,8 +110,14 @@ echo "1. Add this deploy key to GitLab (Settings → Repository → Deploy Keys,
 echo ""
 cat "$KEY_PATH.pub"
 echo ""
-echo "2. Clone the repo:"
+echo "2. Add this server's age public key to .sops.yaml (comma-separated with existing keys):"
+echo ""
+grep "public key:" "$AGE_KEY_FILE" | awk '{print $NF}'
+echo ""
+echo " Then re-encrypt prod secrets: sops updatekeys .env.prod.sops"
+echo ""
+echo "3. Clone the repo:"
 echo " git clone git@gitlab.com:YOUR_USER/padelnomics.git $APP_DIR"
 echo ""
-echo "3. Deploy:"
+echo "4. Deploy:"
 echo " cd $APP_DIR && bash deploy.sh"
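Review bot: The key this hunk prints from lives at `$APP_DIR/age-key.txt` (per the commit message, /opt/padelnomics), yet step 3 still instructs `git clone ... $APP_DIR`, and git refuses to clone into a non-empty directory — so unless the deploy-key step already populates `$APP_DIR` in a way that works today, the generated key breaks the documented order. Keeping the private identity outside the checkout (a path deploy.sh reads, not the repo root) also keeps it out of the working tree where a stray `git add -A` could commit it; if it must stay there, add `age-key.txt` to `.gitignore` and say so in step 2. Separately, `grep "public key:" "$AGE_KEY_FILE" | awk '{print $NF}'` depends on the comment header age-keygen happens to write; `age-keygen -y "$AGE_KEY_FILE"` derives the recipient from the identity itself and is the supported way to print it. The "next steps" echo block begins before this hunk.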