Post-Tyranny-Tech-Infrastructure/secrets/clients/README.md

# Client Secrets Directory

This directory contains SOPS-encrypted secrets files for each deployed client.

## Files

### Active Clients

- **`dev.sops.yaml`** - Development/canary server secrets
  - Status: Deployed
  - Purpose: Testing and canary deployments

### Templates

- **`template.sops.yaml`** - Template for creating new client secrets
  - Status: Reference only (not deployed)
  - Purpose: Copy this file when onboarding new clients

## Creating Secrets for a New Client

```bash
# 1. Copy the template
cp secrets/clients/template.sops.yaml secrets/clients/newclient.sops.yaml

# 2. Edit with SOPS
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
sops secrets/clients/newclient.sops.yaml

# 3. Update all fields:
#    - client_name: newclient
#    - client_domain: newclient.vrije.cloud
#    - authentik_domain: auth.newclient.vrije.cloud
#    - nextcloud_domain: nextcloud.newclient.vrije.cloud
#    - REGENERATE all passwords and tokens (never reuse!)

# 4. Deploy the client
./scripts/deploy-client.sh newclient
```

## Important Security Notes

⚠️ **Never commit plaintext secrets!**

- Only `*.sops.yaml` files should be committed
- Temporary files (`*-temp.yaml`, `*.tmp`) are gitignored
- Always verify secrets are encrypted: `file secrets/clients/*.sops.yaml`

⚠️ **Always regenerate secrets for new clients!**

- Never copy passwords between clients
- Use strong random passwords (32+ characters)
- Each client must have unique credentials

## File Naming Convention

- **Production clients**: `clientname.sops.yaml`
- **Development/test**: `dev.sops.yaml`
- **Templates**: `template.sops.yaml`
- **Never commit**: `*-temp.yaml`, `*.tmp`, `*_plaintext.yaml`

## Viewing Secrets

```bash
# View encrypted file (shows SOPS metadata)
cat secrets/clients/dev.sops.yaml

# Decrypt and view (requires age key)
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
sops -d secrets/clients/dev.sops.yaml
```

## Required Secrets per Client

Each client secrets file must contain:

### Authentik (Identity Provider)
- `authentik_db_password` - PostgreSQL database password
- `authentik_secret_key` - Django secret key
- `authentik_bootstrap_password` - Initial admin (akadmin) password
- `authentik_bootstrap_token` - API token for automation
- `authentik_bootstrap_email` - Admin email address

### Nextcloud (File Storage)
- `nextcloud_admin_user` - Admin username (usually "admin")
- `nextcloud_admin_password` - Admin password
- `nextcloud_db_password` - MariaDB database password
- `nextcloud_db_root_password` - MariaDB root password
- `redis_password` - Redis cache password

### Optional
- `collabora_admin_password` - Collabora Online admin password (if using)

## Troubleshooting

### "No such file or directory: age-key.txt"
```bash
# Ensure SOPS_AGE_KEY_FILE is set correctly
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
# Or use absolute path
export SOPS_AGE_KEY_FILE="/full/path/to/infrastructure/keys/age-key.txt"
```

### "Failed to decrypt"
- Verify you have the correct age private key
- Check that `.sops.yaml` references the correct age public key
- Ensure the file was encrypted with the same age key

### "File contains plaintext secrets"
```bash
# Check if file is properly encrypted
file secrets/clients/dev.sops.yaml
# Should show: ASCII text (with SOPS encryption metadata)

# Re-encrypt if needed
sops -e -i secrets/clients/dev.sops.yaml
```

## See Also

- [../README.md](../../secrets/README.md) - Secrets management overview
- [../../docs/architecture-decisions.md](../../docs/architecture-decisions.md) - SOPS decision rationale
- [SOPS Documentation](https://github.com/getsops/sops)