chore: Clean up client secrets directory
- Remove temporary/unencrypted files (dev-temp.yaml, *.tmp) - Rename test.sops.yaml to template.sops.yaml for clarity - Add comprehensive README.md documenting secrets management - Improve security by removing plaintext credentials exposure Files removed: - dev-temp.yaml (contained plaintext credentials - security risk) - dev.sops.yaml.tmp (empty temp file) - test-temp.sops.yaml (empty temp file) Files renamed: - test.sops.yaml → template.sops.yaml (reference template, not deployed) Files added: - README.md (complete documentation for secrets management) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Pieter
parent
dc14b12688
commit
e15fe78488
3 changed files with 122 additions and 0 deletions
122
secrets/clients/README.md
Normal file
122
secrets/clients/README.md
Normal file
|
|
@ -0,0 +1,122 @@
|
||||||
|
# Client Secrets Directory
|
||||||
|
|
||||||
|
This directory contains SOPS-encrypted secrets files for each deployed client.
|
||||||
|
|
||||||
|
## Files
|
||||||
|
|
||||||
|
### Active Clients
|
||||||
|
|
||||||
|
- **`dev.sops.yaml`** - Development/canary server secrets
|
||||||
|
- Status: Deployed
|
||||||
|
- Purpose: Testing and canary deployments
|
||||||
|
|
||||||
|
### Templates
|
||||||
|
|
||||||
|
- **`template.sops.yaml`** - Template for creating new client secrets
|
||||||
|
- Status: Reference only (not deployed)
|
||||||
|
- Purpose: Copy this file when onboarding new clients
|
||||||
|
|
||||||
|
## Creating Secrets for a New Client
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# 1. Copy the template
|
||||||
|
cp secrets/clients/template.sops.yaml secrets/clients/newclient.sops.yaml
|
||||||
|
|
||||||
|
# 2. Edit with SOPS
|
||||||
|
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
|
||||||
|
sops secrets/clients/newclient.sops.yaml
|
||||||
|
|
||||||
|
# 3. Update all fields:
|
||||||
|
# - client_name: newclient
|
||||||
|
# - client_domain: newclient.vrije.cloud
|
||||||
|
# - authentik_domain: auth.newclient.vrije.cloud
|
||||||
|
# - nextcloud_domain: nextcloud.newclient.vrije.cloud
|
||||||
|
# - REGENERATE all passwords and tokens (never reuse!)
|
||||||
|
|
||||||
|
# 4. Deploy the client
|
||||||
|
./scripts/deploy-client.sh newclient
|
||||||
|
```
|
||||||
|
|
||||||
|
## Important Security Notes
|
||||||
|
|
||||||
|
⚠️ **Never commit plaintext secrets!**
|
||||||
|
|
||||||
|
- Only `*.sops.yaml` files should be committed
|
||||||
|
- Temporary files (`*-temp.yaml`, `*.tmp`) are gitignored
|
||||||
|
- Always verify secrets are encrypted: `file secrets/clients/*.sops.yaml`
|
||||||
|
|
||||||
|
⚠️ **Always regenerate secrets for new clients!**
|
||||||
|
|
||||||
|
- Never copy passwords between clients
|
||||||
|
- Use strong random passwords (32+ characters)
|
||||||
|
- Each client must have unique credentials
|
||||||
|
|
||||||
|
## File Naming Convention
|
||||||
|
|
||||||
|
- **Production clients**: `clientname.sops.yaml`
|
||||||
|
- **Development/test**: `dev.sops.yaml`
|
||||||
|
- **Templates**: `template.sops.yaml`
|
||||||
|
- **Never commit**: `*-temp.yaml`, `*.tmp`, `*_plaintext.yaml`
|
||||||
|
|
||||||
|
## Viewing Secrets
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# View encrypted file (shows SOPS metadata)
|
||||||
|
cat secrets/clients/dev.sops.yaml
|
||||||
|
|
||||||
|
# Decrypt and view (requires age key)
|
||||||
|
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
|
||||||
|
sops -d secrets/clients/dev.sops.yaml
|
||||||
|
```
|
||||||
|
|
||||||
|
## Required Secrets per Client
|
||||||
|
|
||||||
|
Each client secrets file must contain:
|
||||||
|
|
||||||
|
### Authentik (Identity Provider)
|
||||||
|
- `authentik_db_password` - PostgreSQL database password
|
||||||
|
- `authentik_secret_key` - Django secret key
|
||||||
|
- `authentik_bootstrap_password` - Initial admin (akadmin) password
|
||||||
|
- `authentik_bootstrap_token` - API token for automation
|
||||||
|
- `authentik_bootstrap_email` - Admin email address
|
||||||
|
|
||||||
|
### Nextcloud (File Storage)
|
||||||
|
- `nextcloud_admin_user` - Admin username (usually "admin")
|
||||||
|
- `nextcloud_admin_password` - Admin password
|
||||||
|
- `nextcloud_db_password` - MariaDB database password
|
||||||
|
- `nextcloud_db_root_password` - MariaDB root password
|
||||||
|
- `redis_password` - Redis cache password
|
||||||
|
|
||||||
|
### Optional
|
||||||
|
- `collabora_admin_password` - Collabora Online admin password (if using)
|
||||||
|
|
||||||
|
## Troubleshooting
|
||||||
|
|
||||||
|
### "No such file or directory: age-key.txt"
|
||||||
|
```bash
|
||||||
|
# Ensure SOPS_AGE_KEY_FILE is set correctly
|
||||||
|
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
|
||||||
|
# Or use absolute path
|
||||||
|
export SOPS_AGE_KEY_FILE="/full/path/to/infrastructure/keys/age-key.txt"
|
||||||
|
```
|
||||||
|
|
||||||
|
### "Failed to decrypt"
|
||||||
|
- Verify you have the correct age private key
|
||||||
|
- Check that `.sops.yaml` references the correct age public key
|
||||||
|
- Ensure the file was encrypted with the same age key
|
||||||
|
|
||||||
|
### "File contains plaintext secrets"
|
||||||
|
```bash
|
||||||
|
# Check if file is properly encrypted
|
||||||
|
file secrets/clients/dev.sops.yaml
|
||||||
|
# Should show: ASCII text (with SOPS encryption metadata)
|
||||||
|
|
||||||
|
# Re-encrypt if needed
|
||||||
|
sops -e -i secrets/clients/dev.sops.yaml
|
||||||
|
```
|
||||||
|
|
||||||
|
## See Also
|
||||||
|
|
||||||
|
- [../README.md](../../secrets/README.md) - Secrets management overview
|
||||||
|
- [../../docs/architecture-decisions.md](../../docs/architecture-decisions.md) - SOPS decision rationale
|
||||||
|
- [SOPS Documentation](https://github.com/getsops/sops)
|
||||||
Loading…
Add table
Reference in a new issue