chore: Clean up client secrets directory
- Remove temporary/unencrypted files (dev-temp.yaml, *.tmp) - Rename test.sops.yaml to template.sops.yaml for clarity - Add comprehensive README.md documenting secrets management - Improve security by removing plaintext credentials exposure Files removed: - dev-temp.yaml (contained plaintext credentials - security risk) - dev.sops.yaml.tmp (empty temp file) - test-temp.sops.yaml (empty temp file) Files renamed: - test.sops.yaml → template.sops.yaml (reference template, not deployed) Files added: - README.md (complete documentation for secrets management) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Pieter
parent
dc14b12688
commit
e15fe78488
3 changed files with 122 additions and 0 deletions
122
secrets/clients/README.md
Normal file
122
secrets/clients/README.md
Normal file
|
|
@ -0,0 +1,122 @@
|
|||
# Client Secrets Directory
|
||||
|
||||
This directory contains SOPS-encrypted secrets files for each deployed client.
|
||||
|
||||
## Files
|
||||
|
||||
### Active Clients
|
||||
|
||||
- **`dev.sops.yaml`** - Development/canary server secrets
|
||||
- Status: Deployed
|
||||
- Purpose: Testing and canary deployments
|
||||
|
||||
### Templates
|
||||
|
||||
- **`template.sops.yaml`** - Template for creating new client secrets
|
||||
- Status: Reference only (not deployed)
|
||||
- Purpose: Copy this file when onboarding new clients
|
||||
|
||||
## Creating Secrets for a New Client
|
||||
|
||||
```bash
|
||||
# 1. Copy the template
|
||||
cp secrets/clients/template.sops.yaml secrets/clients/newclient.sops.yaml
|
||||
|
||||
# 2. Edit with SOPS
|
||||
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
|
||||
sops secrets/clients/newclient.sops.yaml
|
||||
|
||||
# 3. Update all fields:
|
||||
# - client_name: newclient
|
||||
# - client_domain: newclient.vrije.cloud
|
||||
# - authentik_domain: auth.newclient.vrije.cloud
|
||||
# - nextcloud_domain: nextcloud.newclient.vrije.cloud
|
||||
# - REGENERATE all passwords and tokens (never reuse!)
|
||||
|
||||
# 4. Deploy the client
|
||||
./scripts/deploy-client.sh newclient
|
||||
```
|
||||
|
||||
## Important Security Notes
|
||||
|
||||
⚠️ **Never commit plaintext secrets!**
|
||||
|
||||
- Only `*.sops.yaml` files should be committed
|
||||
- Temporary files (`*-temp.yaml`, `*.tmp`) are gitignored
|
||||
- Always verify secrets are encrypted: `file secrets/clients/*.sops.yaml`
|
||||
|
||||
⚠️ **Always regenerate secrets for new clients!**
|
||||
|
||||
- Never copy passwords between clients
|
||||
- Use strong random passwords (32+ characters)
|
||||
- Each client must have unique credentials
|
||||
|
||||
## File Naming Convention
|
||||
|
||||
- **Production clients**: `clientname.sops.yaml`
|
||||
- **Development/test**: `dev.sops.yaml`
|
||||
- **Templates**: `template.sops.yaml`
|
||||
- **Never commit**: `*-temp.yaml`, `*.tmp`, `*_plaintext.yaml`
|
||||
|
||||
## Viewing Secrets
|
||||
|
||||
```bash
|
||||
# View encrypted file (shows SOPS metadata)
|
||||
cat secrets/clients/dev.sops.yaml
|
||||
|
||||
# Decrypt and view (requires age key)
|
||||
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
|
||||
sops -d secrets/clients/dev.sops.yaml
|
||||
```
|
||||
|
||||
## Required Secrets per Client
|
||||
|
||||
Each client secrets file must contain:
|
||||
|
||||
### Authentik (Identity Provider)
|
||||
- `authentik_db_password` - PostgreSQL database password
|
||||
- `authentik_secret_key` - Django secret key
|
||||
- `authentik_bootstrap_password` - Initial admin (akadmin) password
|
||||
- `authentik_bootstrap_token` - API token for automation
|
||||
- `authentik_bootstrap_email` - Admin email address
|
||||
|
||||
### Nextcloud (File Storage)
|
||||
- `nextcloud_admin_user` - Admin username (usually "admin")
|
||||
- `nextcloud_admin_password` - Admin password
|
||||
- `nextcloud_db_password` - MariaDB database password
|
||||
- `nextcloud_db_root_password` - MariaDB root password
|
||||
- `redis_password` - Redis cache password
|
||||
|
||||
### Optional
|
||||
- `collabora_admin_password` - Collabora Online admin password (if using)
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
### "No such file or directory: age-key.txt"
|
||||
```bash
|
||||
# Ensure SOPS_AGE_KEY_FILE is set correctly
|
||||
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
|
||||
# Or use absolute path
|
||||
export SOPS_AGE_KEY_FILE="/full/path/to/infrastructure/keys/age-key.txt"
|
||||
```
|
||||
|
||||
### "Failed to decrypt"
|
||||
- Verify you have the correct age private key
|
||||
- Check that `.sops.yaml` references the correct age public key
|
||||
- Ensure the file was encrypted with the same age key
|
||||
|
||||
### "File contains plaintext secrets"
|
||||
```bash
|
||||
# Check if file is properly encrypted
|
||||
file secrets/clients/dev.sops.yaml
|
||||
# Should show: ASCII text (with SOPS encryption metadata)
|
||||
|
||||
# Re-encrypt if needed
|
||||
sops -e -i secrets/clients/dev.sops.yaml
|
||||
```
|
||||
|
||||
## See Also
|
||||
|
||||
- [../README.md](../../secrets/README.md) - Secrets management overview
|
||||
- [../../docs/architecture-decisions.md](../../docs/architecture-decisions.md) - SOPS decision rationale
|
||||
- [SOPS Documentation](https://github.com/getsops/sops)
|
||||
Loading…
Add table
Reference in a new issue