Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../secrets/clients/README.md
Pieter e15fe78488 chore: Clean up client secrets directory 
- Remove temporary/unencrypted files (dev-temp.yaml, *.tmp)
- Rename test.sops.yaml to template.sops.yaml for clarity
- Add comprehensive README.md documenting secrets management
- Improve security by removing plaintext credentials exposure

Files removed:
- dev-temp.yaml (contained plaintext credentials - security risk)
- dev.sops.yaml.tmp (empty temp file)
- test-temp.sops.yaml (empty temp file)

Files renamed:
- test.sops.yaml → template.sops.yaml (reference template, not deployed)

Files added:
- README.md (complete documentation for secrets management)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-17 19:32:06 +01:00

122 lines
3.5 KiB
Markdown
Raw Blame History

# Client Secrets Directory
This directory contains SOPS-encrypted secrets files for each deployed client.
## Files
### Active Clients
- **`dev.sops.yaml`** - Development/canary server secrets
- Status: Deployed
- Purpose: Testing and canary deployments
### Templates
- **`template.sops.yaml`** - Template for creating new client secrets
- Status: Reference only (not deployed)
- Purpose: Copy this file when onboarding new clients
## Creating Secrets for a New Client
```bash
# 1. Copy the template
cp secrets/clients/template.sops.yaml secrets/clients/newclient.sops.yaml
# 2. Edit with SOPS
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
sops secrets/clients/newclient.sops.yaml
# 3. Update all fields:
# - client_name: newclient
# - client_domain: newclient.vrije.cloud
# - authentik_domain: auth.newclient.vrije.cloud
# - nextcloud_domain: nextcloud.newclient.vrije.cloud
# - REGENERATE all passwords and tokens (never reuse!)
# 4. Deploy the client
./scripts/deploy-client.sh newclient
```
## Important Security Notes
⚠️ **Never commit plaintext secrets!**
- Only `*.sops.yaml` files should be committed
- Temporary files (`*-temp.yaml`, `*.tmp`) are gitignored
- Always verify secrets are encrypted: `file secrets/clients/*.sops.yaml`
⚠️ **Always regenerate secrets for new clients!**
- Never copy passwords between clients
- Use strong random passwords (32+ characters)
- Each client must have unique credentials
## File Naming Convention
- **Production clients**: `clientname.sops.yaml`
- **Development/test**: `dev.sops.yaml`
- **Templates**: `template.sops.yaml`
- **Never commit**: `*-temp.yaml`, `*.tmp`, `*_plaintext.yaml`
## Viewing Secrets
```bash
# View encrypted file (shows SOPS metadata)
cat secrets/clients/dev.sops.yaml
# Decrypt and view (requires age key)
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
sops -d secrets/clients/dev.sops.yaml
```
## Required Secrets per Client
Each client secrets file must contain:
### Authentik (Identity Provider)
- `authentik_db_password` - PostgreSQL database password
- `authentik_secret_key` - Django secret key
- `authentik_bootstrap_password` - Initial admin (akadmin) password
- `authentik_bootstrap_token` - API token for automation
- `authentik_bootstrap_email` - Admin email address
### Nextcloud (File Storage)
- `nextcloud_admin_user` - Admin username (usually "admin")
- `nextcloud_admin_password` - Admin password
- `nextcloud_db_password` - MariaDB database password
- `nextcloud_db_root_password` - MariaDB root password
- `redis_password` - Redis cache password
### Optional
- `collabora_admin_password` - Collabora Online admin password (if using)
## Troubleshooting
### "No such file or directory: age-key.txt"
```bash
# Ensure SOPS_AGE_KEY_FILE is set correctly
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
# Or use absolute path
export SOPS_AGE_KEY_FILE="/full/path/to/infrastructure/keys/age-key.txt"
```
### "Failed to decrypt"
- Verify you have the correct age private key
- Check that `.sops.yaml` references the correct age public key
- Ensure the file was encrypted with the same age key
### "File contains plaintext secrets"
```bash
# Check if file is properly encrypted
file secrets/clients/dev.sops.yaml
# Should show: ASCII text (with SOPS encryption metadata)
# Re-encrypt if needed
sops -e -i secrets/clients/dev.sops.yaml
```
## See Also
- [../README.md](../../secrets/README.md) - Secrets management overview
- [../../docs/architecture-decisions.md](../../docs/architecture-decisions.md) - SOPS decision rationale
- [SOPS Documentation](https://github.com/getsops/sops)
Reference in a new issue View git blame Copy permalink