e04efa1cb1
Resolves #20 Changes: - Add hcloud_token to secrets/shared.sops.yaml (encrypted with Age) - Create scripts/load-secrets-env.sh to automatically load token from SOPS - Update all management scripts to auto-load token if not set - Remove plaintext tokens from tofu/terraform.tfvars - Update documentation in README.md, scripts/README.md, and SECURITY-NOTE-tokens.md Benefits: ✅ Token encrypted at rest ✅ Can be safely backed up to cloud storage ✅ Consistent with other secrets management ✅ Automatic loading - no manual token management needed 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| ssh | ||
| .gitignore | ||
| README.md | ||
Age Encryption Keys
⚠️ CRITICAL: This directory contains encryption keys that are NOT committed to Git.
Key Files
age-key.txt- Age private key for SOPS encryption (GITIGNORED)
Backup Checklist
Before proceeding with any infrastructure work, ensure you have:
- Copied
age-key.txtto password manager - Created offline backup (printed or encrypted USB)
- Verified backup can decrypt secrets successfully
Key Recovery
If you lose access to age-key.txt:
- Check password manager for backup
- Check offline backups (printed copy, USB drive)
- If no backup exists: Secrets are PERMANENTLY LOST
- You will need to regenerate all secrets
- Re-encrypt all
.sops.yamlfiles - Update all services with new credentials
Generating a New Key
Only do this if you've lost the original key or need to rotate for security:
# Generate new Age key
age-keygen -o age-key.txt
# Extract public key
grep "public key:" age-key.txt
# Update .sops.yaml in repository root with new public key
# Re-encrypt all secrets
cd ..
for file in secrets/**/*.sops.yaml; do
SOPS_AGE_KEY_FILE=keys/age-key.txt sops updatekeys -y "$file"
done
Security Notes
- This directory is in
.gitignore - Keys should never be shared via email, Slack, or unencrypted channels
- Always use secure methods for key distribution (password manager, encrypted channels)