e04efa1cb1
Resolves #20 Changes: - Add hcloud_token to secrets/shared.sops.yaml (encrypted with Age) - Create scripts/load-secrets-env.sh to automatically load token from SOPS - Update all management scripts to auto-load token if not set - Remove plaintext tokens from tofu/terraform.tfvars - Update documentation in README.md, scripts/README.md, and SECURITY-NOTE-tokens.md Benefits: ✅ Token encrypted at rest ✅ Can be safely backed up to cloud storage ✅ Consistent with other secrets management ✅ Automatic loading - no manual token management needed 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| .gitignore | ||
| dev.sops.yaml | ||
| green.sops.yaml | ||
| README.md | ||
| template.sops.yaml | ||
Client Secrets Directory
This directory contains SOPS-encrypted secrets files for each deployed client.
Files
Active Clients
dev.sops.yaml- Development/canary server secrets- Status: Deployed
- Purpose: Testing and canary deployments
Templates
template.sops.yaml- Template for creating new client secrets- Status: Reference only (not deployed)
- Purpose: Copy this file when onboarding new clients
Creating Secrets for a New Client
# 1. Copy the template
cp secrets/clients/template.sops.yaml secrets/clients/newclient.sops.yaml
# 2. Edit with SOPS
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
sops secrets/clients/newclient.sops.yaml
# 3. Update all fields:
# - client_name: newclient
# - client_domain: newclient.vrije.cloud
# - authentik_domain: auth.newclient.vrije.cloud
# - nextcloud_domain: nextcloud.newclient.vrije.cloud
# - REGENERATE all passwords and tokens (never reuse!)
# 4. Deploy the client
./scripts/deploy-client.sh newclient
Important Security Notes
⚠️ Never commit plaintext secrets!
- Only
*.sops.yamlfiles should be committed - Temporary files (
*-temp.yaml,*.tmp) are gitignored - Always verify secrets are encrypted:
file secrets/clients/*.sops.yaml
⚠️ Always regenerate secrets for new clients!
- Never copy passwords between clients
- Use strong random passwords (32+ characters)
- Each client must have unique credentials
File Naming Convention
- Production clients:
clientname.sops.yaml - Development/test:
dev.sops.yaml - Templates:
template.sops.yaml - Never commit:
*-temp.yaml,*.tmp,*_plaintext.yaml
Viewing Secrets
# View encrypted file (shows SOPS metadata)
cat secrets/clients/dev.sops.yaml
# Decrypt and view (requires age key)
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
sops -d secrets/clients/dev.sops.yaml
Required Secrets per Client
Each client secrets file must contain:
Authentik (Identity Provider)
authentik_db_password- PostgreSQL database passwordauthentik_secret_key- Django secret keyauthentik_bootstrap_password- Initial admin (akadmin) passwordauthentik_bootstrap_token- API token for automationauthentik_bootstrap_email- Admin email address
Nextcloud (File Storage)
nextcloud_admin_user- Admin username (usually "admin")nextcloud_admin_password- Admin passwordnextcloud_db_password- MariaDB database passwordnextcloud_db_root_password- MariaDB root passwordredis_password- Redis cache password
Optional
collabora_admin_password- Collabora Online admin password (if using)
Troubleshooting
"No such file or directory: age-key.txt"
# Ensure SOPS_AGE_KEY_FILE is set correctly
export SOPS_AGE_KEY_FILE="./keys/age-key.txt"
# Or use absolute path
export SOPS_AGE_KEY_FILE="/full/path/to/infrastructure/keys/age-key.txt"
"Failed to decrypt"
- Verify you have the correct age private key
- Check that
.sops.yamlreferences the correct age public key - Ensure the file was encrypted with the same age key
"File contains plaintext secrets"
# Check if file is properly encrypted
file secrets/clients/dev.sops.yaml
# Should show: ASCII text (with SOPS encryption metadata)
# Re-encrypt if needed
sops -e -i secrets/clients/dev.sops.yaml
See Also
- ../README.md - Secrets management overview
- ../../docs/architecture-decisions.md - SOPS decision rationale
- SOPS Documentation