Add unified secrets dotenv loader

This commit is contained in:
Tero Halla-aho 2025-12-10 16:05:29 +02:00
parent 434313c6e8
commit f3437f2f0e
8 changed files with 63 additions and 7 deletions


@ -5,5 +5,38 @@ NEXT_PUBLIC_API_BASE=https://api.lomavuokraus.fi
# Runtime env flag used in UI # Runtime env flag used in UI
APP_ENV=local APP_ENV=local
# Secrets (override in Kubernetes Secret) # Core app secrets (override in Kubernetes Secret)
APP_SECRET=change-me APP_URL=http://localhost:3000
AUTH_SECRET=change-me
DATABASE_URL=postgresql://user:password@host:5432/lomavuokraus?sslmode=disable
# Mail (fill in SMTP_USER/SMTP_PASS)
SMTP_HOST=smtp.lomavuokraus.fi
SMTP_PORT=587
SMTP_USER=
SMTP_PASS=
SMTP_FROM=noreply@lomavuokraus.fi
SMTP_TLS=true
SMTP_SSL=false
SMTP_REJECT_UNAUTHORIZED=true
DKIM_SELECTOR=mail2025
DKIM_DOMAIN=lomavuokraus.fi
DKIM_PRIVATE_KEY_PATH=creds/dkim/lomavuokraus.fi/mail2025.private
# Feature flags / behaviour
AUTO_APPROVE_LISTINGS=false
# External APIs / infra
OPENAI_API_KEY=
OPENAI_TRANSLATIONS_KEY=
HETZNER_API_TOKEN=
HCLOUD_TOKEN=
HETZNER_TOKEN=
JOKER_DYNDNS_USERNAME=
JOKER_DYNDNS_PASSWORD=
REGISTRY_USERNAME=
REGISTRY_PASSWORD=
# Admin bootstrap (used by seed/reset scripts)
ADMIN_EMAIL=
ADMIN_INITIAL_PASSWORD=
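Review bot: The `AUTH_SECRET=change-me` line and the `DATABASE_URL` line ending in `sslmode=disable` are the only secrets in this template (file name not shown, but it reads as the local env example) that are filled in with values that work; every other credential is left blank. Since `scripts/load-secrets.sh` exports a dotenv verbatim and nothing in this commit rejects `change-me`, an unedited copy of this file would let a deploy run with a known auth secret and a plaintext database connection. Leaving them empty like `SMTP_PASS=` — `AUTH_SECRET=` and `DATABASE_URL=` with the `postgresql://user:password@host:5432/lomavuokraus?sslmode=require` shape shown in a comment — makes a missing value fail under `set -u` or a `${AUTH_SECRET:?}` guard instead of silently working. `HETZNER_API_TOKEN`, `HCLOUD_TOKEN` and `HETZNER_TOKEN` look like the same token under three names; a one-line comment naming which consumer reads which would keep them from drifting.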


@ -22,7 +22,7 @@
- Pushes (docker, ctr, skopeo from k3s node) fail: connection closed while uploading blobs (`http://registry.halla-aho.net:443/... use of closed network connection`). Suspect registry reverse-proxy dropping uploads/HTTPS handling. - Pushes (docker, ctr, skopeo from k3s node) fail: connection closed while uploading blobs (`http://registry.halla-aho.net:443/... use of closed network connection`). Suspect registry reverse-proxy dropping uploads/HTTPS handling.
- Need to inspect registry host logs/config and retry push once fixed. - Need to inspect registry host logs/config and retry push once fixed.
- Secrets: - Secrets:
- `APP_SECRET` removed from `deploy/env.sh`; export it in shell before deploy. - `AUTH_SECRET` removed from `deploy/env.sh`; export it in shell (or via `scripts/load-secrets.sh`) before deploy.
- `creds/` and `k3s.yaml` are git-ignored; contains joker DYNDNS creds and registry auth. - `creds/` and `k3s.yaml` are git-ignored; contains joker DYNDNS creds and registry auth.
# Lomavuokraus app progress (Nov 24) # Lomavuokraus app progress (Nov 24)


@ -12,5 +12,5 @@ export APP_ENV="production"
export CLUSTER_ISSUER="$PROD_CLUSTER_ISSUER" export CLUSTER_ISSUER="$PROD_CLUSTER_ISSUER"
export INGRESS_CLASS export INGRESS_CLASS
# optionally set APP_SECRET in the environment before running # optionally set AUTH_SECRET (and other secrets) in the environment before running
bash deploy/deploy.sh bash deploy/deploy.sh


@ -12,5 +12,5 @@ export APP_ENV="staging"
export CLUSTER_ISSUER="$STAGING_CLUSTER_ISSUER" export CLUSTER_ISSUER="$STAGING_CLUSTER_ISSUER"
export INGRESS_CLASS export INGRESS_CLASS
# optionally set APP_SECRET in the environment before running # optionally set AUTH_SECRET (and other secrets) in the environment before running
bash deploy/deploy.sh bash deploy/deploy.sh


@ -14,5 +14,5 @@ export CLUSTER_ISSUER="${TEST_CLUSTER_ISSUER}"
export INGRESS_CLASS export INGRESS_CLASS
export APP_REPLICAS="${APP_REPLICAS:-1}" export APP_REPLICAS="${APP_REPLICAS:-1}"
# optionally set APP_SECRET and DATABASE_URL (pointing to lomavuokraus_testing) in the environment before running # optionally set AUTH_SECRET and DATABASE_URL (pointing to lomavuokraus_testing) in the environment before running
bash deploy/deploy.sh bash deploy/deploy.sh


@ -2,6 +2,10 @@
set -euo pipefail set -euo pipefail
cd "$(dirname "$0")/.." cd "$(dirname "$0")/.."
if [[ -f scripts/load-secrets.sh ]]; then
# Export secrets from creds/secrets.env (dotenv) when available.
source scripts/load-secrets.sh
fi
source deploy/env.sh source deploy/env.sh
if [[ ! -f deploy/.last-image ]]; then if [[ ! -f deploy/.last-image ]]; then
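Review bot: After the new `source scripts/load-secrets.sh` and the existing `source deploy/env.sh`, nothing in the hunk checks that `AUTH_SECRET` — which this commit's notes say was removed from `deploy/env.sh` — actually received a value, and the loader deliberately returns 0 when `creds/secrets.env` is absent, so a deploy from a fresh checkout continues with the secret unset unless something later in `deploy.sh` (outside the hunk) catches it. A guard directly after the two `source` lines, `: "${AUTH_SECRET:?export it or add it to creds/secrets.env}"`, fails fast and names the fix. The rest of `deploy.sh` continues past the hunk.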


@ -36,6 +36,7 @@ flowchart LR
<ul> <ul>
<li>Source: Next.js app with TypeScript and Prisma.</li> <li>Source: Next.js app with TypeScript and Prisma.</li>
<li>Env: <code>.env</code> (local), K8s Secret <code>lomavuokraus-web-secrets</code> in cluster.</li> <li>Env: <code>.env</code> (local), K8s Secret <code>lomavuokraus-web-secrets</code> in cluster.</li>
<li>Local secrets: <code>creds/secrets.env</code> (dotenv) loadable via <code>scripts/load-secrets.sh</code>.</li>
<li>Prisma schema: <code>prisma/schema.prisma</code>, migrations in <code>prisma/migrations/</code>.</li> <li>Prisma schema: <code>prisma/schema.prisma</code>, migrations in <code>prisma/migrations/</code>.</li>
</ul> </ul>
</section> </section>
@ -84,7 +85,7 @@ flowchart LR
<h2>Config & Env Vars</h2> <h2>Config & Env Vars</h2>
<ul> <ul>
<li>From ConfigMap (public): <code>NEXT_PUBLIC_SITE_URL</code>, <code>NEXT_PUBLIC_API_BASE</code>, <code>APP_ENV</code>.</li> <li>From ConfigMap (public): <code>NEXT_PUBLIC_SITE_URL</code>, <code>NEXT_PUBLIC_API_BASE</code>, <code>APP_ENV</code>.</li>
<li>From Secret: DB URL, AUTH_SECRET, SMTP, DKIM, etc.</li> <li>From Secret: DB URL, AUTH_SECRET, SMTP, DKIM, etc. (materialize from <code>creds/secrets.env</code>).</li>
<li>App env resolution: <code>process.env.*</code> in Next server code.</li> <li>App env resolution: <code>process.env.*</code> in Next server code.</li>
</ul> </ul>
</section> </section>

scripts/load-secrets.sh Normal file

@ -0,0 +1,18 @@
#!/usr/bin/env bash
# Shell helper to export secrets from a single dotenv file.
# Usage: source scripts/load-secrets.sh
set -euo pipefail
ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
SECRETS_FILE="${SECRETS_FILE:-$ROOT_DIR/creds/secrets.env}"
if [[ ! -f "$SECRETS_FILE" ]]; then
echo "secrets file not found: $SECRETS_FILE (skipping)" >&2
return 0 2>/dev/null || exit 0
fi
echo "Loading secrets from $SECRETS_FILE"
set -a
source "$SECRETS_FILE"
set +a
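Review bot: `set -euo pipefail` in a file whose documented use is `source scripts/load-secrets.sh` (the Usage line) rewrites the calling shell's options: in an interactive shell `-e` terminates the session on the first failing command and `-u` turns every unset variable into an error, and the script already handles the sourced case separately with `return 0 2>/dev/null || exit 0`, so the line should go. The `set -a; source "$SECRETS_FILE"` pattern executes the dotenv as shell code, which means values with `$`, backticks, `;` or spaces must be shell-quoted in `creds/secrets.env` (worth stating in the header comment) and anyone who can write that file runs code as the deployer, so the loader should refuse a file that is group- or world-accessible before sourcing it. The proposed check uses GNU `stat`; on macOS/BSD the equivalent is `stat -f '%Lp'`.

```shell
# Sourced into the caller's shell, so do not touch its set -e/-u/-o options here.
ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
SECRETS_FILE="${SECRETS_FILE:-$ROOT_DIR/creds/secrets.env}"
# … unchanged: missing-file check …
# The file is executed as shell: values must be shell-quoted, and whoever can write
# it runs code as the deployer, so refuse anything but an owner-only mode (chmod 600).
# GNU stat; on macOS/BSD use: stat -f '%Lp' "$SECRETS_FILE"
mode="$(stat -c '%a' "$SECRETS_FILE")"
if [[ "$mode" != *00 ]]; then
  echo "refusing to load $SECRETS_FILE: mode $mode is not owner-only (chmod 600)" >&2
  return 1 2>/dev/null || exit 1
fi
unset mode
echo "Loading secrets from $SECRETS_FILE"
# … unchanged: set -a / source / set +a …
```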