Add unified secrets dotenv loader

2025-12-10 16:05:29 +02:00 · 2025-12-10 16:05:29 +02:00 · f3437f2f0e
commit f3437f2f0e
parent 434313c6e8
8 changed files with 63 additions and 7 deletions
--- a/.env.example
+++ b/.env.example
@ -5,5 +5,38 @@ NEXT_PUBLIC_API_BASE=https://api.lomavuokraus.fi
 # Runtime env flag used in UI
 APP_ENV=local

-# Secrets (override in Kubernetes Secret)
-APP_SECRET=change-me
+# Core app secrets (override in Kubernetes Secret)
+APP_URL=http://localhost:3000
+AUTH_SECRET=change-me
+DATABASE_URL=postgresql://user:password@host:5432/lomavuokraus?sslmode=disable
+
+# Mail (fill in SMTP_USER/SMTP_PASS)
+SMTP_HOST=smtp.lomavuokraus.fi
+SMTP_PORT=587
+SMTP_USER=
+SMTP_PASS=
+SMTP_FROM=noreply@lomavuokraus.fi
+SMTP_TLS=true
+SMTP_SSL=false
+SMTP_REJECT_UNAUTHORIZED=true
+DKIM_SELECTOR=mail2025
+DKIM_DOMAIN=lomavuokraus.fi
+DKIM_PRIVATE_KEY_PATH=creds/dkim/lomavuokraus.fi/mail2025.private
+
+# Feature flags / behaviour
+AUTO_APPROVE_LISTINGS=false
+
+# External APIs / infra
+OPENAI_API_KEY=
+OPENAI_TRANSLATIONS_KEY=
+HETZNER_API_TOKEN=
+HCLOUD_TOKEN=
+HETZNER_TOKEN=
+JOKER_DYNDNS_USERNAME=
+JOKER_DYNDNS_PASSWORD=
+REGISTRY_USERNAME=
+REGISTRY_PASSWORD=
+
+# Admin bootstrap (used by seed/reset scripts)
+ADMIN_EMAIL=
+ADMIN_INITIAL_PASSWORD=
--- a/PROGRESS.md
+++ b/PROGRESS.md
@ -22,7 +22,7 @@
  - Pushes (docker, ctr, skopeo from k3s node) fail: connection closed while uploading blobs (`http://registry.halla-aho.net:443/... use of closed network connection`). Suspect registry reverse-proxy dropping uploads/HTTPS handling.
  - Need to inspect registry host logs/config and retry push once fixed.
 - Secrets:
-  - `APP_SECRET` removed from `deploy/env.sh`; export it in shell before deploy.
+- `AUTH_SECRET` removed from `deploy/env.sh`; export it in shell (or via `scripts/load-secrets.sh`) before deploy.
  - `creds/` and `k3s.yaml` are git-ignored; contains joker DYNDNS creds and registry auth.

 # Lomavuokraus app progress (Nov 24)
--- a/deploy/deploy-prod.sh
+++ b/deploy/deploy-prod.sh
@ -12,5 +12,5 @@ export APP_ENV="production"
 export CLUSTER_ISSUER="$PROD_CLUSTER_ISSUER"
 export INGRESS_CLASS

-# optionally set APP_SECRET in the environment before running
+# optionally set AUTH_SECRET (and other secrets) in the environment before running
 bash deploy/deploy.sh
--- a/deploy/deploy-staging.sh
+++ b/deploy/deploy-staging.sh
@ -12,5 +12,5 @@ export APP_ENV="staging"
 export CLUSTER_ISSUER="$STAGING_CLUSTER_ISSUER"
 export INGRESS_CLASS

-# optionally set APP_SECRET in the environment before running
+# optionally set AUTH_SECRET (and other secrets) in the environment before running
 bash deploy/deploy.sh
--- a/deploy/deploy-test.sh
+++ b/deploy/deploy-test.sh
@ -14,5 +14,5 @@ export CLUSTER_ISSUER="${TEST_CLUSTER_ISSUER}"
 export INGRESS_CLASS
 export APP_REPLICAS="${APP_REPLICAS:-1}"

-# optionally set APP_SECRET and DATABASE_URL (pointing to lomavuokraus_testing) in the environment before running
+# optionally set AUTH_SECRET and DATABASE_URL (pointing to lomavuokraus_testing) in the environment before running
 bash deploy/deploy.sh
--- a/deploy/deploy.sh
+++ b/deploy/deploy.sh
@ -2,6 +2,10 @@
 set -euo pipefail

 cd "$(dirname "$0")/.."
+if [[ -f scripts/load-secrets.sh ]]; then
+  # Export secrets from creds/secrets.env (dotenv) when available.
+  source scripts/load-secrets.sh
+fi
 source deploy/env.sh

 if [[ ! -f deploy/.last-image ]]; then
--- a/docs/build.html
+++ b/docs/build.html
@ -36,6 +36,7 @@ flowchart LR
        <ul>
          <li>Source: Next.js app with TypeScript and Prisma.</li>
          <li>Env: <code>.env</code> (local), K8s Secret <code>lomavuokraus-web-secrets</code> in cluster.</li>
+          <li>Local secrets: <code>creds/secrets.env</code> (dotenv) loadable via <code>scripts/load-secrets.sh</code>.</li>
          <li>Prisma schema: <code>prisma/schema.prisma</code>, migrations in <code>prisma/migrations/</code>.</li>
        </ul>
      </section>
@ -84,7 +85,7 @@ flowchart LR
        <h2>Config & Env Vars</h2>
        <ul>
          <li>From ConfigMap (public): <code>NEXT_PUBLIC_SITE_URL</code>, <code>NEXT_PUBLIC_API_BASE</code>, <code>APP_ENV</code>.</li>
-          <li>From Secret: DB URL, AUTH_SECRET, SMTP, DKIM, etc.</li>
+          <li>From Secret: DB URL, AUTH_SECRET, SMTP, DKIM, etc. (materialize from <code>creds/secrets.env</code>).</li>
          <li>App env resolution: <code>process.env.*</code> in Next server code.</li>
        </ul>
      </section>
--- a/scripts/load-secrets.sh
+++ b/scripts/load-secrets.sh
@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+# Shell helper to export secrets from a single dotenv file.
+# Usage: source scripts/load-secrets.sh
+
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+SECRETS_FILE="${SECRETS_FILE:-$ROOT_DIR/creds/secrets.env}"
+
+if [[ ! -f "$SECRETS_FILE" ]]; then
+  echo "secrets file not found: $SECRETS_FILE (skipping)" >&2
+  return 0 2>/dev/null || exit 0
+fi
+
+echo "Loading secrets from $SECRETS_FILE"
+set -a
+source "$SECRETS_FILE"
+set +a