fix: Encrypt secrets at rest with SOPS + age (#613)
- lib/env.sh: Two-tier secret loader (SOPS .env.enc > plaintext .env), remove ~/.netrc fallback
- bin/disinto: Add age key generation and SOPS encryption during init, remove write_netrc(), add `disinto secrets` subcommand (edit/show/migrate), add sops+age to preflight warnings
- .env.example: Annotate vars as [SECRET] or [CONFIG]
- .gitignore: Allow .env.enc and .sops.yaml to be committed
- BOOTSTRAP.md: Document SOPS + age setup, key backup, secret management
- AGENTS.md: Update AD-005 and coding conventions for .env.enc

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent 28cdec3e7b
commit 5ccf09b28d
6 changed files with 210 additions and 66 deletions
50
.env.example
@ -1,6 +1,12 @@
# Disinto — Environment Configuration
# Copy to .env and fill in your values.
# NEVER commit .env to the repo.
#
# With SOPS + age installed, `disinto init` encrypts secrets into .env.enc
# and removes plaintext .env. To migrate an existing .env: `disinto secrets migrate`
#
# Variables marked [SECRET] are credentials that grant access if leaked.
# Variables marked [CONFIG] are non-sensitive and safe in plaintext.

# ── Per-project config ────────────────────────────────────────────────────
# Project-specific settings (FORGE_REPO, PROJECT_REPO_ROOT, PRIMARY_BRANCH,
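Review bot: the header keeps `# NEVER commit .env to the repo.` but now introduces .env.enc without saying which of the two files is safe to commit; since the commit message says .gitignore now allows .env.enc and .sops.yaml, add a line beside the NEVER-commit warning stating that .env.enc (ciphertext) is committable and plaintext .env is not. Two more things on these lines: `removes plaintext .env` only holds when SOPS + age are actually installed, and the commit message describes a two-tier loader that falls back to plaintext .env otherwise, so say that here rather than letting a reader assume every [SECRET] value ends up encrypted; and because the whole file is encrypted into .env.enc, the [SECRET]/[CONFIG] tags are documentation, not enforcement, which is worth one sentence so `safe in plaintext` is not read as the tooling keeping [CONFIG] values out of the encrypted file.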
@ -8,23 +14,12 @@
# for an example. Do NOT set them here; they leak into every session.

# ── Forge (Forgejo) ─────────────────────────────────────────────────────
# Base URL for the local Forgejo instance. disinto init provisions this.
FORGE_URL=http://localhost:3000
FORGE_URL=http://localhost:3000 # [CONFIG] local Forgejo instance

# ── Auth tokens ───────────────────────────────────────────────────────────
# Dev-agent token: push branches, create PRs, merge PRs.
# Use the dedicated bot account (e.g. dev-bot).
# Branch protection: this account must be in the merge whitelist.
FORGE_TOKEN=

# Review-agent token: post review comments and submit formal approvals.
# Use the review bot account (e.g. review-bot).
# Branch protection: this account must be in the approvals whitelist.
FORGE_REVIEW_TOKEN=

# Comma-separated forge usernames to filter from issue comments.
# The token owner is auto-detected; add extra bot accounts here if needed.
FORGE_BOT_USERNAMES=
FORGE_TOKEN= # [SECRET] dev-bot API token
FORGE_REVIEW_TOKEN= # [SECRET] review-bot API token
FORGE_BOT_USERNAMES= # [CONFIG] comma-separated bot usernames

# ── Backwards compatibility ───────────────────────────────────────────────
# If CODEBERG_TOKEN is set but FORGE_TOKEN is not, env.sh falls back to
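Review bot: the collapsed `FORGE_TOKEN= # [SECRET] dev-bot API token` and `FORGE_REVIEW_TOKEN= # [SECRET] review-bot API token` lines drop the guidance the replaced lines carried: the dev-bot token is for push/PR/merge, the review-bot token is for comments and formal approvals, and each account must sit in the matching branch-protection whitelist (merge vs. approvals). That split is what stops a single leaked token from both merging and approving its own change, so keep those comment lines above the annotated assignments; a `[SECRET]` tag alone does not tell a new operator which account to mint each token from or what scope it needs. Minor: the backwards-compatibility note about `CODEBERG_TOKEN` in the trailing context should also mark that variable as a secret, since `disinto secrets migrate` will be handling old .env files that still carry it.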
@ -32,26 +27,25 @@ FORGE_BOT_USERNAMES=
# CODEBERG_BOT_USERNAMES). No action needed for existing deployments.

# ── Woodpecker CI ─────────────────────────────────────────────────────────
WOODPECKER_TOKEN=
WOODPECKER_SERVER=http://localhost:8000
WOODPECKER_TOKEN= # [SECRET] Woodpecker API token
WOODPECKER_SERVER=http://localhost:8000 # [CONFIG] Woodpecker server URL
# WOODPECKER_REPO_ID — now per-project, set in projects/*.toml [ci] section

# Woodpecker Postgres (for direct DB queries)
WOODPECKER_DB_PASSWORD=
WOODPECKER_DB_USER=woodpecker
WOODPECKER_DB_HOST=127.0.0.1
WOODPECKER_DB_NAME=woodpecker
WOODPECKER_DB_PASSWORD= # [SECRET] Postgres password
WOODPECKER_DB_USER=woodpecker # [CONFIG] Postgres user
WOODPECKER_DB_HOST=127.0.0.1 # [CONFIG] Postgres host
WOODPECKER_DB_NAME=woodpecker # [CONFIG] Postgres database name

# ── Matrix (optional — real-time notifications & escalation replies) ──────
MATRIX_HOMESERVER=http://localhost:8008 # Dendrite/Synapse URL
MATRIX_BOT_USER=@factory:your.server # bot's Matrix user ID
MATRIX_TOKEN= # bot's access token
MATRIX_ROOM_ID= # coordination room ID (!xxx:your.server)
MATRIX_HOMESERVER=http://localhost:8008 # [CONFIG] Dendrite/Synapse URL
MATRIX_BOT_USER=@factory:your.server # [CONFIG] bot's Matrix user ID
MATRIX_TOKEN= # [SECRET] bot's access token
MATRIX_ROOM_ID= # [CONFIG] coordination room ID

# ── Project-specific secrets ──────────────────────────────────────────────
# Store all project secrets here so formulas reference env vars, never hardcode.
# Example: BASE_RPC_URL for on-chain evolution scripts.
BASE_RPC_URL=
BASE_RPC_URL= # [SECRET] on-chain RPC endpoint

# ── Tuning ────────────────────────────────────────────────────────────────
CLAUDE_TIMEOUT=7200 # max seconds per Claude invocation
CLAUDE_TIMEOUT=7200 # [CONFIG] max seconds per Claude invocation
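Review bot: `MATRIX_ROOM_ID= # [CONFIG] coordination room ID` loses the `(!xxx:your.server)` format hint that the replaced line had, and it was the only documentation of the expected value shape; keep the hint alongside the tag. Tagging `BASE_RPC_URL` as `[SECRET]` is the right call, since hosted RPC endpoints commonly carry the API key inside the URL, but the comment above it, `Store all project secrets here`, now describes a section that the [SECRET]/[CONFIG] scheme lets hold both kinds of value; reword it to say that any value that could carry a credential (an RPC URL with a key, a DSN with a password) gets the `[SECRET]` tag, so the classification rule is stated where project-specific variables are added.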