From 53883754b56693203107764e482d6e953c99c40e Mon Sep 17 00:00:00 2001
From: 13orlov <13orlov@gmail.com>
Date: Sun, 31 Aug 2025 19:37:36 +0100
Subject: [PATCH] feat(security): Migrate to git-crypt for ebaniy secrets management
---
.drone.yml | 16 +++++----------
.gitattributes | 1 +
.sops.yaml | 7 -------
envs/common.env | Bin 3480 -> 39 bytes
envs/prod.env | Bin 1514 -> 130 bytes
envs/staging.env | Bin 1514 -> 130 bytes
temp.env | 0
7 files changed, 6 insertions(+), 18 deletions(-)
create mode 100644 .gitattributes
delete mode 100644 .sops.yaml
delete mode 100644 temp.env
diff --git a/.drone.yml b/.drone.yml
index 01705da..768d46f 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -9,15 +9,7 @@ trigger:
- push steps:
- - name: testing
- image: python:3.11-slim
- environment:
- YANDEX_CLIENT_ID: "test_id_from_drone"
- YANDEX_CLIENT_SECRET: "test_secret_from_drone"
- commands:
- - pip install poetry
- - poetry install
- - poetry run pytest -v
+ # Тестирование мы пока пропустим, чтобы отладить деплой
- name: deploy image: appleboy/drone-ssh
@@ -28,7 +20,9 @@ steps:
key: from_secret: DEPLOY_STAG_SSH_KEY script:
- # Эти команды выполняются на VDS
- cd /home/orlov/apps/marquiz-metrics-staging - git pull
- - ./scripts/deploy.sh # Просто запускаем наш умный скрипт
\ No newline at end of file
+ # git-crypt сам расшифрует файлы после pull, так как мы сделали unlock на VDS - cat envs/common.env envs/staging.env > .env.staging - make staging-up - echo "Deployment finished!"
\ No newline at end of file
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..325c8a5
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+envs/*.env filter=git-crypt diff=git-crypt
diff --git a/.sops.yaml b/.sops.yaml
deleted file mode 100644
index 0d5c760..0000000
--- a/.sops.yaml
+++ /dev/null
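Review bot: Removing the whole `testing` step leaves nothing between a push and the staging deploy, and the replacement comment says the removal is temporary; on the new side the `deploy` step runs on every push with no step it waits on. Keeping the step and making the deploy conditional on it — `depends_on: [testing]` on the `deploy` step, or a `when:` clause — keeps the gate in place while the deploy itself is being debugged, instead of having to restore the step from history later. The hunk header counts 15 old lines but only 14 are visible in this copy, so a context line may have been lost; the `steps:` sequence continues outside the hunk.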
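Review bot: `cat envs/common.env envs/staging.env > .env.staging` never checks that the working tree is actually unlocked: on a fresh clone, or if the git-crypt key is removed from the VDS, `cat` silently concatenates the encrypted blobs and `make staging-up` starts from an unreadable `.env.staging`. Locked git-crypt files begin with the `GITCRYPT` magic header, so a guard before the cat — `- head -c 10 envs/staging.env | grep -q GITCRYPT && { echo "envs still locked"; exit 1; }` — fails the deploy loudly instead. The merged file is a plaintext copy of both secret sets on the host, so it should be created under a restrictive mask (`- umask 077` as the first script line) rather than the login shell's default. appleboy/drone-ssh only stops at the first failing command when `script_stop: true` is set in the step's `settings:` (which starts outside this hunk); without it the `echo "Deployment finished!"` line runs even after `make staging-up` fails.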
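Review bot: The deleted `.sops.yaml` rule only matched `^envs/(prod|staging)\.env$`, so `envs/common.env` (3480 bytes at its old blob, 39 bytes now that it goes through git-crypt) was presumably committed in clear before this change; that plaintext stays reachable in history regardless of the new filter, so anything secret in it should be treated as exposed and rotated (or the history rewritten) rather than relying on encryption going forward. The new pattern `envs/*.env filter=git-crypt diff=git-crypt` covers only `.env` files directly under `envs/`; if env files may appear elsewhere, widen it to `**/*.env filter=git-crypt diff=git-crypt`, and ignore the host-side `.env.staging` so it is never staged. `envs/prod.env` and `envs/staging.env` land with the same blob id `d9fe76599953796e71afd4ec6736217c1f665aa4` — git-crypt encrypts deterministically, so identical ciphertext means identical plaintext — and at 130 bytes each roughly 108 bytes of content remain after git-crypt's 22-byte header; confirm that prod and staging are meant to share values and that these are not placeholders.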
@@ -1,7 +0,0 @@
-creation_rules:
- - path_regex: ^envs/(prod|staging)\.env$
- key_groups:
- - age:
- - age12dkajmj2n7cgqplt325aw89c63v9dq7e833rt4ceqwlh87xs6fcsz6xfc9
- - age1p69rx76d4dqpf5a54m66lptad5qks8r98vxyyd59hh7rwz203szq3hzgyz
- encrypted_regex: '^(?!#).*'
\ No newline at end of file
diff --git a/envs/common.env b/envs/common.env index ef5f8a88f6ac1bf81a7592778979aa015d49d777..9058818ade2faf3dfb3d3d9deb9d499586813fac 100644 GIT binary patch literal 39 vcmZQ@_Y83kiVO&0u+UNPeP@^Ws6MvjfqnFi>2>>c4qv?x2PFX8sf{PkMCV~Sjshw|9spOwx769^6VoaZ&Vr|Qm8wQq z8LQVsYywvhXLKpg8{{`gbBa33(z@Bq2KD{tIn2M6oJ8!i7>TBt%)I2X+2RgA4x5i5 z{Wi_dfBbFghv_}c)A#qLoaT4%{k;u`_q2<@RH$w7o23JcbNi6Yn zG3q3a!A+0$E^vktL1$=lg?3G389>s*Ml5Dq_JmvQ2dJ3a3~LjF2EA4-Y~e%2(imxn`qT~gdZ8_^%#|3sl@X~%z{DNri)D9cGlxUZJSKL-dW9SWf9>$V zE(EQuN7vL438|0!yw1Xy2rJD-vFQiCx0QaI7{U>P*K0;cdX>z8vkwrV}EZ;)mM z)!E`ZE^`{MqcDW@IyL z3pZk=pj;AHvz7woql}0Yyo#uJDFxUcg+97pZilzJ{>;h?cH)JU3Y2K9ffRwn;==pg zUll0wg&vWkOFWfqr$57Rz?#u07=XR=uJ;^uWTea^7qSZ8s192ZS)&UC^q;!xMbZ<* zaJJ4rNlZ`DRt=U+r1pvq*TgUT4GIvbcZJkXH?j`yD=8hf$C6ToKl-ORUi zNSwyH{y6Nvk@!sGawyYo{*uQA1jl<~-bz*;yBe-nbiR__#(R264Z$J#XLqy~uU?NB z;lQ@sq@F$@u6j9{?q_GNSWoSl20y#i_ZEf)5b(okSk&|}q_sv7hWJGxxgswue$0et zGc1b^NvwskQoWVe>GOULW>2Z>nK3dmOmNjIPMBKb&-ZJ>X>R+Z%*r(R@q%L;2`=6Dq z*h6m&Q!l8qSL#Sj7b2s+m;r70wdIek+EE3|_+uk{)H$(*1h;b$&5b12a+P-n>z2wo z`Rfs&qdW~MlM=DxYV-y3Ezfs>I9iuH2OfzJs%>9sNvhT(s6#5(Lmp{Zd5PV6Xm*2| zA|rRV9Z_5&DwRBsg4Fq$<$mNyDef|c4HvAM$B^2ow5j`4RfMgKMW-iCmZO`%5?m$V z@CDzWkov47DCg)^3D2Ax3;2-~X!#fnFsF^6r>Srhzz%_JqV+e;mf)?ZI@}s+cZ^Kw znsc`tZB^P5c+>K>y)4cm%q&R?Y&`&A3xE4k8oxTUUPbkkH?)s!u|?Yh*c|8xW{}4Es0;AFWeT zlGsPII)jd428qB1fS|TvI$8}!#!C*HfUf-3=qSDu!@>CTc5$OBP~;;tzCdv4Ueo<~ z40D>iPfM1S`O{2)(P$&Cf+E8FrupW((odn+XE~~ zge`g4-r~=iHo2fnf4a8{&#unI0+*%}wm;iqO`lWQcV8C5Mcu{RKYa;1tlOifsCeo; zI^jBs*V^HFY$0Bzwu1^puiJ!EafTV61)Mv+VL4=LjRB9mHEr%XLtoJU+Ckc&7X$}eCuRGt|m_@B^DFe{lOtfHWiO~z4YvAvaE(xeg-S11s=;yFK;$` z?GxtJh_~)TNKR${TI0V6DZj6VSN9+|sl%$R;O-jd71mAM5@GkLrLzXkaH7qBmkWp{p06eeb+=udvIU(3VD(Y zBrSt(%>KfJc9oV4!3*61HZ75xZY4pOzh=SzLcnh=`Xd1YPCoZ5o}kG%WLSuyEsi(C z946RUPsEcX*8MmVj4X=lb30)Wna&X@&ipt(3HZZqhCvwn1tfk!KpRHBLD)AC2|i!@ zt3@e`N-M5ycA?!P&@sx5u1ZY}+MZ^m(iF}sGjL6L_wn6!hqavz)+;WRFt&qpGavVM zk15~3-X2*o5WM?L;VNEQovgUXRC66Cp6Q(%(=H7?MlceKDh2)Iq&o46E7YpY7-=2M{_^*kN{7U=^ G{q3LqyNuNU 
diff --git a/envs/prod.env b/envs/prod.env index 762a81d598cf99a78af1fa35e15d8c327eebb6b1..d9fe76599953796e71afd4ec6736217c1f665aa4 100644 GIT binary patch literal 130 zcmV-|0Db=eM@dveQdv+`0O&Q5+FgO3lnB<>I&*mS`)#${Mf$&w35HsE;r);k>T>PR z0^5-D&rF|cmGQU@9zAjzKWuBA$@S~X@5RIvW%tM34itN5B0R%Z|L4y+tqvAWR~f04 kU(g1EWOfkfw_5;VDl|gcFq+BxzO^$RF+8F24XI^K#MJpf@Bjb+ literal 1514 zcmcJP$*!YD07dux6`hw&lGj5~42CCJk3aiGh=3hzdlaCY&udlky6`R zlg>R=?g|N_bK!T2h|G&3EMKmG2|0|Tki;~FA;mI218Mrok|ak^O!)G_{cepR^15g) zUogk9Q4}x)?FUo<7Xe@+fXM|B1yRIt_~k=)tGkOIN0&>HcKrohE~Q^zq6#lR|25X4 zte}r8S^Ov>UUv_sD14NZo%k(0SMDh+b|-sqNtMPMy$&EX1f*K+NO$5>@Ty4hj7)3V z8|xBf(&OlO4_}^COHk<}2>o*v9 z7NZXdq+7aS=5^+slEd>3nPh5?cf+9GS;Bf9iBc7mcDWaIph0bG5NS@R)F{tdwj~Y? zp?p2w%L#91m-nBioU0jea0p+O0_~d3t}Ulf0pQbfYPGya!~+6bq08dd%B*&YGI+|SAkRtp?Ab|6!;q-Z1(F;J~ArzH>e zrY~yXls$d2#diZXh|+-MpiTYQTcKj*6k%lOZdtnWG{E$>NSrcXQro~O2((e50pdy9 zD3mY6TOqE%w&q5~D{}WPFOL0=#>1e%u@Y!r;?LEJV99xC#j5HNz%n%|Mno0ajtY^9 zu55I=^?qmX?p%W69QDX42fx4nHv|5z=z9ZdhHIw<6H;MQUumDFN`@)w-Vf;}@7R`O z$7!BJnoE*Jdw)Pcc8`Wk9`XEmH{ki?+qv$e@X|(cG%f%5>DM2A{Q1i-?`h$8eR&Jh zYZ`@12q66#u%Ai71mF!YZv^ALPb+=Ae0~(atwaOT%thw4PodxYZ-B)o$M#dPuCIB9 zq3*AFaur(5?ls7Gznhxjt2`e@%ji2JlHEoBINrSRE^LemZpz6S?cl13j>`%LYd4<7 z+Eydcwz-v}lMZj}^|gxEq>|!jaNOizgl=&J=^$9G=o*C5?M^5zI%SIcKO*U?+ox4*vw8l$#LZ`G3gLVz#u!=E9R B?Y#g1 
diff --git a/envs/staging.env b/envs/staging.env index cc3c7f3d3911cd2cc89bfa572acaf152c9d7b86b..d9fe76599953796e71afd4ec6736217c1f665aa4 100644 GIT binary patch literal 130 zcmV-|0Db=eM@dveQdv+`0O&Q5+FgO3lnB<>I&*mS`)#${Mf$&w35HsE;r);k>T>PR z0^5-D&rF|cmGQU@9zAjzKWuBA$@S~X@5RIvW%tM34itN5B0R%Z|L4y+tqvAWR~f04 kU(g1EWOfkfw_5;VDl|gcFq+BxzO^$RF+8F24XI^K#MJpf@Bjb+ literal 1514 zcmcJPNw1?u6ovQwD>^TmB<}9VJUq#YY$z}uu$c{UVig5u9t@c2*T?DCn~v0*NU80q zd!&2LSLLo$5uC5WUID6kRmA1X4Pycxp)ep3O(BBf7|0Mbed9=y$0;Uw`QUyxV*o)1 z=JEycJQs#OgVWHbe1i2cF2oSY;-MdgJda*Jv{l_+VH94kdD3=Q?0PL=eGN;r{QS>Z z16ff&u4M2LsDkdEOdx)gls)(=UP{*q^1Wj}TyjgJjb8f%_3+7UxhLIGNU((>MU!e; zWdxQz%nYA?rp1 zj8l-b1j1d+2KotN@#GhIc_~q@&4CjnPz+>5#LUt1yZ~sEmGCtJ*=}!Oogz!FUUZse z+Ybaf*(Y7xH4oDv^RP>4rrtTUD#9kEwVid^4!2v~qIJ7a6En+pXL{0noy8wJ>?X#y zG3x49P^WY^s}Sx7?NTzG_gJf}NSl$BQ! zezJsUxxAELg9NJhFwQEg$JLM-ccwECetwt(VsxLBPj*4;Plrr89&*qJ4mBH2Mmk0A>7+&- zojQgY*xeR1KJqe2<6fz*#Dyli`8ENXDbtg(h~rB+3%Pk(ydKQPsSWe!%(w7n%u!M( z{nTfkwvdY3xh(c<0<5!QJhyV?Nc(RDe5>et0&0eDMwSVv;9lQoNK*yF~VKh_Sg~7E6qi|gQ^~>)+{ru~f-`>?6wp~#L z$t?+kC4mw2XN>zy;wFZ@VayxGdGFT>h?dWf;*S+D2%5Rd!r@Z@JNVZ4gHJu~f&%N2 zA({x38y#}e;*~LH3mfWk>#0@gFb4PFYLO2tlNFS;V99z&Rj;0pP?R`6n>YG-YWYZ} z?qX3n5@;YJozu9(`ndAW%0^z@k-LCd1y7GfTojv%!zD>SE&#Nv>OqvUbW-%*;8T_p zhE=Aeik36UW}kPiylN`wP|HtA|Ayp6IBGTHumQQ?w)2Yh@o;Ll=b=*vz^Wba@om>M zht+ENse{qmSxl>fGM?{|@FRa8@$Ks949llD)!|#)HGjSb)Q3%*ROOQVf@5EZ4}SxA CeecWw diff --git a/temp.env b/temp.env deleted file mode 100644 index e69de29..0000000