diff --git a/.drone.yml b/.drone.yml
deleted file mode 100644
index 71b6026..0000000
--- a/.drone.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-kind: pipeline
-type: docker
-name: default
-
-steps:
- - name: deploy
- image: appleboy/drone-ssh
- settings:
- host:
- from_secret: DEPLOY_HOST
- port:
- from_secret: DEPLOY_SSH_PORT
- username:
- from_secret: DEPLOY_USER
- password:
- from_secret: DEPLOY_PASSWORD
- script: |
- set -e
- cd /home/webapps/motief
- git pull origin main
- uv sync
- systemctl --user restart motief
-
-trigger:
- branch:
- - main
diff --git a/.github/workflows/forbid-env.yml b/.github/workflows/forbid-env.yml
new file mode 100644
index 0000000..40f7969
--- /dev/null
+++ b/.github/workflows/forbid-env.yml
@@ -0,0 +1,20 @@
+name: Forbid .env in repo
+
+on:
+ pull_request:
+ push:
+
+jobs:
+ check-no-env:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Fail if .env exists
+ run: |
+ if [ -f .env ]; then
+ echo ".env exists in repository root — failing build to avoid accidental secret exposure" >&2
+ exit 1
+ fi
+ shell: bash
diff --git a/ansible/deploy.yaml b/ansible/deploy.yaml
index ecf6da9..b099dc5 100644
--- a/ansible/deploy.yaml
+++ b/ansible/deploy.yaml
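Review bot: The guard `if [ -f .env ]; then` only catches a file literally named `.env` in the root of the checked-out tree, so a committed `.env.local`, `.env.production` or a nested `config/.env` passes the workflow unchanged. Checking the index makes the intent explicit and covers those variants: `if git ls-files | grep -Eq '(^|/)\.env(\.[^/]+)?$'; then`, with the pattern narrowed if a template such as `.env.example` is meant to stay tracked. Separately, `uses: actions/checkout@v4` pins a mutable tag; for a workflow whose purpose is secret hygiene, pinning the action to its full commit SHA (tag kept in a trailing comment) removes the tag-retargeting risk. The `echo` message could then print the matching path(s) from the `git ls-files` output instead of the fixed "repository root" wording.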
@@ -1,26 +1,26 @@
 ---
-- name: deploy gtfs application
- hosts: sgeboers.nl
+- name: deploy motief application
+ hosts: motief.sgeboers.nl
 remote_user: webapps
 tasks:
- - name: make directories
+ - name: pull latest code
 ansible.builtin.git:
- repo: https://git.sgeboers.nl/sgeboers/gtfs.git
- dest: ~/gtfs/code
+ repo: git@git.sgeboers.nl:sgeboers/motief.git
+ dest: ~/motief
 clone: yes
 force: yes
- - name: install virtualenv
- ansible.builtin.pip:
- name: virtualenv
- executable: pip3
- - name: install correct packages
- ansible.builtin.pip:
- requirements: ~/gtfs/code/requirements.txt
- virtualenv: ~/gtfs/env
- - name: stop old script
+
+ - name: sync dependencies with uv
+ ansible.builtin.shell:
+ cmd: uv sync
+ chdir: ~/motief
+
+ - name: stop existing streamlit process
 ansible.builtin.shell:
- cmd: kill $(ps aux | grep "bokeh serve" | grep -v grep | awk '{print $2}') || true
- - name: start script
+ cmd: pkill -f "streamlit run Home.py" || true
+
+ - name: start streamlit
 ansible.builtin.shell:
- cmd: . ~/gtfs/env/bin/activate; cd ~/gtfs/code; nohup bokeh serve main.py --allow-websocket-origin=sgeboers.nl:5006 --allow-websocket-origin=gtfs.sgeboers.nl &
+ cmd: nohup uv run streamlit run Home.py --server.port=8501 --server.address=0.0.0.0 &
+ chdir: ~/motief
diff --git a/ansible/inventory.ini b/ansible/inventory.ini
index a2d92df..b383206 100644
--- a/ansible/inventory.ini
+++ b/ansible/inventory.ini
@@ -1 +1 @@
-sgeboers.nl
+motief.sgeboers.nl
diff --git a/thoughts/shared/changes/2026-03-28-env-removal-report.md b/thoughts/shared/changes/2026-03-28-env-removal-report.md
new file mode 100644
index 0000000..70a7b70
--- /dev/null
+++ b/thoughts/shared/changes/2026-03-28-env-removal-report.md
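Review bot: The `start streamlit` task launches the server with `nohup … &` from `ansible.builtin.shell`, which leaves the process unsupervised: a crash is only papered over by the `|| true`-masked `pkill` on the next run, and a background child that inherits the task's stdout/stderr can keep the play waiting until it exits. The deleted `.drone.yml` restarted a `motief` user unit (`systemctl --user restart motief`); if that unit still exists on `motief.sgeboers.nl`, the stop/start pair collapses into one idempotent `ansible.builtin.systemd` task, shown below. `--server.address=0.0.0.0` binds Streamlit on every interface with no authentication in front of it; unless a host firewall or reverse proxy is doing access control, `127.0.0.1` behind the proxy is the safer default. The `clone: yes` / `force: yes` context lines are YAML 1.1 truthy values; `true` reads unambiguously, and `force: true` deserves a comment that it discards local edits in `~/motief` on the host.

```yaml
    # … unchanged: pull latest code and sync dependencies tasks …

    - name: restart streamlit service
      ansible.builtin.systemd:
        name: motief
        scope: user
        state: restarted
        daemon_reload: true
```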
@@ -0,0 +1,36 @@
+---
+date: 2026-03-28
+title: "Remove .env from tracking — report"
+---
+
+Summary
+-------
+
+I removed `.env` from the repository index and added it to `.gitignore` to prevent accidental future commits. This was a non-destructive, forward-facing change — the repository history still contains prior commits that touched `.env`.
+
+What I ran
+-----------
+
+- git rm --cached .env
+- ensured `.gitignore` contains `.env`
+- committed the change: chore(secrets): stop tracking .env and add to .gitignore
+
+Commits that referenced .env
+----------------------------
+
+These commits touched `.env` in the repository history (from git log --all -- .env):
+
+- 35f4667 2026-03-28 Sven Geboers chore(secrets): stop tracking .env and add to .gitignore
+- 3551a82 2026-03-21 Sven Geboers feat(analysis): add 2D political compass and 2D trajectories
+
+Notes
+-----
+
+- The `.env` file was removed from the index but remains in historical commits. If you need to remove it from history, we can perform a history rewrite (git-filter-repo or BFG) and force-push; this is destructive and requires coordination.
+- I created a CI guard to fail builds if a `.env` file is present in the repository root (see .github/workflows/forbid-env.yml). This prevents accidental re-adding via pushes/PRs.
+
+Next steps (recommended)
+------------------------
+
+1. Rotate secrets that might have been in `.env` (see the secrets-rotation checklist next). This is mandatory if those keys were used anywhere publicly or in shared CI.
+2. If you require history purge, reply confirming and I'll prepare a filter-repo run and the exact force-push sequence.
diff --git a/thoughts/shared/changes/2026-03-28-secrets-rotation-checklist.md b/thoughts/shared/changes/2026-03-28-secrets-rotation-checklist.md
new file mode 100644
index 0000000..24612de
--- /dev/null
+++ b/thoughts/shared/changes/2026-03-28-secrets-rotation-checklist.md
@@ -0,0 +1,25 @@
+---
+date: 2026-03-28
+title: "Secrets rotation checklist"
+---
+
+Rotate these secrets if they were stored in `.env` or otherwise exposed:
+
+- OPENROUTER_API_KEY / OPENAI_API_KEY
+- NPM_TOKEN
+- DEPLOY SSH keys or passwords (DEPLOY_SSH_KEY, DEPLOY_PASSWORD)
+- Any database credentials, API keys, or third-party service tokens
+
+Steps
+-----
+
+1. Revoke the current tokens in each provider's dashboard.
+2. Create new tokens/keys and store them in the repository secrets (GitHub Settings → Secrets).
+3. Update any running services / CI variables to use the new tokens.
+4. If you used SSH keys and replaced them, update the authorized_keys on the VPS and remove the old key.
+
+Verification
+------------
+
+- Use CI dry-run jobs that check connectivity and token validity.
+- Run local commands that use the new tokens.