- Replace gtfs/bokeh deploy with motief/streamlit (port 8501)
- Update inventory to motief.sgeboers.nl
- Remove stale .drone.yml
- Add CI guard to forbid .env in repo
- Add env removal report and secrets rotation checklist

branch: main
parent: 35f4667982
commit: c0d1c59bd7
@ -1,26 +0,0 @@ |
kind: pipeline |
type: docker |
name: default |
|
steps: |
- name: deploy |
image: appleboy/drone-ssh |
settings: |
host: |
from_secret: DEPLOY_HOST |
port: |
from_secret: DEPLOY_SSH_PORT |
username: |
from_secret: DEPLOY_USER |
password: |
from_secret: DEPLOY_PASSWORD |
script: | |
set -e |
cd /home/webapps/motief |
git pull origin main |
uv sync |
systemctl --user restart motief |
|
trigger: |
branch: |
- main |
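Review bot: Deleting this file does not remove the DEPLOY_HOST, DEPLOY_SSH_PORT, DEPLOY_USER and DEPLOY_PASSWORD secrets it consumed from the Drone server's secret store, and the pipeline authenticated to the host with a password rather than a key. Add a step to delete those entries on the Drone side and treat DEPLOY_PASSWORD as exposed, which the secrets rotation checklist in this commit already lists.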
@ -0,0 +1,20 @@ |
name: Forbid .env in repo |
|
on: |
pull_request: |
push: |
|
jobs: |
check-no-env: |
runs-on: ubuntu-latest |
steps: |
- name: Checkout |
uses: actions/checkout@v4 |
|
- name: Fail if .env exists |
run: | |
if [ -f .env ]; then |
echo ".env exists in repository root — failing build to avoid accidental secret exposure" >&2 |
exit 1 |
fi |
shell: bash |
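Review bot: The guard in the `Fail if .env exists` step only tests `-f .env` in the repository root, so a tracked `.env.production`, `.env.local` or `config/.env` would pass unnoticed. Check the index instead, for example `if git ls-files | grep -qE '(^|/)\.env(\..+)?$'; then ... exit 1; fi`, which catches every tracked dotenv file wherever it sits. Separately, `uses: actions/checkout@v4` is pinned to a movable tag; pinning the action to a full commit SHA removes the dependency on that tag never being moved.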
@ -1,26 +1,26 @@ |
--- |
- name: deploy gtfs application |
hosts: sgeboers.nl |
- name: deploy motief application |
hosts: motief.sgeboers.nl |
remote_user: webapps |
|
tasks: |
- name: make directories |
- name: pull latest code |
ansible.builtin.git: |
repo: https://git.sgeboers.nl/sgeboers/gtfs.git |
dest: ~/gtfs/code |
repo: git@git.sgeboers.nl:sgeboers/motief.git |
dest: ~/motief |
clone: yes |
force: yes |
- name: install virtualenv |
ansible.builtin.pip: |
name: virtualenv |
executable: pip3 |
- name: install correct packages |
ansible.builtin.pip: |
requirements: ~/gtfs/code/requirements.txt |
virtualenv: ~/gtfs/env |
- name: stop old script |
|
- name: sync dependencies with uv |
ansible.builtin.shell: |
cmd: uv sync |
chdir: ~/motief |
|
- name: stop existing streamlit process |
ansible.builtin.shell: |
cmd: kill $(ps aux | grep "bokeh serve" | grep -v grep | awk '{print $2}') || true |
- name: start script |
cmd: pkill -f "streamlit run Home.py" || true |
|
- name: start streamlit |
ansible.builtin.shell: |
cmd: . ~/gtfs/env/bin/activate; cd ~/gtfs/code; nohup bokeh serve main.py --allow-websocket-origin=sgeboers.nl:5006 --allow-websocket-origin=gtfs.sgeboers.nl & |
cmd: nohup uv run streamlit run Home.py --server.port=8501 --server.address=0.0.0.0 & |
chdir: ~/motief |
|
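Review bot: The `start streamlit` task binds with `--server.address=0.0.0.0`, which exposes port 8501 on every interface of the host; if a reverse proxy fronts the app (the old bokeh command restricted itself to the sgeboers.nl origins), bind to 127.0.0.1 and let the proxy terminate TLS. The `pkill -f` / `nohup ... &` pair also replaces the `systemctl --user restart motief` that the deleted .drone.yml relied on; since a user unit apparently exists, `ansible.builtin.systemd` with `scope: user` gives a clean stop and survival across reboots instead of a pattern match on the command line. Note too that `nohup ... &` under `ansible.builtin.shell` can leave the task waiting on the child's open stdout; redirect output (`> /dev/null 2>&1`) or run the task with `async` and `poll: 0`.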
@ -1 +1 @@ |
sgeboers.nl |
motief.sgeboers.nl |
|
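Review bot: The inventory now names `motief.sgeboers.nl`, but the playbook hunk above also hardcodes `hosts: motief.sgeboers.nl`, so the hostname lives in two places. Put the host in a group (for example `[webapps]`) and have the play target the group, so the inventory stays the single source of truth the next time the host changes.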
@ -0,0 +1,36 @@ |
--- |
date: 2026-03-28 |
title: "Remove .env from tracking — report" |
--- |
|
Summary |
------- |
|
I removed `.env` from the repository index and added it to `.gitignore` to prevent accidental future commits. This was a non-destructive, forward-facing change — the repository history still contains prior commits that touched `.env`. |
|
What I ran |
----------- |
|
- git rm --cached .env |
- ensured `.gitignore` contains `.env` |
- committed the change: chore(secrets): stop tracking .env and add to .gitignore |
|
Commits that referenced .env |
---------------------------- |
|
These commits touched `.env` in the repository history (from git log --all -- .env): |
|
- 35f4667 2026-03-28 Sven Geboers chore(secrets): stop tracking .env and add to .gitignore |
- 3551a82 2026-03-21 Sven Geboers feat(analysis): add 2D political compass and 2D trajectories |
|
Notes |
----- |
|
- The `.env` file was removed from the index but remains in historical commits. If you need to remove it from history, we can perform a history rewrite (git-filter-repo or BFG) and force-push; this is destructive and requires coordination. |
- I created a CI guard to fail builds if a `.env` file is present in the repository root (see .github/workflows/forbid-env.yml). This prevents accidental re-adding via pushes/PRs. |
|
Next steps (recommended) |
------------------------ |
|
1. Rotate secrets that might have been in `.env` (see the secrets-rotation checklist next). This is mandatory if those keys were used anywhere publicly or in shared CI. |
2. If you require history purge, reply confirming and I'll prepare a filter-repo run and the exact force-push sequence. |
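Review bot: Step 1 under `Next steps` makes rotation conditional (`mandatory if those keys were used anywhere publicly or in shared CI`), yet the report itself records that commits 35f4667 and 3551a82 still carry `.env` and the deploy playbook pulls this repository from a remote, so anyone with clone access has had the values. Make rotation unconditional and do it before any filter-repo run; a history rewrite without rotation only hides the evidence. It would also help to list the variable names from the last committed `.env` next to the rotation checklist so no key is skipped.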
@ -0,0 +1,25 @@ |
--- |
date: 2026-03-28 |
title: "Secrets rotation checklist" |
--- |
|
Rotate these secrets if they were stored in `.env` or otherwise exposed: |
|
- OPENROUTER_API_KEY / OPENAI_API_KEY |
- NPM_TOKEN |
- DEPLOY SSH keys or passwords (DEPLOY_SSH_KEY, DEPLOY_PASSWORD) |
- Any database credentials, API keys, or third-party service tokens |
|
Steps |
----- |
|
1. Revoke the current tokens in each provider's dashboard. |
2. Create new tokens/keys and store them in the repository secrets (GitHub Settings → Secrets). |
3. Update any running services / CI variables to use the new tokens. |
4. If you used SSH keys and replaced them, update the authorized_keys on the VPS and remove the old key. |
|
Verification |
------------ |
|
- Use CI dry-run jobs that check connectivity and token validity. |
- Run local commands that use the new tokens. |
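Review bot: The `Verification` section only proves that the new tokens work; add a negative check that the old ones are rejected (an SSH attempt with the retired key after step 4, a request with the revoked API key) so a missed revocation is caught rather than assumed. Step 2 also names `GitHub Settings → Secrets` as the store, while the playbook clones from `git.sgeboers.nl` and the deleted pipeline read its secrets from Drone; list the secret stores actually in use, including deleting the stale Drone entries (DEPLOY_PASSWORD is already on this list).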