File size: 3,039 Bytes
9c3ba60
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
"""Phase 6AM — encrypt / decrypt the NEXUS .env into a committable .env.enc.

All your API keys can live in the repo encrypted, decrypted only at runtime
with one master key (``NEXUS_SECRETS_KEY``). See ``backend/secrets_loader.py``.

Usage (run from the backend/ directory):

    # 1) Generate a master key (keep it secret; this is your ONE host secret):
    python -m scripts.secrets_crypt keygen

    # 2) Encrypt your filled-in .env -> .env.enc (commit .env.enc, NOT .env):
    python -m scripts.secrets_crypt encrypt --key <MASTER_KEY>
    #    (defaults: src=.env  dst=.env.enc)

    # 3) Sanity-check the round trip (prints decrypted plaintext to stdout):
    python -m scripts.secrets_crypt decrypt --key <MASTER_KEY>

On the host (Render/Fly) set a single secret:  NEXUS_SECRETS_KEY=<MASTER_KEY>
and commit .env.enc. The app decrypts it on boot.
"""

from __future__ import annotations

import argparse
import sys
from pathlib import Path

from cryptography.fernet import Fernet

_BACKEND = Path(__file__).resolve().parent.parent
_DEFAULT_SRC = _BACKEND / ".env"
_DEFAULT_ENC = _BACKEND / ".env.enc"


def _keygen() -> int:
    print(Fernet.generate_key().decode("utf-8"))
    return 0


def _encrypt(src: Path, dst: Path, key: str) -> int:
    if not src.is_file():
        print(f"error: source file not found: {src}", file=sys.stderr)
        return 2
    data = src.read_bytes()
    token = Fernet(key.encode("utf-8")).encrypt(data)
    dst.write_bytes(token)
    print(f"encrypted {src} -> {dst} ({len(token)} bytes). Safe to commit {dst.name}.")
    return 0


def _decrypt(enc: Path, key: str) -> int:
    if not enc.is_file():
        print(f"error: encrypted file not found: {enc}", file=sys.stderr)
        return 2
    try:
        plaintext = Fernet(key.encode("utf-8")).decrypt(enc.read_bytes()).decode("utf-8")
    except Exception as exc:  # noqa: BLE001
        print(f"error: decryption failed (wrong key?): {exc}", file=sys.stderr)
        return 1
    sys.stdout.write(plaintext)
    return 0


def main(argv: list[str] | None = None) -> int:
    parser = argparse.ArgumentParser(prog="secrets_crypt")
    sub = parser.add_subparsers(dest="cmd", required=True)

    sub.add_parser("keygen", help="generate a new Fernet master key")

    enc = sub.add_parser("encrypt", help="encrypt a plaintext env file")
    enc.add_argument("--src", type=Path, default=_DEFAULT_SRC)
    enc.add_argument("--dst", type=Path, default=_DEFAULT_ENC)
    enc.add_argument("--key", required=True)

    dec = sub.add_parser("decrypt", help="decrypt an encrypted env file to stdout")
    dec.add_argument("--src", type=Path, default=_DEFAULT_ENC)
    dec.add_argument("--key", required=True)

    args = parser.parse_args(argv)
    if args.cmd == "keygen":
        return _keygen()
    if args.cmd == "encrypt":
        return _encrypt(args.src, args.dst, args.key)
    if args.cmd == "decrypt":
        return _decrypt(args.src, args.key)
    return 2


if __name__ == "__main__":  # pragma: no cover
    raise SystemExit(main())