
Secrets v1.0.0 - Centralized Secrets Management for Revenexx

revenexx-secrets-v1

Every service in the Revenexx ecosystem — from backend APIs to CI/CD pipelines — depends on secrets: database credentials, API tokens, encryption keys, SMTP passwords. Until now, these lived scattered across GitHub Secrets, .env files, and team knowledge. That fragility ends with this release.

Secrets introduces a dedicated, self-hosted Infisical instance as the single source of truth for all environment variables and secrets across Revenexx teams and infrastructure. Any service, any environment, one place.

What this means for Revenexx

  • One place for all secrets — teams no longer duplicate credentials across repos and environments. Services pull what they need from secrets.revenexx.com.
  • Cross-team visibility — platform, backend, and DevOps teams can manage, rotate, and audit secrets through a shared UI instead of chasing down who has access to what.
  • Foundation for secure scaling — as Revenexx grows, every new service connects to the same secrets infrastructure. No more ad-hoc secret passing.

Infrastructure

  • Hetzner Cloud VM (CAX21 ARM, Ubuntu 24.04, nbg1)
  • Floating IP with persistent netplan configuration
  • Firewall restricted to ports 22, 80, 443
  • Terraform state managed via Terraform Cloud

Deployment & Configuration

  • Fully automated provisioning — a push to main runs Terraform + Ansible end-to-end, standing up the entire stack from zero
  • Production stack — Infisical v0.155.5, PostgreSQL 14, Redis on Docker Compose
  • Automatic TLS — Caddy reverse proxy with auto-certificates at secrets.revenexx.com
  • SMTP integration — full email pipeline (GitHub Secrets → Workflow → Ansible → env template → Infisical) for notifications and team invitations
  • Hardened by default — database and Redis internal-only, SSH allowlisted
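The network layout the bullets above describe, as an added Docker Compose sketch that is not the project's own file: only Caddy publishes ports 80 and 443, PostgreSQL and Redis sit on an internal-only network with no host port mappings, and Infisical is reachable only through the proxy. The image tags, environment variable names, the Caddyfile contents, the 8080 upstream port and the .env variables are assumptions, not taken from the release.

```yaml
# Caddyfile mounted read-only below (upstream port 8080 is an assumption):
#   secrets.revenexx.com {
#       reverse_proxy infisical:8080
#   }
services:
  caddy:
    image: caddy:2
    ports:
      - "80:80"    # ACME HTTP challenge and HTTPS redirect only
      - "443:443"  # the only externally reachable application port
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy_data:/data   # issued certificates survive restarts
    networks: [edge, internal]
    depends_on: [infisical]

  infisical:
    image: infisical/infisical:v0.155.5   # version from the release notes; tag format assumed
    env_file: .env   # ENCRYPTION_KEY, AUTH_SECRET, SMTP_* (assumed names); never committed
    environment:
      SITE_URL: https://secrets.revenexx.com
      DB_CONNECTION_URI: postgres://infisical:${POSTGRES_PASSWORD}@db:5432/infisical
      REDIS_URL: redis://:${REDIS_PASSWORD}@redis:6379
    # no `ports:` block: reachable only via Caddy; `edge` gives it outbound SMTP access
    networks: [edge, internal]
    depends_on: [db, redis]

  db:
    image: postgres:14
    environment:
      POSTGRES_USER: infisical
      POSTGRES_DB: infisical
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
    volumes:
      - pg_data:/var/lib/postgresql/data
    networks: [internal]   # internal-only: no host port, no route off the host

  redis:
    image: redis:7
    command: ["redis-server", "--requirepass", "${REDIS_PASSWORD}"]
    networks: [internal]
networks:
  edge: {}
  internal:
    internal: true   # Docker blocks all traffic between this network and the outside

volumes:
  caddy_data: {}
  pg_data: {}
```

A quick check that the hardening holds: `docker compose ps` should list published ports only for the caddy service, and `ss -ltnp` on the host should show nothing listening on 5432 or 6379.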

Documentation & Catalog

  • Comprehensive README with architecture diagram, stack overview, and deployment guide
  • TechDocs via MkDocs (overview, deployment, secrets reference, Caddy TLS)
  • Backstage catalog-info.yaml with TechDocs annotation, GitHub integration, and service links
  • .rxmeta manifest for internal app discovery

Stats

14 commits · 19 files · ~1,100 lines added

Links