ackama · eoinkelly · Aug 31, 2024 · May 25, 2024 · May 25, 2024 · May 25, 2024
diff --git a/variants/backend-base/config/app.yml b/variants/backend-base/config/app.yml
@@ -1,15 +1,26 @@
 # Be sure to restart your server when you modify this file.
 #
-# Use this file to load non-sensitive app config from ENV. Config values here
-# will be loaded into `Rails.application.config.app`.
-#
-# Sensitive config should be put in `config/secrets.yml` (which will load it
-# into `Rails.application.secrets`)
+# Use this file to load configuration values from the environment, which will
+# be accessible by the app through `Rails.application.config.app`
+
+default: &default
+  # Your secret key is used for verifying the integrity of signed cookies.
+  # If you change this key, all old signed cookies will become invalid!
+  # Make sure the secret is at least 30 characters and all random,
+  # no regular words, or you'll be exposed to dictionary attacks.
+  # You can use `rails secret` to generate a secure secret key.
+  secret_key_base: "<%= ENV.fetch('RAILS_SECRET_KEY_BASE') %>"
 
-default:
-  &default # The default `From:` address to use for email sent by this application
+  # The default `From:` address to use for email sent by this application
   mail_from: "<%= ENV['MAIL_FROM'] %>"
 
+  active_record_encryption_primary_key:
+    "<%= ENV.fetch('ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY') %>"
+  active_record_encryption_deterministic_key:
+    "<%= ENV.fetch('ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY') %>"
+  active_record_encryption_key_derivation_salt:
+    "<%= ENV.fetch('ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT') %>"
+
 development:
   <<: *default
 

diff --git a/variants/backend-base/config/application.rb b/variants/backend-base/config/application.rb
@@ -17,17 +17,17 @@
     # load config/app.yml into Rails.application.config.app.*
     config.app = config_for(:app)
 
+    # pull the secret_key_base from our app config
+    config.secret_key_base = config.app.secret_key_base
+
     config.middleware.insert_before Rack::Sendfile, HttpBasicAuth
     config.action_dispatch.default_headers["Permissions-Policy"] = "interest-cohort=()"
 
-    # ActiveRecord encrypted attributes expectes to find the key secrets under
-    # `config.active_record.encryption.*`. If the secrets were stored in Rails
-    # encrypted credentials file then Rails would map them automatically for us.
-    # We prefer to store the secrets in the ENV and load them through
-    # `config/secrets.yml` so we have to manually assign them here.
-    config.active_record.encryption.primary_key = Rails.application.secrets.active_record_encryption_primary_key
-    config.active_record.encryption.deterministic_key = Rails.application.secrets.active_record_encryption_deterministic_key
-    config.active_record.encryption.key_derivation_salt = Rails.application.secrets.active_record_encryption_key_derivation_salt
+    # Configure the encryption key for ActiveRecord encrypted attributes with values from our app config,
+    # as Rails only automatically picks them up if they're sourced from `config/credentials.yml.enc`
+    config.active_record.encryption.primary_key = Rails.application.config.app.active_record_encryption_primary_key
+    config.active_record.encryption.deterministic_key = Rails.application.config.app.active_record_encryption_deterministic_key
+    config.active_record.encryption.key_derivation_salt = Rails.application.config.app.active_record_encryption_key_derivation_salt
 
     config.action_dispatch.default_headers["X-Frame-Options"] = "DENY"
 

diff --git a/variants/backend-base/config/initializers/content_security_policy.rb b/variants/backend-base/config/initializers/content_security_policy.rb
@@ -40,9 +40,9 @@
   #   `*_src` method.
   #
   # asset_host = if Rails.env.development? || Rails.env.test?
-  #                "http://#{Rails.application.secrets.asset_host}"
+  #                "http://#{Rails.application.config.app.asset_host}"
   #              else
-  #                "https://#{Rails.application.secrets.asset_host}"
+  #                "https://#{Rails.application.config.app.asset_host}"
   #              end
   # policy.default_src :self, asset_host
 

diff --git a/variants/backend-base/config/secrets.yml b/variants/backend-base/config/secrets.yml
diff --git a/variants/backend-base/config/template.rb b/variants/backend-base/config/template.rb
@@ -2,7 +2,6 @@
 
 template "variants/backend-base/config/database.yml.tt", "config/database.yml", force: true
 
-copy_file "variants/backend-base/config/secrets.yml", "config/secrets.yml", force: true
 copy_file "variants/backend-base/config/app.yml", "config/app.yml"
 remove_file "config/master.key"
 remove_file "config/credentials.yml.enc"