nixcfg/cluster/prod/app/plume/secrets.toml

[service_user."plume"]
password_secret = "plume/pgsql_pw"


[secrets."plume/secret_key"]
type = 'command'
rotate = true
command = 'openssl rand -base64 32'


# Plume backup

[secrets."plume/backup_restic_repository"]
type = 'user'
description = 'Restic repository'
example = 's3:https://s3.garage.tld'

[secrets."plume/backup_restic_password"]
type = 'user'
description = 'Restic password to encrypt backups'

[secrets."plume/backup_aws_secret_access_key"]
type = 'user'
description = 'Backup AWS secret access key'

[secrets."plume/backup_aws_access_key_id"]
type = 'user'
description = 'Backup AWS access key ID'