feat: that waw easy:

.env.project

@@ -0,0 +1,43 @@
+# Project configuration
+# TODO (amiller68): i should be kinda to myself and
+#  write a bin/config that validates this according to the
+#  notes i have here.
+
+# the name of your project -- this will control
+#  the naming of resources and apps, as well
+#  as parameterize where we read env vars from
+#  in 1password
+# NOTE (amiller68): do not try to change this after you initialize
+#  workspaces, dev envs, and infra!
+# Idt it would strictly *break* anything, but might result in some
+#  PITA bugs
+PROJECT_NAME=krondor-generic
+
+# the name of the vault we will load cloud
+#  provider credentials from
+# NOTE (amiller68): this should exist in your op account, managed by an admin
+# this basically describes the 'keys to the infra kingdom'
+# you should come up with a more a better way to secure these providers
+# on a dedicated account once your project is actually up and running.
+CLOUD_VAULT=cloud-providers
+
+#  List of services (must match config/deploy/*.yml files)
+#  Format: service_name:subdomain (empty subdomain = root domain)
+#  Where subdomain describes where the service will be deployed
+#  relative to DNS_ROOT_ZONE
+# e.g. these will deploy to <root-dns-name>,app.<root-dns-name> for production
+# SERVICES="static:,ts-web:ts,py:app"
+SERVICES="static:generic,py:py.generic,ts-web:ts.generic"
+
+# Container registry configuration
+#  Whether to use private repositories on Docker Hub
+USE_PRIVATE_REPOS=false
+
+# DNS configuration
+#  Root domain for your project.
+# We use cloudflare for our DNS service,
+#  So this should point to a root zone within your
+#  cloudflare account that you configure in your
+#  cloud provider vault. See .env.vault for more details
+# TODO (amiller68): replace with better branded domain
+DNS_ROOT_ZONE=krondor.org

.env.vault

@@ -0,0 +1,51 @@
+# TODO (amiller68): docs describing how to get stuff from here injectable in kamal
+#  it is potentially a little annoying
+
+# Slug to describe what stage to load your environment from in op
+# These variables should be gauranteed by:
+#  - project config
+#  - and our scripts that source this file
+VAULT_SLUG=${PROJECT_NAME}-${STAGE}
+
+# Cloud provider credentials
+#  We assume that the `CLOUD_VAULT` var is exported
+#  before you source this
+# Everything in here in theory should be portable to other
+#  projects you might manage in the same cloud provider.
+
+# Terraform Cloud API token for workspace management.
+#  This account will be set up with a new org for the project
+#  Set up with new workspaces for all of our stages.
+TF_TOKEN=op://${CLOUD_VAULT}/TERRAFORM_CLOUD_API_TOKEN/credential
+
+# Docker Hub Access Token for container registry
+#  This account will host
+DOCKER_HUB_USERNAME=op://${CLOUD_VAULT}/DOCKER_HUB_LOGIN/username
+# NOTE (amiller68): annoyingly this has to be your full ass docker hub password.
+#  I am big assuming that if the project you're building off of this is any way successful
+#  you will do something more secure, or have a more production friendly container registry
+DOCKER_HUB_PASSWORD=op://${CLOUD_VAULT}/DOCKER_HUB_LOGIN/credential
+DOCKER_HUB_TOKEN=op://${CLOUD_VAULT}/DOCKER_HUB_TOKEN/credential
+
+# For managing DNS zones across your account in Cloudflare
+#  This account must:
+#  - own the root dns zone name you set up in .env.project
+#  - have permissions to manage its DNS config
+CLOUDFLARE_API_TOKEN=op://${CLOUD_VAULT}/CLOUDFLARE_DNS_API_TOKEN/credential
+
+# NOTE (amiller68): i mapped the var name since the TF DigitalOcean provider expects DIGITALOCEAN_TOKEN
+#  for deploying droplets on Digital Ocean
+# Api token with access to a Digital Ocean Account
+#  This account will end up owning the created resources.
+#  It should have billing set up and have enough limits to deploy a few droplets
+DIGITALOCEAN_TOKEN=op://${CLOUD_VAULT}/DO_API_TOKEN/credential
+
+# App Configs
+#  Everything below is stuff you need to power your applications.
+#  These should be configured by stage
+
+# /py
+
+# Google OAuth Client
+GOOGLE_O_AUTH_CLIENT_ID=op://${VAULT_SLUG}/GOOGLE_O_AUTH_CLIENT/username
+GOOGLE_O_AUTH_CLIENT_SECRET=op://${VAULT_SLUG}/GOOGLE_O_AUTH_CLIENT/credential