feat(maevsi): turn firebase service account credentials into secret

Author: dargmuesli

README.md

@@ -54,6 +54,10 @@ This project is deployed in accordance to the [DargStack template](https://githu
 
     The cloud computing provider's user credentials.
 
+ - ### `maevsi_firebase-service-account-credentials`
+    
+    The notification provider's service account credentials.
+    
  - ### `maevsi_openai-api-key`
 
     The AI provider's API key.

src/development/stack.yml

@@ -22,6 +22,9 @@ secrets:
   maevsi_aws-credentials:
     # The cloud computing provider's user credentials.
     file: ./secrets/maevsi/aws-credentials.secret
+  maevsi_firebase-service-account-credentials:
+    # The notification provider's service account credentials.
+    file: ../production/secrets/maevsi/firebase-service-account-credentials.secret
   maevsi_openai-api-key:
     # The AI provider's API key.
     file: ../production/secrets/maevsi/openai-api-key.secret
@@ -188,8 +191,6 @@ services:
     environment:
       AWS_REGION: ${MAEVSI_AWS_REGION}
       CONSOLA_LEVEL: 4 # debug #DARGSTACK-REMOVE
-      FIREBASE_SERVICE_ACCOUNT_CREDENTIALS: ${MAEVSI_FIREBASE_SERVICE_ACCOUNT_CREDENTIALS}
-      NUXT_PRIVATE_API_NOTIFICATION_SECRET: ${MAEVSI_NUXT_PRIVATE_API_NOTIFICATION_SECRET}
       NUXT_PUBLIC_GTAG_ID: ${MAEVSI_NUXT_PUBLIC_GTAG_ID}
       NUXT_PUBLIC_I18N_BASE_URL: https://${STACK_DOMAIN}
       NUXT_PUBLIC_MAEVSI_EMAIL_LIMIT24H: ${MAEVSI_NUXT_PUBLIC_MAEVSI_EMAIL_LIMIT24H}
@@ -202,6 +203,8 @@ services:
         target: /run/environment-variables/NUXT_PRIVATE_API_NOTIFICATION_SECRET
       - source: maevsi_aws-credentials
         target: /home/node/.aws/credentials # TODO: switch to user `node`
+      - source: maevsi_firebase-service-account-credentials
+        target: /run/environment-variables/FIREBASE_SERVICE_ACCOUNT_CREDENTIALS
       - source: maevsi_openai-api-key
         target: /run/environment-variables/NUXT_PRIVATE_OPENAI_API_KEY
       - source: maevsi_turnstile-key

src/production/production.yml

@@ -68,8 +68,6 @@ services:
         - traefik.http.routers.maevsi_beta_secure.tls.certresolver=default
     environment:
       AWS_REGION: ${MAEVSI_AWS_REGION}
-      FIREBASE_SERVICE_ACCOUNT_CREDENTIALS: ${MAEVSI_FIREBASE_SERVICE_ACCOUNT_CREDENTIALS}
-      NUXT_PRIVATE_API_NOTIFICATION_SECRET: ${MAEVSI_NUXT_PRIVATE_API_NOTIFICATION_SECRET}
       NUXT_PUBLIC_GTAG_ID: ${MAEVSI_NUXT_PUBLIC_GTAG_ID}
       NUXT_PUBLIC_I18N_BASE_URL: https://${STACK_DOMAIN}
       NUXT_PUBLIC_MAEVSI_EMAIL_LIMIT24H: ${MAEVSI_NUXT_PUBLIC_MAEVSI_EMAIL_LIMIT24H}
@@ -82,6 +80,8 @@ services:
         target: /run/environment-variables/NUXT_PRIVATE_API_NOTIFICATION_SECRET
       - source: maevsi_aws-credentials
         target: /home/node/.aws/credentials # TODO: switch to user `node`
+      - source: maevsi_firebase-service-account-credentials
+        target: /run/environment-variables/FIREBASE_SERVICE_ACCOUNT_CREDENTIALS
       - source: maevsi_openai-api-key
         target: /run/environment-variables/NUXT_PRIVATE_OPENAI_API_KEY
       - source: maevsi_turnstile-key

src/production/secrets/maevsi/firebase-service-account-credentials.secret.template

@@ -0,0 +1,13 @@
+{
+  "type": "service_account",
+  "project_id": "maevsi-3f373",
+  "private_key_id": "<private-key-id>",
+  "private_key": "<private-key>",
+  "client_email": "firebase-adminsdk-fbsvc@maevsi-3f373.iam.gserviceaccount.com",
+  "client_id": "<client-id>",
+  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+  "token_uri": "https://oauth2.googleapis.com/token",
+  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/firebase-adminsdk-fbsvc%40maevsi-3f373.iam.gserviceaccount.com",
+  "universe_domain": "googleapis.com"
+}