From 4305c1bc1390146940a29c622bf39a23eb6d416f Mon Sep 17 00:00:00 2001
From: Henrik Jess Nielsen <lrihni@egmont.com>
Date: Sat, 23 May 2026 00:58:44 +0200
Subject: [PATCH] fix: inject secrets from Consul KV via Nomad template (not
 baked in image)

---
 .gitea/workflows/deploy.yml | 12 ------------
 moneycapp-tink-demo.nomad   | 12 ++++++++++++
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index b916551..521e1c6 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -25,18 +25,6 @@ jobs:
         run: |
           echo "${{ secrets.HARBOR_ROBOT_TOKEN }}" | docker login registry.i80.dk -u "robot\$gitserver" --password-stdin
 
-      - name: Write production env
-        run: |
-          cat > .env.production << 'ENVEOF'
-          TINK_CLIENT_ID=${{ secrets.TINK_CLIENT_ID }}
-          TINK_CLIENT_SECRET=${{ secrets.TINK_CLIENT_SECRET }}
-          TINK_REDIRECT_URI=https://tink-demo.i80.dk/callback
-          APP_BASE_URL=https://tink-demo.i80.dk
-          DEMO_MODE=false
-          ENVEOF
-          # Strip leading spaces
-          sed -i 's/^[[:space:]]*//' .env.production
-
       - name: Build and push image
         run: |
           SHA=$(echo "$GITHUB_SHA" | cut -c1-8)
diff --git a/moneycapp-tink-demo.nomad b/moneycapp-tink-demo.nomad
index 3bc4614..32146a9 100644
--- a/moneycapp-tink-demo.nomad
+++ b/moneycapp-tink-demo.nomad
@@ -34,6 +34,18 @@ job "tink-demo" {
         ports      = ["http"]
       }
 
+      template {
+        data = <<EOH
+TINK_CLIENT_ID="{{ key "tink-demo/TINK_CLIENT_ID" }}"
+TINK_CLIENT_SECRET="{{ key "tink-demo/TINK_CLIENT_SECRET" }}"
+TINK_REDIRECT_URI="https://tink-demo.i80.dk/callback"
+APP_BASE_URL="https://tink-demo.i80.dk"
+DEMO_MODE="false"
+EOH
+        destination = "secrets/app.env"
+        env         = true
+      }
+
       resources {
         cpu    = 256
         memory = 256