README: detail sops

README.md

@@ -128,7 +128,7 @@ Use the `nixprox.sh` script that should be copied to
 Add your gpg-id to the .gpg-id file in secrets and let somebody reencrypt it for you.
 Maybe this works for you, maybe not. I did it somehow:
 
-```
+```bash
 PASSWORD_STORE_DIR=`pwd` tr '\n' ' ' < .gpg-id | xargs -I{} pass init {}
 ```
 
@@ -137,15 +137,31 @@ This is necessary, so you can login to any machine with your gpg key.
 
 ## Secrets Management Using `sops-nix`
 
+### Adding a new host
+
+Edit `secrets/.sops.yaml`:
+
+1. Add an AGE key for this host. Comments in this file tell you how to
+   do it.
+2. Add a `creation_rules` section for `host/$host/*yaml` files
+
+### Editing a hosts secrets
+
 Edit `secrets/.sops.yaml` to add files for a new host and its SSH pubkey.
 
-```
+```bash
+# Enter the secrets flake
 cd secrets
+# Get sops
 nix develop
+# Decrypt, start en EDITOR, encrypt
 sops hosts/.../secrets.yaml
+# Push
 git commit -a -m YOLO
 git push origin HEAD:master
+# Go back to this flake
 cd ..
+# Update flake.lock file
 nix flake lock . --update-input secrets
 ```