README: detail sops

This commit is contained in:
Astro 2022-01-08 21:22:24 +01:00
parent b788033951
commit 9b86acecaa
1 changed files with 18 additions and 2 deletions

@ -128,7 +128,7 @@ Use the `nixprox.sh` script that should be copied to
Add your gpg-id to the .gpg-id file in secrets and let somebody reencrypt it for you. Add your gpg-id to the .gpg-id file in secrets and let somebody reencrypt it for you.
Maybe this works for you, maybe not. I did it somehow: Maybe this works for you, maybe not. I did it somehow:
``` ```bash
PASSWORD_STORE_DIR=`pwd` tr '\n' ' ' < .gpg-id | xargs -I{} pass init {} PASSWORD_STORE_DIR=`pwd` tr '\n' ' ' < .gpg-id | xargs -I{} pass init {}
``` ```
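Review bot: the fence tag is the only change here, but the command it wraps has a quoting bug worth fixing while the block is being touched: in `PASSWORD_STORE_DIR=\`pwd\` tr '\n' ' ' < .gpg-id | xargs -I{} pass init {}` the variable prefix applies only to the `tr` command, so `pass init` on the right of the pipe runs with the default store, not this directory. Separately, `xargs -I{}` substitutes the whole input line for `{}`, and after `tr '\n' ' '` the file is one line, so two or more ids arrive at `pass init` as a single space-joined argument. `PASSWORD_STORE_DIR=$(pwd) xargs pass init < .gpg-id` sets the variable for the right process and passes each id as its own argument, which would also explain the "maybe this works for you, maybe not" caveat above it.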
@ -137,15 +137,31 @@ This is necessary, so you can login to any machine with your gpg key.
## Secrets Management Using `sops-nix` ## Secrets Management Using `sops-nix`
### Adding a new host
Edit `secrets/.sops.yaml`:
1. Add an AGE key for this host. Comments in this file tell you how to
do it.
2. Add a `creation_rules` section for `host/$host/*yaml` files
### Editing a hosts secrets
Edit `secrets/.sops.yaml` to add files for a new host and its SSH pubkey. Edit `secrets/.sops.yaml` to add files for a new host and its SSH pubkey.
``` ```bash
# Enter the secrets flake
cd secrets cd secrets
# Get sops
nix develop nix develop
# Decrypt, start en EDITOR, encrypt
sops hosts/.../secrets.yaml sops hosts/.../secrets.yaml
# Push
git commit -a -m YOLO git commit -a -m YOLO
git push origin HEAD:master git push origin HEAD:master
# Go back to this flake
cd .. cd ..
# Update flake.lock file
nix flake lock . --update-input secrets nix flake lock . --update-input secrets
``` ```
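Review bot: the new step 2 says the `creation_rules` entry covers `host/$host/*yaml`, while the command block below edits `hosts/.../secrets.yaml`; sops selects keys for a new file by matching its path against `creation_rules`, so with this mismatch a new host's file would not match the rule. Please align the two paths (`host/` vs `hosts/`) before merging. The sentence left under "### Editing a hosts secrets" ("Edit `secrets/.sops.yaml` to add files for a new host and its SSH pubkey.") now duplicates the new "Adding a new host" subsection, which says an AGE key is what goes in that file, so it should be dropped or moved there. Minor wording: "a hosts secrets" should be "a host's secrets", and the comment "start en EDITOR" should read "start an EDITOR".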