README: detail sops
parent
b788033951
commit
9b86acecaa
20
README.md
20
README.md
|
@ -128,7 +128,7 @@ Use the `nixprox.sh` script that should be copied to
|
||||||
Add your gpg-id to the .gpg-id file in secrets and let somebody reencrypt it for you.
|
Add your gpg-id to the .gpg-id file in secrets and let somebody reencrypt it for you.
|
||||||
Maybe this works for you, maybe not. I did it somehow:
|
Maybe this works for you, maybe not. I did it somehow:
|
||||||
|
|
||||||
```
|
```bash
|
||||||
PASSWORD_STORE_DIR=`pwd` tr '\n' ' ' < .gpg-id | xargs -I{} pass init {}
|
PASSWORD_STORE_DIR=`pwd` tr '\n' ' ' < .gpg-id | xargs -I{} pass init {}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
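Review bot: the `PASSWORD_STORE_DIR=`pwd`` prefix on the unchanged line `PASSWORD_STORE_DIR=`pwd` tr '\n' ' ' < .gpg-id | xargs -I{} pass init {}` only sets the variable for `tr`, the first command of the pipeline, so the `pass init` that `xargs` launches still runs against the default store in the home directory rather than this `secrets` checkout; and because `xargs -I{}` substitutes the whole (now single-line) input as one argument, several gpg-ids would reach `pass init` as a single space-joined id. Since this hunk only tags the fence as `bash`, it is a good moment to also fix the command, e.g. `PASSWORD_STORE_DIR="$PWD" xargs pass init < .gpg-id`, which passes each id as its own argument to a `pass` that sees the variable. That would also let the surrounding "maybe this works for you, maybe not" caveat be dropped.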
@ -137,15 +137,31 @@ This is necessary, so you can login to any machine with your gpg key.
|
||||||
|
|
||||||
## Secrets Management Using `sops-nix`
|
## Secrets Management Using `sops-nix`
|
||||||
|
|
||||||
|
### Adding a new host
|
||||||
|
|
||||||
|
Edit `secrets/.sops.yaml`:
|
||||||
|
|
||||||
|
1. Add an AGE key for this host. Comments in this file tell you how to
|
||||||
|
do it.
|
||||||
|
2. Add a `creation_rules` section for `host/$host/*yaml` files
|
||||||
|
|
||||||
|
### Editing a hosts secrets
|
||||||
|
|
||||||
Edit `secrets/.sops.yaml` to add files for a new host and its SSH pubkey.
|
Edit `secrets/.sops.yaml` to add files for a new host and its SSH pubkey.
|
||||||
|
|
||||||
```
|
```bash
|
||||||
|
# Enter the secrets flake
|
||||||
cd secrets
|
cd secrets
|
||||||
|
# Get sops
|
||||||
nix develop
|
nix develop
|
||||||
|
# Decrypt, start en EDITOR, encrypt
|
||||||
sops hosts/.../secrets.yaml
|
sops hosts/.../secrets.yaml
|
||||||
|
# Push
|
||||||
git commit -a -m YOLO
|
git commit -a -m YOLO
|
||||||
git push origin HEAD:master
|
git push origin HEAD:master
|
||||||
|
# Go back to this flake
|
||||||
cd ..
|
cd ..
|
||||||
|
# Update flake.lock file
|
||||||
nix flake lock . --update-input secrets
|
nix flake lock . --update-input secrets
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
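Review bot: the "Adding a new host" steps end after editing `secrets/.sops.yaml`, but a new AGE key listed in `creation_rules` only applies to files created afterwards; existing `hosts/*/secrets.yaml` files keep the recipients they were encrypted for until `sops updatekeys <file>` is run on them, so a third step "run `sops updatekeys hosts/$host/secrets.yaml` (or for every affected file) and commit the result" is needed or the new host will not be able to decrypt anything. Two smaller points in the same hunk: the sentence "Edit `secrets/.sops.yaml` to add files for a new host and its SSH pubkey." sits under "### Editing a hosts secrets" but repeats the new-host instructions above it and should move there (and the heading should read "host's"); and the comment `# Decrypt, start en EDITOR, encrypt` should read `an $EDITOR`. Consider replacing `git commit -a -m YOLO` with a `git add hosts/$host/secrets.yaml` plus a descriptive message, since `-a` will also sweep up any unrelated modified files in the secrets repo.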