forked from c3d2/nix-config
README: detail sops
This commit is contained in:
parent
b788033951
commit
9b86acecaa
20
README.md
@ -128,7 +128,7 @@ Use the `nixprox.sh` script that should be copied to
Add your gpg-id to the .gpg-id file in secrets and let somebody reencrypt it for you.
Maybe this works for you, maybe not. I did it somehow:
```
```bash
PASSWORD_STORE_DIR=`pwd` tr '\n' ' ' < .gpg-id | xargs -I{} pass init {}
```
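Review bot: the `bash` fence tag is the right fix, but the command kept as context right below it hands `pass init` a single argument: `xargs -I{}` treats each input line as one item, and `tr '\n' ' '` has just joined every key id from `.gpg-id` into one line, so with more than one id `pass init` receives them space-joined as one gpg-id. That is a plausible reason for the "maybe this works for you, maybe not" above. `xargs pass init < .gpg-id` (no `tr`, no `-I`) passes each id as its own argument and re-encrypts the store for all of them; it is also worth stating that the person running this must already hold a private key matching one of the existing ids, since the re-encryption is the step that grants the new key access.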
@ -137,15 +137,31 @@ This is necessary, so you can login to any machine with your gpg key.
## Secrets Management Using `sops-nix`
### Adding a new host
Edit `secrets/.sops.yaml`:
1. Add an AGE key for this host. Comments in this file tell you how to
do it.
2. Add a `creation_rules` section for `host/$host/*yaml` files
### Editing a hosts secrets
Edit `secrets/.sops.yaml` to add files for a new host and its SSH pubkey.
```
```bash
# Enter the secrets flake
cd secrets
# Get sops
nix develop
# Decrypt, start en EDITOR, encrypt
sops hosts/.../secrets.yaml
# Push
git commit -a -m YOLO
git push origin HEAD:master
# Go back to this flake
cd ..
# Update flake.lock file
nix flake lock . --update-input secrets
```
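Review bot: the first sentence under `### Editing a hosts secrets` ("Edit `secrets/.sops.yaml` to add files for a new host and its SSH pubkey.") duplicates the new `### Adding a new host` section directly above it and disagrees with it on the key type (SSH pubkey here, AGE key in step 1); either drop it from the editing section or fold the SSH-key detail into step 1 so readers get one procedure for onboarding a host. Smaller points in the same hunk: `hosts` should read `host's` in the heading, `start en EDITOR` should be `start an EDITOR`, and `git commit -a -m YOLO` should carry a real message in documentation; since `-a` stages every modified tracked file in the secrets checkout, a `git status` before the push is a sensible check to show so only the intended encrypted file goes out.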