stuebinm
41d82ae436
we decided to:
- get rid of unused packages
- simplify the directory layout since we only have one host anyways
- move our docs (such as they are) in-tree
21 lines
749 B
Markdown
+++
title = "Secrets"
categories = [ "services", "sops" ]
+++

## Secret management

We use [sops-nix](https://github.com/Mic92/sops-nix) to manage secrets which we'd
like to have in Git but don't want to be public. Entries in `secrets.yaml` are
encrypted for each of the age keys listed in `.sops.yaml`, which are themselves
derived from SSH keys.

For the initial setup, please take a look at the sops-nix README.

To edit the secrets file, run `sops secrets.yaml`, which will decrypt the
file, open it in your `$EDITOR`, and re-encrypt it when you're done.

To add a new key, use `ssh-to-age` to convert your SSH key to an age key and
add it to `.sops.yaml`. Then run `sops updatekeys secrets.yaml` to re-encrypt
the file for the new set of keys.
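A check worth running after `sops updatekeys`, as an added example that is not part of this repository's docs or of sops-nix itself: it compares the age keys listed in `.sops.yaml` with the `recipient:` entries in the `sops:` metadata block of `secrets.yaml`, so a key that was added to the config but never re-encrypted for shows up immediately instead of at decrypt time on the new machine. The two sample files and the `age1example...` recipients are constructed placeholders, and the `.sops.yaml` layout (anchors under `keys`, `key_groups` in `creation_rules`) is assumed rather than copied from the repository.

```shell
# Added example (not part of the original docs): after `sops updatekeys`,
# confirm that secrets.yaml really is encrypted for every age key in .sops.yaml.
# Uses only grep/sort so it runs without sops or ssh-to-age installed.

# Constructed placeholder recipients; real age keys are "age1" + 58 bech32 chars.
SAMPLE_ALICE=age1examplealice0000000000000000000000000000000000000000000000
SAMPLE_BOB=age1examplebob00000000000000000000000000000000000000000000000000

# .sops.yaml listing both keys (layout assumed: anchors under `keys`).
write_config() {
  cat > "$1/.sops.yaml" <<EOF
keys:
  - &alice $SAMPLE_ALICE
  - &bob $SAMPLE_BOB
creation_rules:
  - path_regex: secrets.yaml
    key_groups:
      - age:
          - *alice
          - *bob
EOF
}

# secrets.yaml in the shape sops writes, with a constructed ciphertext stanza
# per recipient. Arguments after the directory are the recipients to include.
write_encrypted() {
  dir="$1"; shift
  {
    echo 'db_password: ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]'
    echo 'sops:'
    echo '    age:'
    for r in "$@"; do
      echo "        - recipient: $r"
      echo '          enc: |'
      echo '            -----BEGIN AGE ENCRYPTED FILE-----'
      echo '            cGxhY2Vob2xkZXIgY2lwaGVydGV4dA=='
      echo '            -----END AGE ENCRYPTED FILE-----'
    done
    echo '    version: 3.7.3'
  } > "$dir/secrets.yaml"
}

# Fresh: secrets.yaml was re-encrypted for everyone in .sops.yaml.
write_fresh_samples() { write_config "$1"; write_encrypted "$1" "$SAMPLE_ALICE" "$SAMPLE_BOB"; }
# Stale: .sops.yaml gained bob, but `sops updatekeys` was never run.
write_stale_samples() { write_config "$1"; write_encrypted "$1" "$SAMPLE_ALICE"; }

# Print each configured key that is not a recipient of the encrypted file.
# Returns 0 when every key in .sops.yaml can decrypt it, 1 otherwise.
check_recipients() {
  configured=$(grep -o 'age1[0-9a-z]*' "$1" | sort -u)
  if [ -z "$configured" ]; then
    echo "no age keys found in $1"
    return 1
  fi
  # Only look at `recipient:` lines so base64 ciphertext can never match.
  actual=$(grep -o 'recipient: *age1[0-9a-z]*' "$2" | grep -o 'age1[0-9a-z]*' | sort -u)
  status=0
  for key in $configured; do
    if ! printf '%s\n' "$actual" | grep -qxF "$key"; then
      echo "missing recipient: $key"
      status=1
    fi
  done
  return $status
}

# Stand-alone demo on the constructed samples.
demo=$(mktemp -d)
write_fresh_samples "$demo"
check_recipients "$demo/.sops.yaml" "$demo/secrets.yaml" && echo "fresh: all keys present"
write_stale_samples "$demo"
check_recipients "$demo/.sops.yaml" "$demo/secrets.yaml" || echo "stale: run 'sops updatekeys secrets.yaml'"
rm -rf "$demo"
```

Run against the real files with `check_recipients .sops.yaml secrets.yaml` from the repository root; a non-zero exit means the config and the encrypted file have drifted apart.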