haccfiles/docs/secrets.md

+++
title = "Secrets"
categories = [ "services", "sops" ]
+++

## Secret management

We use [sops-nix](https://github.com/Mic92/sops-nix) to manage secrets which we'd
like to have in Git but don't want to be public. Entries in `secrets.yaml` are
encrypted for each of the age keys listed in `.sops.yaml`, which are themselves
derived from ssh keys.

For the initial set up, please take a look at the sops-nix Readme file.

To edit the secrets file, run `sops secrets.yaml`, which will decrypt the
file & open it in your $EDITOR, then re-encrypt it when you're done.

To add a new key, use `ssh-to-age` to convert your ssh key to age, and add it to
`sops.yaml`. Then do `sops updatekeys secrets.yaml` to re-encrypt the file for
the new set of keys.
meta: new structure we decided to: - get rid of unused packages - simpify the directory layout since we only have one host anyways - move our docs (such as they are) in-tree 2024-01-11 21:53:02 +00:00			`+++`
			`title = "Secrets"`
			`categories = [ "services", "sops" ]`
			`+++`

			`## Secret management`

			`We use [sops-nix](https://github.com/Mic92/sops-nix) to manage secrets which we'd`
			like to have in Git but don't want to be public. Entries in `secrets.yaml` are
			encrypted for each of the age keys listed in `.sops.yaml`, which are themselves
			`derived from ssh keys.`

			`For the initial set up, please take a look at the sops-nix Readme file.`

			To edit the secrets file, run `sops secrets.yaml`, which will decrypt the
			`file & open it in your $EDITOR, then re-encrypt it when you're done.`

			To add a new key, use `ssh-to-age` to convert your ssh key to age, and add it to
			`sops.yaml`. Then do `sops updatekeys secrets.yaml` to re-encrypt the file for
			`the new set of keys.`