forked from hacc/haccfiles
stuebinm
41d82ae436
we decided to:
- get rid of unused packages
- simplify the directory layout since we only have one host anyways
- move our docs (such as they are) in-tree
749 B
+++
title = "Secrets"
categories = [ "services", "sops" ]
+++
Secret management
We use sops-nix to manage secrets which we'd like to have in Git but don't want to be public. Entries in `secrets.yaml` are encrypted for each of the age keys listed in `.sops.yaml`, which are themselves derived from ssh keys.
For the initial setup, please take a look at the sops-nix README file.

To edit the secrets file, run `sops secrets.yaml`, which will decrypt the file & open it in your `$EDITOR`, then re-encrypt it when you're done.
To add a new key, use `ssh-to-age` to convert your ssh key to age, and add it to `.sops.yaml`. Then run `sops updatekeys secrets.yaml` to re-encrypt the file for the new set of keys.
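The step that is easy to forget is the last one: editing `.sops.yaml` changes nothing until `sops updatekeys` re-encrypts `secrets.yaml`, and the same holds in the other direction, where a key removed from `.sops.yaml` can still decrypt the file until it is re-encrypted. The script below is an added example (not part of this repository or of sops-nix) that compares the age recipients declared in `.sops.yaml` with the `recipient:` entries in the `sops:` metadata block of `secrets.yaml` and reports keys that are missing (re-encryption still needed) or stale (old key still able to decrypt). It assumes a single creation rule in the anchor/alias layout from the sops-nix README covering the one secrets file, and uses regex extraction rather than a YAML library so it runs without dependencies; the sample files and age keys are constructed.

```python
"""Check that secrets.yaml is encrypted for exactly the age recipients listed in .sops.yaml."""
import re
from typing import Dict, List, Set

# age recipients are bech32: "age1" followed by 58 characters of the bech32 alphabet.
AGE_PUBKEY = re.compile(r"\bage1[02-9ac-hj-np-z]{58}\b")
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def fake_age_key(n: int) -> str:
    """Constructed, syntactically valid age recipient for the sample data (not a real key)."""
    rotated = BECH32[n:] + BECH32[:n]
    return "age1" + (rotated * 2)[:58]


# Constructed .sops.yaml in the anchor/alias layout: two recipients, one creation rule.
SAMPLE_SOPS_YAML = (
    "keys:\n"
    "  - &admin_alice " + fake_age_key(0) + "\n"
    "  - &host_nixos " + fake_age_key(1) + "\n"
    "creation_rules:\n"
    "  - path_regex: secrets[.]yaml$\n"
    "    key_groups:\n"
    "      - age:\n"
    "          - *admin_alice\n"
    "          - *host_nixos\n"
)

# Constructed encrypted secrets.yaml: sops records one `recipient:` per key the data key was wrapped for.
SAMPLE_SECRETS_YAML = (
    "example_password: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]\n"
    "sops:\n"
    "    age:\n"
    "        - recipient: " + fake_age_key(0) + "\n"
    "          enc: |\n"
    "            -----BEGIN AGE ENCRYPTED FILE-----\n"
    "            PLACEHOLDER\n"
    "            -----END AGE ENCRYPTED FILE-----\n"
    "        - recipient: " + fake_age_key(1) + "\n"
    "          enc: |\n"
    "            -----BEGIN AGE ENCRYPTED FILE-----\n"
    "            PLACEHOLDER\n"
    "            -----END AGE ENCRYPTED FILE-----\n"
    "    mac: ENC[AES256_GCM,data:PLACEHOLDER,type:str]\n"
)


def recipients_in_sops_config(sops_yaml: str) -> Set[str]:
    """Every age recipient declared in .sops.yaml (assumes one creation rule, so all keys apply)."""
    return set(AGE_PUBKEY.findall(sops_yaml))


def recipients_in_secrets(secrets_yaml: str) -> Set[str]:
    """Age recipients the encrypted file was actually encrypted for, from its sops metadata."""
    return set(re.findall(r"recipient:\s*(age1[02-9ac-hj-np-z]{58})", secrets_yaml))


def check_recipients(sops_yaml: str, secrets_yaml: str) -> Dict[str, List[str]]:
    """'missing': in .sops.yaml but not yet encrypted for (run `sops updatekeys`).
    'stale': still able to decrypt although no longer in .sops.yaml (also fixed by updatekeys)."""
    wanted = recipients_in_sops_config(sops_yaml)
    actual = recipients_in_secrets(secrets_yaml)
    return {"missing": sorted(wanted - actual), "stale": sorted(actual - wanted)}


def add_recipient(sops_yaml: str, anchor: str, pubkey: str) -> str:
    """Return .sops.yaml text with a new `&anchor` key and its `*anchor` alias in the age list.
    Assumes the anchor layout above: keys listed before `creation_rules:`, one age alias list."""
    if not AGE_PUBKEY.fullmatch(pubkey):
        raise ValueError("not an age public key: %r" % pubkey)
    lines = sops_yaml.rstrip("\n").split("\n")
    lines.insert(lines.index("creation_rules:"), "  - &%s %s" % (anchor, pubkey))
    last_alias = max(i for i, line in enumerate(lines) if line.lstrip().startswith("- *"))
    indent = lines[last_alias][: len(lines[last_alias]) - len(lines[last_alias].lstrip())]
    lines.insert(last_alias + 1, "%s- *%s" % (indent, anchor))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Before adding a key the two files agree; after editing .sops.yaml the new key is "missing"
    # until `sops updatekeys secrets.yaml` has been run.
    print(check_recipients(SAMPLE_SOPS_YAML, SAMPLE_SECRETS_YAML))
    updated = add_recipient(SAMPLE_SOPS_YAML, "admin_bob", fake_age_key(2))
    print(check_recipients(updated, SAMPLE_SECRETS_YAML))
```

Run it against the real files with `check_recipients(open(".sops.yaml").read(), open("secrets.yaml").read())`; a non-empty `stale` list after removing someone's key is the case worth a CI failure, since that key still decrypts the committed history until the file is re-encrypted (and the secrets themselves rotated).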