diff options
author | Franck Cuny <franck@fcuny.net> | 2024-12-16 17:04:38 -0800 |
---|---|---|
committer | Franck Cuny <franck@fcuny.net> | 2024-12-16 17:04:38 -0800 |
commit | 81c83679dcb73c58b651f2fd66e74c82bc7450b5 (patch) | |
tree | cbc3a65369f692e647fa9709e5552eb0bcd56921 | |
parent | enable per repository hooks (diff) | |
download | world-81c83679dcb73c58b651f2fd66e74c82bc7450b5.tar.gz |
add some notes about secrets
-rw-r--r-- | README.org | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/README.org b/README.org index 377e658..828bb77 100644 --- a/README.org +++ b/README.org @@ -1,5 +1,31 @@ Tools, scripts, and configurations for my machines. +* Secret management with =agenix= +We use =agenix= to manipulate our secrets. +** Create a new secret +To create a new secret: +#+begin_src sh +cd ../secrets +agenix -e <name of the secret>.age +#+end_src +** Manage the secrets +In [[file+sys:../secrets/secrets.nix][secrets.nix]] you need to add the secret and who need to have access to it. + +In the configuration for one of the host, you'll then need to add: +#+begin_src nix +age.secrets.restic = { + file = ../../../secrets/restic-backups.age; + owner = "root"; + group = "root"; + path = "/etc/restic/secret"; + mode = "600"; +}; +#+end_src +** Edit secrets +This is the easiest command to work with 1password: +#+begin_src sh +agenix -e restic-backups.age -i (op read "op://Personal/nixos/private key?ssh-format=openssh"|psub) +#+end_src * Services ** ddns-updater This service runs on =vm-synology=. |