author: Franck Cuny <franck@fcuny.net> 2024-12-16 17:04:38 -0800
committer: Franck Cuny <franck@fcuny.net> 2024-12-16 17:04:38 -0800
commit: 81c83679dcb73c58b651f2fd66e74c82bc7450b5
tree: cbc3a65369f692e647fa9709e5552eb0bcd56921
parent: enable per repository hooks
add some notes about secrets
 README.org | 26 +
 1 file changed, 26 insertions(+), 0 deletions(-)
diff --git a/README.org b/README.org
index 377e658..828bb77 100644
--- a/README.org
+++ b/README.org
@@ -1,5 +1,31 @@
 Tools, scripts, and configurations for my machines.
 
+* Secret management with =agenix=
+We use =agenix= to manipulate our secrets.
+** Create a new secret
+To create a new secret:
+#+begin_src sh
+cd ../secrets
+agenix -e <name of the secret>.age
+#+end_src
+** Manage the secrets
+In [[file+sys:../secrets/secrets.nix][secrets.nix]] you need to add the secret and who need to have access to it.
+
+In the configuration for one of the host, you'll then need to add:
+#+begin_src nix
+age.secrets.restic = {
+  file = ../../../secrets/restic-backups.age;
+  owner = "root";
+  group = "root";
+  path = "/etc/restic/secret";
+  mode = "600";
+};
+#+end_src
+** Edit secrets
+This is the easiest command to work with 1password:
+#+begin_src sh
+agenix -e restic-backups.age -i (op read "op://Personal/nixos/private key?ssh-format=openssh"|psub)
+#+end_src
 * Services
 ** ddns-updater
 This service runs on =vm-synology=.
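Review bot: the last command in the hunk, `agenix -e restic-backups.age -i (op read "op://Personal/nixos/private key?ssh-format=openssh"|psub)`, is fish syntax (`psub` process substitution), but the block is tagged `#+begin_src sh`; anyone pasting it into bash or sh gets a syntax error. Either tag the block `fish` or give the bash equivalent, `-i <(op read "op://Personal/nixos/private key?ssh-format=openssh")`. The host example is also internally inconsistent with the create step: `agenix -e <name of the secret>.age` suggests the file is named after the secret, yet the Nix block declares `age.secrets.restic` while pointing at `restic-backups.age`; either rename to `age.secrets.restic-backups` or state that the attribute name and the file name need not match. The `path = "/etc/restic/secret"` override deserves one sentence saying why restic needs the decrypted secret at that fixed location rather than wherever agenix would place it by default, since that is the setting a reader is most likely to copy without thinking. Minor wording: "one of the host" should read "one of the hosts", and "who need to have access to it" should read "who needs access to it".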