author: Franck Cuny <franck@fcuny.net> 2023-03-10 18:12:25 -0800
committer: Franck Cuny <franck@fcuny.net> 2023-03-10 18:20:21 -0800
commit: 09d4ea8429b93093f120de109134e33cfd279e68 (patch)
tree: 1630eeafec054330aa6ffa9b71fd2329b24f70d1 /docs/secrets.org
parent: hosts/tahoe: delete unused secrets (diff)
download: world-09d4ea8429b93093f120de109134e33cfd279e68.tar.gz
documentation: clean up
Delete gnome's keyring documentation; I will not be using it anymore, so
there is no need to keep this around.

Add documentation about how to manage secrets, and clean up wireguard's
documentation.
Diffstat (limited to ''):
-rw-r--r-- docs/secrets.org | 29
1 files changed, 29 insertions, 0 deletions
diff --git a/docs/secrets.org b/docs/secrets.org
new file mode 100644
index 0000000..5c350e0
--- /dev/null
+++ b/docs/secrets.org
@@ -0,0 +1,29 @@
+#+TITLE: Secrets
+
+* secrets
+** system
+Secrets at the system level are managed by [[https://github.com/ryantm/agenix][agenix]]. The secrets are encrypted with a couple of =age= keys. I do not use ssh keys to encrypt the secrets. Instead, I do the following:
+- each system has a key for the user root, and the secrets for that host are encoded with it as a recipient
+- on each workstation, my user (=fcuny=) has a key and the secrets for all the hosts are encrypted with it as a recipient
+- in addition, I've a backup key stored on a USB device, and I used its public key to encrypt all the secrets with it
+
+These keys are backed up on an external USB device and in passage. When re-provisioning a host, the keys are restored from the USB device or from passage itself.
+
+When provisioning a new host, a key for root (and my user if it's a workstation) is created and stored on the USB device and in passage.
+*** add a new secret
+#+begin_src sh
+nix run github:ryantm/agenix -- -i ~/.age/key.txt -e sendsms/sendsms.age
+#+end_src
+*** re-key secrets
+#+begin_src sh
+nix run github:ryantm/agenix -- -i ~/.age/key.txt -r
+#+end_src
+** home-manager
+Nothing for now.
+** passage
+I use [[https://github.com/FiloSottile/passage][passage]] to store passwords locally. The content of the store is pushed to a remote git repository, and I synchronized the store regularly to the USB device.
+* misc
+** GPG
+nop nop nop nop nop
+** keyring
+I don't need one anymore.
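Review bot: the recovery path described in the "system" section has a gap that the document should close: the age keys are "backed up on an external USB device and in passage" (the paragraph starting "These keys are backed up"), but the "passage" section says the passage store is pushed to a remote git repository and mirrored to the same USB device. Restoring a host's root key "from passage itself" only works if the identity that decrypts the passage store is itself available from somewhere other than passage or the USB device; the doc should state which key that is and where it lives, otherwise a lost USB device leaves both backups unreadable. Same hunk, smaller wording points: "the secrets for that host are encoded with it as a recipient" should read "encrypted"; "I used its public key to encrypt all the secrets with it" should read "I use its public key to encrypt all the secrets"; "I synchronized the store regularly" should read "I synchronize the store regularly". In the "add a new secret" example, `sendsms/sendsms.age` is one specific secret from the repo; a placeholder such as `<name>.age` would make the recipe reusable, and it is worth noting next to `-i ~/.age/key.txt` which of the three identities (root, user, backup) that file is expected to hold, since the section introduces all three. Finally, the "GPG" section body is the placeholder "nop nop nop nop nop"; either drop the heading or replace it with the actual statement (for example the same "I don't need one anymore." used under "keyring").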