diff options
author | Franck Cuny <franck@fcuny.net> | 2023-12-14 17:54:52 -0800 |
---|---|---|
committer | Franck Cuny <franck@fcuny.net> | 2023-12-14 17:54:52 -0800 |
commit | cd54909e6ef6faa27c3066100782acf7fd704890 (patch) | |
tree | 5953b23f268347051090b65aa14348d1a9802d37 /docs/secrets.org | |
parent | use the `update-flake-lock` to update nix flakes (diff) | |
download | world-cd54909e6ef6faa27c3066100782acf7fd704890.tar.gz |
update the main documentation
Delete unused/outdated documentations.
Diffstat (limited to 'docs/secrets.org')
-rw-r--r-- | docs/secrets.org | 29 |
1 files changed, 0 insertions, 29 deletions
diff --git a/docs/secrets.org b/docs/secrets.org deleted file mode 100644 index 5c350e0..0000000 --- a/docs/secrets.org +++ /dev/null @@ -1,29 +0,0 @@ -#+TITLE: Secrets - -* secrets -** system -Secrets at the system level are managed by [[https://github.com/ryantm/agenix][agenix]]. The secrets are encrypted with a couple of =age= keys. I do not use ssh keys to encrypt the secrets. Instead, I do the following: -- each system has a key for the user root, and the secrets for that host are encoded with it as a recipient -- on each workstation, my user (=fcuny=) has a key and the secrets for all the hosts are encrypted with it as a recipient -- in addition, I've a backup key stored on a USB device, and I used its public key to encrypt all the secrets with it - -These keys are backed up on an external USB device and in passage. When re-provisioning a host, the keys are restored from the USB device or from passage itself. - -When provisioning a new host, a key for root (and my user if it's a workstation) is created and stored on the USB device and in passage. -*** add a new secret -#+begin_src sh -nix run github:ryantm/agenix -- -i ~/.age/key.txt -e sendsms/sendsms.age -#+end_src -*** re-key secrets -#+begin_src sh -nix run github:ryantm/agenix -- -i ~/.age/key.txt -r -#+end_src -** home-manager -Nothing for now. -** passage -I use [[https://github.com/FiloSottile/passage][passage]] to store passwords locally. The content of the store is pushed to a remote git repository, and I synchronized the store regularly to the USB device. -* misc -** GPG -nop nop nop nop nop -** keyring -I don't need one anymore. |