reviewing
This commit is contained in:
17
docs/playbooks/add-secret.md
Normal file
@@ -0,0 +1,17 @@
# Playbook: Add a Secret Entry
- Name: Add or update a secret
- Purpose: Place secrets in the correct SOPS file with secureHost gating.
- Prerequisites: Target host(s) must have `my.secureHost = true`; identify secret type and consumer service/module.
- Inputs: Secret name, target file (certs/env/gallery/homepage/keys/wireguard/secrets), owner/group if file material is written, consuming module path.
- Steps:
1. Choose the correct secrets file from the map in `docs/constitution.md` and add the entry there (YAML, encrypted via sops-nix).
2. If a private key or file path is required, specify `owner`, `group`, and target path consistent with the consuming module.
3. In the consuming module, reference the secret under `config.sops.secrets.<name>` and guard with `lib.mkIf config.my.secureHost`.
4. For WireGuard entries, update `secrets/wireguard.yaml` and corresponding interface configuration under the target host.
5. Avoid adding secrets for hosts with `secureHost = false`; instead route the workload to a secure host or skip enablement.
- Validation:
- Secret lives in the correct file and encrypts with SOPS; file ownership matches service user where applicable.
- Module references are gated by `secureHost` and align with host toggles.
- Outputs: Updated secrets file and gated module references.
- References: `docs/constitution.md` (Secrets Map and secureHost), `docs/reference/index.md` (Secrets Map, Hosts and Roles)
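Review bot: step 3 only gates the *reference* to the secret with `lib.mkIf config.my.secureHost`; the `sops.secrets.<name>` declaration added in step 1 is not said to be gated, so a module imported on a host with `secureHost = false` would still declare the secret and require that host to decrypt the file at activation, which contradicts step 5. Suggest stating in step 3 that both the declaration and the consumer sit inside the same `mkIf` (or that the module as a whole is only imported on secure hosts). Step 2 lists `owner`, `group` and target path for file material but not `mode`; for private keys (the WireGuard case in step 4) the permission bits matter as much as ownership, so add `mode` to the inputs in step 2 and extend the first Validation item from "file ownership matches service user" to ownership and mode. Finally, the Validation item "encrypts with SOPS" names no check; naming the command or the CI step the author expects (for example, confirming the file decrypts for the target host's key only) would make the item verifiable.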