# Playbook: Enroll VPS Secrets

- Name: Enroll VPS secrets after first boot
- Purpose: Enroll the vps host key and re-encrypt secrets so services can start.
- Prerequisites: vps host booted and reachable; secure host; SOPS access on operator machine.
- Inputs: vps host public key; secrets files under `secrets/`; repo checkout.
- Steps:
  1. Retrieve the vps host public key from the running instance.
  2. Add the vps public key to SOPS recipients for the relevant secrets files.
  3. Re-encrypt secrets and commit updates as needed.
  4. Rebuild the vps host from an explicitly authorized operator machine.
- Validation:
  - Services that require secrets start successfully after the rebuild.
  - SOPS decrypt succeeds on the vps host without manual intervention.
- Outputs: Updated secrets files with the vps recipient; vps host with secrets available.
- References: `docs/constitution.md` (Secrets Map and secureHost), `docs/reference/index.md` (Hosts and Roles)