# Playbook: Add a Secret Entry

- Name: Add or update a secret
- Purpose: Place secrets in the correct SOPS file with secureHost gating.
- Prerequisites: Target host(s) must have `my.secureHost = true`; identify secret type and consumer service/module.
- Inputs: Secret name, target file (certs/env/gallery/homepage/keys/wireguard/secrets), owner/group if file material is written, consuming module path.
- Steps:
  1. Choose the correct secrets file from the map in `docs/constitution.md` and add the entry there (YAML, encrypted via sops-nix).
  2. If a private key or file path is required, specify `owner`, `group`, and target path consistent with the consuming module.
  3. In the consuming module, reference the secret under `config.sops.secrets.<name>` and guard with `lib.mkIf config.my.secureHost`.
  4. For WireGuard entries, update `secrets/wireguard.yaml` and corresponding interface configuration under the target host.
  5. Avoid adding secrets for hosts with `secureHost = false`; instead route the workload to a secure host or skip enablement.
- Validation:
  - Secret lives in the correct file and encrypts with SOPS; file ownership matches service user where applicable.
  - Module references are gated by `secureHost` and align with host toggles.
- Outputs: Updated secrets file and gated module references.
- References: `docs/constitution.md` (Secrets Map and secureHost), `docs/reference/index.md` (Secrets Map, Hosts and Roles)