NixOS/docs/playbooks/enroll-vps.md
Danilo Reyes dbd3af3d0f new hosts vps
2026-02-03 15:31:47 -06:00

Playbook: Enroll VPS Secrets

  • Name: Enroll VPS secrets after first boot
  • Purpose: Enroll the vps host key and re-encrypt secrets so services can start.
  • Prerequisites: vps host booted and reachable; secure host; SOPS access on operator machine.
  • Inputs: vps host public key; secrets files under secrets/; repo checkout.
  • Steps:
    1. Retrieve the vps host public key from the running instance.
    2. Add the vps public key to SOPS recipients for the relevant secrets files.
    3. Re-encrypt secrets and commit updates as needed.
    4. Rebuild the vps host from an explicitly authorized operator machine.
  • Validation:
    • Services that require secrets start successfully after the rebuild.
    • SOPS decrypt succeeds on the vps host without manual intervention.
  • Outputs: Updated secrets files with the vps recipient; vps host with secrets available.
  • References: docs/constitution.md (Secrets Map and secureHost), docs/reference/index.md (Hosts and Roles)