18 lines
1.4 KiB
Markdown
18 lines
1.4 KiB
Markdown
# Playbook: Add a Secret Entry
|
|
|
|
- Name: Add or update a secret
|
|
- Purpose: Place secrets in the correct SOPS file with secureHost gating.
|
|
- Prerequisites: Target host(s) must have `my.secureHost = true`; identify secret type and consumer service/module.
|
|
- Inputs: Secret name, target file (certs/env/gallery/homepage/keys/wireguard/secrets), owner/group if file material is written, consuming module path.
|
|
- Steps:
|
|
1. Choose the correct secrets file from the map in `docs/constitution.md` and add the entry there (YAML, encrypted via sops-nix).
|
|
2. If a private key or file path is required, specify `owner`, `group`, and target path consistent with the consuming module.
|
|
3. In the consuming module, reference the secret under `config.sops.secrets.<name>` and guard with `lib.mkIf config.my.secureHost`.
|
|
4. For WireGuard entries, update `secrets/wireguard.yaml` and corresponding interface configuration under the target host.
|
|
5. Avoid adding secrets for hosts with `secureHost = false`; instead route the workload to a secure host or skip enablement.
|
|
- Validation:
|
|
- Secret lives in the correct file and encrypts with SOPS; file ownership matches service user where applicable.
|
|
- Module references are gated by `secureHost` and align with host toggles.
|
|
- Outputs: Updated secrets file and gated module references.
|
|
- References: `docs/constitution.md` (Secrets Map and secureHost), `docs/reference/index.md` (Secrets Map, Hosts and Roles)
|