# Playbook: Enroll VPS Secrets
- Name: Enroll VPS secrets after first boot
- Purpose: Enroll the vps host key and re-encrypt secrets so services can start.
- Prerequisites: vps host booted and reachable; secure host; SOPS access on operator machine.
- Inputs: vps host public key; secrets files under `secrets/`; repo checkout.
- Steps:
  1. Retrieve the vps host public key from the running instance.
  2. Add the vps public key to SOPS recipients for the relevant secrets files.
  3. Re-encrypt secrets and commit updates as needed.
  4. Rebuild the vps host from an explicitly authorized operator machine.
- Validation:
  - Services that require secrets start successfully after the rebuild.
  - SOPS decrypt succeeds on the vps host without manual intervention.
- Outputs: Updated secrets files with the vps recipient; vps host with secrets available.
- References: `docs/constitution.md` (Secrets Map and secureHost), `docs/reference/index.md` (Hosts and Roles)
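Steps 1 to 3 of this playbook as a shell script, an added example that is not part of the playbook or its repository. It assumes SOPS is configured with age recipients, that the host's ssh-ed25519 key is converted with ssh-to-age (the playbook names neither tool), that `.sops.yaml` lists recipients on an unquoted comma-separated `age:` line, and that the secrets live in `secrets/*.yaml`; the `is_age_recipient`, `add_recipient` and `missing_recipient` helpers are mine, not the project's.

```shell
# Added example, not from the playbook. Assumes SOPS uses age recipients, the
# host's ssh-ed25519 key is converted with ssh-to-age (the playbook names neither
# tool), .sops.yaml lists recipients on an unquoted comma-separated "age:" line,
# and the secrets live in secrets/*.yaml.
set -eu

# Step 1: fetch the host's ed25519 public key and convert it to an age recipient.
fetch_host_age_key() {
  ssh-keyscan -t ed25519 "$1" 2>/dev/null | ssh-to-age
}

# Shape check before touching config: "age1" followed by 58 bech32 characters.
is_age_recipient() {
  printf '%s\n' "$1" | grep -qE '^age1[02-9ac-hj-np-z]{58}$'
}

# Step 2: append the recipient to the age: rule in .sops.yaml. Idempotent:
# returns 0 without changes when the key is already listed.
add_recipient() {  # args: path to .sops.yaml, age recipient
  local cfg="$1" key="$2"
  is_age_recipient "$key" || { echo "not an age recipient: $key" >&2; return 1; }
  grep -qF -- "$key" "$cfg" && return 0
  grep -qE '^[[:space:]]*age: ' "$cfg" || { echo "no age: rule in $cfg" >&2; return 1; }
  sed -i.bak -E "s|^([[:space:]]*age: [^[:space:]]+).*$|\1,$key|" "$cfg"
  rm -f "$cfg.bak"
}

# Step 3 check: after `sops updatekeys`, every secrets file must list the new
# recipient in its sops.age metadata. Prints the files that do not; returns 1 if any.
missing_recipient() {  # args: age recipient, secrets files...
  local key="$1" f rc=0; shift
  for f in "$@"; do
    grep -qE "^[[:space:]]*-?[[:space:]]*recipient: $key[[:space:]]*$" "$f" \
      || { echo "$f"; rc=1; }
  done
  return "$rc"
}

# Steps 1-3 end to end; set -e aborts before the commit if any file lacks the
# recipient. Step 4 (rebuild from the authorized operator machine) is left to the operator.
enroll() {  # arg: vps hostname
  local key f
  key="$(fetch_host_age_key "$1")"
  add_recipient .sops.yaml "$key"
  for f in secrets/*.yaml; do sops updatekeys --yes "$f"; done
  missing_recipient "$key" secrets/*.yaml
  git add .sops.yaml secrets/ && git commit -m "secrets: enroll vps recipient"
}
if [ -n "${VPS_HOST:-}" ]; then enroll "$VPS_HOST"; fi
```

Run it from the repo checkout as `VPS_HOST=<hostname> sh enroll.sh`; it stops before step 4, which the playbook reserves for the authorized operator machine.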