Playbook: Add a Secret Entry

Name: Add or update a secret
Purpose: Place secrets in the correct SOPS file with secureHost gating.
Prerequisites: Target host(s) must have my.secureHost = true; identify secret type and consumer service/module.
Inputs: Secret name, target file (certs/env/gallery/homepage/keys/wireguard/secrets), owner/group if file material is written, consuming module path.
Steps:
1. Choose the correct secrets file from the map in docs/constitution.md and add the entry there (YAML, encrypted via sops-nix).
2. If a private key or file path is required, specify owner, group, and target path consistent with the consuming module.
3. In the consuming module, reference the secret under config.sops.secrets.<name> and guard with lib.mkIf config.my.secureHost.
4. For WireGuard entries, update secrets/wireguard.yaml and corresponding interface configuration under the target host.
5. Avoid adding secrets for hosts with secureHost = false; instead route the workload to a secure host or skip enablement.
Validation:
- Secret lives in the correct file and encrypts with SOPS; file ownership matches service user where applicable.
- Module references are gated by secureHost and align with host toggles.
Outputs: Updated secrets file and gated module references.
References: docs/constitution.md (Secrets Map and secureHost), docs/reference/index.md (Secrets Map, Hosts and Roles)