NixOS/docs/playbooks/add-secret.md
Danilo Reyes d448e0f6c8 reviewing
2026-01-30 16:42:29 -06:00


Playbook: Add a Secret Entry

  • Name: Add or update a secret
  • Purpose: Place secrets in the correct SOPS file with secureHost gating.
  • Prerequisites: Target host(s) must have my.secureHost = true; identify secret type and consumer service/module.
  • Inputs: Secret name, target file (certs/env/gallery/homepage/keys/wireguard/secrets), owner/group if file material is written, consuming module path.
  • Steps:
    1. Choose the correct secrets file from the map in docs/constitution.md and add the entry there (YAML, encrypted via sops-nix).
    2. If a private key or file path is required, specify owner, group, and target path consistent with the consuming module.
    3. In the consuming module, reference the secret under config.sops.secrets.<name> and guard with lib.mkIf config.my.secureHost.
    4. For WireGuard entries, update secrets/wireguard.yaml and corresponding interface configuration under the target host.
    5. Avoid adding secrets for hosts with secureHost = false; instead route the workload to a secure host or skip enablement.
  • Validation:
    • Secret lives in the correct file and is encrypted with SOPS; file ownership matches the service user where applicable.
    • Module references are gated by secureHost and align with host toggles.
  • Outputs: Updated secrets file and gated module references.
  • References: docs/constitution.md (Secrets Map and secureHost), docs/reference/index.md (Secrets Map, Hosts and Roles)
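The steps above as a single consuming module, added here as an illustration and not code from this repository. The option set my.services.exampleDaemon, the service user example-daemon, the relative path to secrets/keys.yaml and the ExecStart placeholder are assumptions; only my.secureHost and sops-nix's sops.secrets come from the playbook.

```nix
# Added example (not from the repository): a module that consumes one secret
# from the keys file and gates every effect on config.my.secureHost.
{ config, lib, pkgs, ... }:

let
  cfg = config.my.services.exampleDaemon;  # hypothetical option set
  secretName = "example-daemon/private-key";
in
{
  options.my.services.exampleDaemon.enable =
    lib.mkEnableOption "example daemon (hypothetical secret consumer)";

  config = lib.mkMerge [
    # Step 5: on a host without secureHost, enablement is skipped rather than
    # half-applied; the warning makes the skip visible at evaluation time.
    {
      warnings = lib.optional (cfg.enable && !config.my.secureHost)
        "exampleDaemon is enabled but my.secureHost is false; no secret will be installed.";
    }

    (lib.mkIf (cfg.enable && config.my.secureHost) {
      # Steps 1-2: the entry lives in the keys file; owner/group match the
      # service user so the decrypted file is readable only by that service.
      sops.secrets.${secretName} = {
        sopsFile = ../../secrets/keys.yaml;  # assumed path; follow the Secrets Map
        owner = "example-daemon";
        group = "example-daemon";
        mode = "0400";
      };

      users.users.example-daemon = {
        isSystemUser = true;
        group = "example-daemon";
      };
      users.groups.example-daemon = { };

      # Step 3: the service reads the decrypted path at runtime; the secret
      # value itself never enters the Nix store.
      systemd.services.example-daemon = {
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          User = "example-daemon";
          Group = "example-daemon";
          # placeholder command; a real daemon would take the key path as an argument
          ExecStart = "${pkgs.coreutils}/bin/cat ${config.sops.secrets.${secretName}.path}";
        };
      };
    })
  ];
}
```

Because the entire config block sits under lib.mkIf, a host with my.secureHost = false gets neither the secret, the user nor the service, which is the gating the Validation section asks for.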