Commit 3e22cb5
Changed files (2)
secrets/README.md
@@ -0,0 +1,59 @@
+# Secret Management
+
+> [!NOTE]
+> This folder is **not** a module for password management. I use self-hosted [VaultWarden][vaultwarden] for password management.
+
+All my secrets are managed using [sops][sops] and stored under this folder. Secrets can be decrypted using either my PGP key or the host's SSH key (i.e., `/etc/ssh/ssh_host_ed25519_key`) and are stored in the `/run/secrets` directory on the machine.
+
+## Adding a New Host
+
+First, run:
+
+```sh
+nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+```
+
+## Creating Secrets
+
+Open the secret file in the terminal using sops:
+
+```sh
+sops secrets/base/secrets.yaml
+```
+
+Then edit and add new secret fields:
+
+```yaml
+this: "is a secret"
+and: { a: { nest: secret } }
+```
+
+Next, edit and add the field in `/secrets/base/default.nix`:
+
+```nix
+let
+ mapSecrets = keys:
+ builtins.listToAttrs (builtins.map (k: {
+ name = k;
+ value = {
+ format = "yaml";
+ sopsFile = ./secrets.yaml;
+ };
+ })
+ keys);
+in {
+ sops.secrets = mapSecrets [
+ "this"
+ "and/a/nest"
+ ];
+}
+```
+
+You can then access the secrets elsewhere using `config.sops.secrets.<name>` or `config.sops.placeholder.<name>`.
+
+## Creating a New Secret Type
+
+Add a new regex matching group in the `creation_rules` field of `.sops.yaml`.
+
+[sops]: https://github.com/getsops/sops
+[vaultwarden]: https://github.com/dani-garcia/vaultwarden
\ No newline at end of file
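Review bot: the "Adding a New Host" section stops right after the `ssh-to-age` command, so the reader is left holding an `age1...` public key with no instruction on what to do with it; the missing steps are to add that key to `.sops.yaml` (as an `age` recipient in the relevant `creation_rules` entry, typically via an anchor under `keys`) and then re-encrypt the existing files with `sops updatekeys secrets/base/secrets.yaml`, since until the host's derived age key is among the recipients sops-nix cannot decrypt the file at activation. Three smaller points in the same hunk: `/secrets/base/default.nix` carries a leading slash that reads as an absolute path while the earlier command uses `secrets/base/secrets.yaml` relative to the repo root, so drop the slash; `config.sops.secrets.<name>` evaluates to the option attrset and what a service actually consumes is `config.sops.secrets.<name>.path` (the file under `/run/secrets`), which the closing sentence of "Creating Secrets" should say; and "regex matching group" in "Creating a New Secret Type" should name the real field, a `path_regex` entry under `creation_rules`. Finally, the file lacks a trailing newline (`\ No newline at end of file`), which is worth fixing before further edits produce noisy diffs.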
secrets/README.zh-CN.md
@@ -0,0 +1,59 @@
+# 机密管理
+
+> [!NOTE]
+> 此文件夹**不是**关于密码管理的模块,我使用自托管的 [VaultWarden][vaultwarden] 进行密码管理。
+
+我的所有机密都使用 [sops][sops] 进行管理,存储在这一文件夹下。机密可以通过我的 PGP 密钥或主机的 ssh 密钥(也就是 `/etc/ssh/ssh_host_ed25519_key`)进行解密,并存储在机器的 `/run/secrets` 目录下。
+
+## 添加新主机
+
+首先
+
+```sh
+nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+```
+
+## 创建机密
+
+在终端中使用 sops 打开机密所在的文件:
+
+```sh
+sops secrets/base/secrets.yaml
+```
+
+并编辑添加新的机密字段:
+
+```yaml
+this: "is a secret"
+and: { a: { nest: secret } }
+```
+
+随后在 `/secrets/base/default.nix` 中编辑添加该字段
+
+```nix
+let
+ mapSecrets = keys:
+ builtins.listToAttrs (builtins.map (k: {
+ name = k;
+ value = {
+ format = "yaml";
+ sopsFile = ./secrets.yaml;
+ };
+ })
+ keys);
+in {
+ sops.secrets = mapSecrets [
+ "this"
+ "and/a/nest"
+ ];
+}
+```
+
+即可在其他地方通过 `config.sops.secrets.<name>` 或 `config.sops.placeholder.<name>` 来调用机密。
+
+## 创建新机密类型
+
+在 `.sops.yaml` 中的 `creation_rules` 字段添加一个新的正则匹配组即可。
+
+[sops]: https://github.com/getsops/sops
+[vaultwarden]: https://github.com/dani-garcia/vaultwarden
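Review bot: the zh-CN file inherits the same gap as the English one: "首先" (First) introduces only the `ssh-to-age` command and nothing follows, so the steps that make the new host usable, adding the printed `age1...` public key to `.sops.yaml` and re-encrypting with `sops updatekeys secrets/base/secrets.yaml`, should be added here in the same commit so the two READMEs stay in sync. The other fixes apply here too: `/secrets/base/default.nix` should lose its leading slash to match `secrets/base/secrets.yaml`, the last sentence of "创建机密" should point at `config.sops.secrets.<name>.path`, and "正则匹配组" in "创建新机密类型" should name the `path_regex` field of `creation_rules`. Minor wording: "首先" ends without a colon or verb while the English line reads "First, run:", so "首先运行:" would read better.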