From 09d4ea8429b93093f120de109134e33cfd279e68 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Fri, 10 Mar 2023 18:12:25 -0800
Subject: documentation: clean up

Delete gnome's keyring documentation; I will not be using it anymore, so no need to keep this around.

Add documentation about how to manage secrets, and clean up wireguard's documentation.
---
 docs/secrets.org | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 docs/secrets.org

diff --git a/docs/secrets.org b/docs/secrets.org
new file mode 100644
index 0000000..5c350e0
--- /dev/null
+++ b/docs/secrets.org
@@ -0,0 +1,29 @@ +#+TITLE: Secrets + +* secrets +** system +Secrets at the system level are managed by [[https://github.com/ryantm/agenix][agenix]]. The secrets are encrypted with a couple of =age= keys. I do not use ssh keys to encrypt the secrets. Instead, I do the following: +- each system has a key for the user root, and the secrets for that host are encoded with it as a recipient +- on each workstation, my user (=fcuny=) has a key and the secrets for all the hosts are encrypted with it as a recipient +- in addition, I've a backup key stored on a USB device, and I used its public key to encrypt all the secrets with it + +These keys are backed up on an external USB device and in passage. When re-provisioning a host, the keys are restored from the USB device or from passage itself. + +When provisioning a new host, a key for root (and my user if it's a workstation) is created and stored on the USB device and in passage. +*** add a new secret +#+begin_src sh +nix run github:ryantm/agenix -- -i ~/.age/key.txt -e sendsms/sendsms.age +#+end_src +*** re-key secrets +#+begin_src sh +nix run github:ryantm/agenix -- -i ~/.age/key.txt -r +#+end_src +** home-manager +Nothing for now. +** passage +I use [[https://github.com/FiloSottile/passage][passage]] to store passwords locally. The content of the store is pushed to a remote git repository, and I synchronized the store regularly to the USB device. +* misc +** GPG +nop nop nop nop nop +** keyring +I don't need one anymore. -- cgit v1.2.3
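Review bot: the backup scheme in the "system" section makes the USB device a single point of compromise and the passage copy circular: every private key (each host's root key, the workstation user key and the backup key) is written to the same USB device, and passage, the other stated backup of those keys, is itself synchronized to that device, so "the keys are restored from the USB device or from passage itself" cannot work unless a passage identity is available first, and the document never says where that identity lives or whether the USB device is encrypted. Suggest stating both, and keeping the backup key's private half off the device that holds the everyday keys. The section also never says where the recipients (public keys) are declared, so the provisioning step and the re-key step (`nix run github:ryantm/agenix -- -i ~/.age/key.txt -r`) cannot be followed as written; document the path of the agenix rules file the tool reads (its secrets.nix), that the commands are run from that directory, and that adding a new host's root public key there must be followed by the re-key. The "GPG" subsection is a placeholder ("nop nop nop nop nop") and should be written or dropped like the keyring section. Minor wording: "the secrets for that host are encoded with it as a recipient" should read "encrypted"; "I used its public key" and "I synchronized the store regularly" should be present tense.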