From ed827d4f578cd070aa175968559fcf55790e0b6e Mon Sep 17 00:00:00 2001
From: lilly <li@lly.sh>
Date: Mon, 10 Feb 2025 17:27:59 +0100
Subject: [PATCH] add readme documentation on passwords

---
 README.md | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/README.md b/README.md
index 0c8eb1a..48f98ea 100644
--- a/README.md
+++ b/README.md
@@ -7,6 +7,46 @@
   - CCCHH Proxmox Address: https://10.31.210.248:8006/
 
 
+## Password & Secret Management
+
+This repository contains a sops configuration that is used for password encryption as well as secret management for our nix machines.
+
+### Passwords
+
+All relevant passwords should be stored in `secrets/passwords.yaml` which is a plain yaml document with no strict schema but which is sops encrypted.
+It should contain all relevant passwords, a NOC admin needs.
+
+#### Accessing Passwords
+
+```bash
+sops decrypt secrets/passwords.yaml
+```
+
+#### Adding/Updating Passwords
+
+```bash
+sops edit secrets/passwords.yaml
+```
+
+#### Authorizing new Users
+
+Sops supports either GPG or age encryption.
+I (Lilly) personally prefer age since it skips all the openpgp cli weirdness and having to import keys from their IDs.
+
+Adding a new age key works like this:
+
+1. `vim .sops.yaml` and enter the new key (preferably as a yaml anchor) under `keys` as well as the `creation_rule` for the passwords file.
+   Look at the existing file content and you'll figure it out.
+2. `sops updatekeys secrets/passwords.yaml` to reencrypt the password file with the newly added key.
+3. Commit and push changes.
+
+### Machine-Secrets
+
+See [sops-nix](https://github.com/Mic92/sops-nix)
+
+**TODO**
+
+
 ## VM Installation Instructions
 
 1. Create a new system configuration in the [systems/](./systems/) directory.
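Review bot: the "Authorizing new Users" steps in this hunk leave out two things a new NOC admin will trip over. First, `sops updatekeys secrets/passwords.yaml` (step 2) has to be run by someone whose key can already decrypt the file, since re-encrypting the data key for the new recipient requires decrypting it first; the new user cannot self-authorize, so the text should say "an existing key holder runs ...". Second, there is no mention of how the new user produces and stores their age key: `age-keygen -o ~/.config/sops/age/keys.txt` generates it, sops looks for the private key in that file by default (or wherever `SOPS_AGE_KEY_FILE` points), and only the public `age1...` recipient string belongs in `.sops.yaml`; stating that explicitly removes the temptation to paste the private key into the repo. Step 1 ("Look at the existing file content and you'll figure it out") would also be clearer with the two places spelled out by name, e.g. the `&anchor` under `keys:` and the matching `*anchor` in the `key_groups`/`age` list of the `creation_rules` entry whose `path_regex` matches `secrets/passwords.yaml`. Minor: `sops decrypt` and `sops edit` are subcommands that only exist in sops 3.9 and later; older releases need `sops -d secrets/passwords.yaml` and `sops secrets/passwords.yaml`, so a one-line version note would save confusion on machines with a packaged older sops.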