From f1f040397d8c0191a33c59bc22302f8989486bd6 Mon Sep 17 00:00:00 2001 From: DavHau Date: Tue, 28 May 2024 13:08:03 +0200 Subject: [PATCH] docs/secrets: improve chapter assigning access Since we already walk the user through creating a secret in an earlier step, it makes more sense explain first how to add machines/users to an existing secret instead of creating a new one --- docs/site/getting-started/secrets.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/docs/site/getting-started/secrets.md b/docs/site/getting-started/secrets.md index d192a1c7..5f3be52c 100644 --- a/docs/site/getting-started/secrets.md +++ b/docs/site/getting-started/secrets.md @@ -106,17 +106,20 @@ In your nixos configuration you can get a path to secrets like this `config.sops ### Assigning Access -By default, secrets are encrypted for your key. To specify which users and machines can access a secret: +When using `clan secrets set ` without arguments, secrets are encrypted for the key of the user named like your current $USER. -```bash -clan secrets set --machine --machine --user --user -``` -You can also just add machines/users to existing secrets: +To add machines/users to an existing secret use: ```bash clan secrets machines add-secret ``` +Alternatively specify users and machines while creating a secret: + +```bash +clan secrets set --machine --machine --user --user +``` + ## Advanced In this section we go into more advanced secret management topics. @@ -188,11 +191,9 @@ Since our clan secret module will auto-import secrets that are encrypted for a p you can now remove `sops.secrets. = { };` unless you need to specify more options for the secret like owner/group of the secret file. - ## Indepth Explanation - The secrets system conceptually knows two different entities: - **Machine**: consumes secrets
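Review bot: In the first hunk (the Assigning Access section), the new sentence `+When using `clan secrets set ` without arguments, secrets are encrypted for the key of the user named like your current $USER.` is imprecise on two points: "without arguments" reads as no arguments at all, although the secret name is still required, and "named like your current $USER" is awkward. Suggest: "When `clan secrets set` is run without `--machine`/`--user` options, the secret is encrypted only for the key of the user whose name matches your `$USER`." Since this paragraph now leads the section, it should also state the consequence the reader needs before the `clan secrets machines add-secret` example: a machine that was not a recipient at creation time cannot decrypt the secret until it is added, which is the practical reason for the reordering described in the commit message. Minor: `$USER` should be in backticks like the other identifiers in the section.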
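Review bot: The second hunk (`@@ -188,11 +191,9 @@`) only removes the blank lines around `## Indepth Explanation`, which is unrelated to the change described in the commit message ("improve chapter assigning access"); either mention the whitespace cleanup in the message or drop the hunk so the patch stays focused. If the hunk is kept, the heading in the unchanged context line should be spelled "In-depth Explanation".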