docs/secrets: document sops import

2023-09-21 15:32:56 +02:00 · 2023-09-21 15:32:56 +02:00 · f350bfd7fd
commit f350bfd7fd
parent 0540fb7103
1 changed files with 22 additions and 0 deletions
--- a/docs/secrets-management.md
+++ b/docs/secrets-management.md
@ -132,3 +132,25 @@ For convenience, Clan CLI allows group creation to simplify access management. H
   ```console
   $ clan secrets groups add-secret <group_name> <secret_name>
   ```
+
+# NixOS integration
+
+A NixOS machine will automatically import all secrets that were encrypted for the same.
+At runtime it will
+
+# Importing existing sops-based keys / sops-nix
+
+`clan secrets` stores each secrets in a single file, whereas [sops](https://github.com/Mic92/sops-nix)
+commonly allows to put all secrets in a yaml or json documents.
+
+If you already happend to use sops-nix, you can migrate by using the `clan secrets import-sops` command by importing these documents:
+
+```console
+% clan secrets import-sops --prefix matchbox- --group admins --machine matchbox nixos/matchbox/secrets/secrets.yaml
+```
+
+This will create secrets for each secret found in `nixos/matchbox/secrets/secrets.yaml` in a ./sops folder of your repository.
+Each member of the group `admins` will be able
+
+Since our clan secret module will auto-import secrets that are encrypted for a particular nixos machine,
+you can now remove `sops.secrets.<secrets> = { };` unless you need to specify more options for the secret like owner/group of the secret file.