From 3f469c09f03b31ff092322103dfcd8ffa0a8d541 Mon Sep 17 00:00:00 2001
From: ahtlon
Date: Thu, 14 Nov 2024 17:56:56 +0100
Subject: [PATCH] Add documentation describing how to add keys to sops

---
 doc/src/SUMMARY.md        |  1 +
 doc/src/anleitung/sops.md | 25 +++++++++++++++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 doc/src/anleitung/sops.md

diff --git a/doc/src/SUMMARY.md b/doc/src/SUMMARY.md
index 6792fa4..e9dc6e0 100644
--- a/doc/src/SUMMARY.md
+++ b/doc/src/SUMMARY.md
@@ -12,5 +12,6 @@
 - [musik](./projekte/musik.md)
 - [TODO](./todo.md)
 - [How-to]()
+  - [Sops](./anleitung/sops.md)
   - [Updates](./anleitung/updates.md)
   - [Rollbacks](./anleitung/rollback.md)
\ No newline at end of file
diff --git a/doc/src/anleitung/sops.md b/doc/src/anleitung/sops.md
new file mode 100644
index 0000000..e4ed319
--- /dev/null
+++ b/doc/src/anleitung/sops.md
@@ -0,0 +1,25 @@
+# Sops
+
+## How to add admin keys
+- Git:
+  - Generate gpg key
+  - Add public key to `./machines/secrets/keys/users/`
+  - Write the fingerprint of the gpg key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $FINGERPRINT`
+
+- Age:
+  - Generate age key for Sops:
+    ```
+    $ mkdir -p ~/.config/sops/age
+    $ age-keygen -o ~/.config/sops/age/keys.txt
+    ```
+    or to convert an ssh ed25519 key to an age key
+    ```
+    $ mkdir -p ~/.config/sops/age
+    $ nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt"
+    ```
+  - Get public key using `$ age-keygen -y ~/.config/sops/age/keys.txt`
+  - Write public key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $PUBKEY`
+
+- Write `- *admin_$USER` under the apropriate `key_grups:` of the secrets the user should have access to
+
+- Reencrypt existing secrets for the new key with `sops updatekeys` (kali is this right?)
\ No newline at end of file