# Sops

## How to add admin keys

- GPG:
  - Generate a gpg key
  - Add the public key to `./machines/secrets/keys/users/`
  - Write the fingerprint of the gpg key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $FINGERPRINT`
- Age:
  - Generate an age key for Sops:
    ```
    $ mkdir -p ~/.config/sops/age
    $ age-keygen -o ~/.config/sops/age/keys.txt
    ```
    or convert an existing ssh ed25519 key to an age key:
    ```
    $ mkdir -p ~/.config/sops/age
    $ nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt"
    ```
    `keys.txt` holds the private key: keep it out of the repository, only the public key goes into `.sops.yaml`.
  - Get the public key with `$ age-keygen -y ~/.config/sops/age/keys.txt`
  - Write the public key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $PUBKEY`
- Write `- *admin_$USER` under the `age:` (or `pgp:`) list of the appropriate `key_groups:` entry for every secrets file the user should have access to
- `cd machines/` and re-encrypt the existing secrets for the new key with `sops updatekeys $path/to/secrets.yaml`. Run this once per secrets file: the new key cannot decrypt a file until it has been re-encrypted, and you need a key that already decrypts the file to do so.

## How to add host keys

If a new host is created we have to add its age key to the sops config. Do the following:

```bash
# ssh into the host and run:
nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
# add a new host entry with the output of that command to /machines/.sops.yaml
```
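The two sections above describe the same `.sops.yaml` edits from the admin and from the host side without showing the file. Below is an added example of what the result looks like; it is not this repository's actual config, and the user names, host name, path regex and key values are made up placeholders (the age keys are syntactically shaped like real ones but are not valid keys).

```yaml
# .sops.yaml (added example with made-up names and keys, not the repository's own file)
keys:
  # Admin keys. The "&name" defines a YAML anchor that is referenced below with "*name".
  # A GPG key is listed by its 40-character fingerprint ...
  - &admin_alice 1D8A3B61E2B50B2B91FA1B0B7A9CF1C6D3E4F5A6
  # ... and an age key by the public key printed by `age-keygen -y ~/.config/sops/age/keys.txt`.
  - &admin_bob age1qyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqs3290gq
  # Host keys: the output of `ssh-to-age` run over /etc/ssh/ssh_host_ed25519_key.pub on the host.
  # Only the host's public key is needed here; its private key never leaves the host.
  - &host_web1 age1zqgpqyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqszqgpqyq5mh7w

creation_rules:
  # Which secrets file a rule applies to is selected by path_regex.
  - path_regex: secrets/web1\.yaml$
    key_groups:
      # One group: every key listed in it can decrypt the file on its own.
      - pgp:
          - *admin_alice
        age:
          - *admin_bob
          - *host_web1
```

After adding an alias to a rule, run `sops updatekeys machines/secrets/web1.yaml` from a machine that already holds one of the listed keys; the file's data key is decrypted with that key and re-encrypted for the new set. A mistyped `*alias` that has no matching `&anchor` is a YAML error, so sops refuses the file rather than silently dropping the key. Note that all keys within one `key_groups` entry can decrypt independently; requiring several keys together is a separate sops feature (multiple groups with `shamir_threshold`), which this config does not use.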