firefox-syncserver: init
This commit is contained in:
@@ -98,6 +98,7 @@ Each service file in `services/` follows this structure:
|
||||
- **git-crypt**: `secrets/` directory and `usb-secrets/usb-secrets-key*` are encrypted (see `.gitattributes`)
|
||||
- **agenix**: secrets declared in `modules/age-secrets.nix`, decrypted at runtime to `/run/agenix/`
|
||||
- **Identity**: USB drive at `/mnt/usb-secrets/usb-secrets-key`
|
||||
- **Encrypting new secrets**: The agenix encryption key is in `usb-secrets/usb-secrets-key` (SSH private key, git-crypt encrypted). To create a new secret: derive the age public key with `ssh-keygen -y -f usb-secrets/usb-secrets-key | ssh-to-age`, then encrypt with `age -r <public-key> -o secrets/<name>.age`.
|
||||
- Never read or commit plaintext secrets. Never log secret values.
|
||||
|
||||
### Important Patterns
|
||||
|
||||
Reference in New Issue
Block a user