Johannes Kirschbauer
2025-09-17 14:32:46 +02:00
parent ae28196039
commit be4cd657c9
79 changed files with 19525 additions and 88 deletions


@@ -17,7 +17,7 @@ Clan can also be configured to be used with other secret store [backends](../ref
To get started, you'll need to create **your admin keypair**.
!!! info
:::info
Don't worry — if you've already made one before, this step won't change or overwrite it.
```bash
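Review bot: the `:::info` opener introduced here has no visible closing `:::` after "Don't worry ..." before the ```bash block, and only the last hunk of this commit (the `:::caution` one) shows a closing marker being added. MkDocs `!!!` admonitions were delimited by indentation, but a `:::` container is not, so without an explicit close the following code block and the rest of the section are rendered inside the info box. Please confirm a `:::` line is present in the context outside this hunk.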
@@ -33,7 +33,7 @@ Generated age private key at '/home/joerg/.config/sops/age/keys.txt' for your us
Also add your age public key to the repository with 'clan secrets users add YOUR_USER age1wkth7uhpkl555g40t8hjsysr20drq286netu8zptw50lmqz7j95sw2t3l7' (replace YOUR_USER with your actual username)
```
!!! warning
:::warning
Make sure to keep a safe backup of the private key you've just created.
If it's lost, you won't be able to get to your secrets anymore because they all need the admin key to be unlocked.
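Review bot: the `:::warning` body should name what to back up. The CLI output two lines above already says `Generated age private key at '/home/joerg/.config/sops/age/keys.txt'`, so "keep a safe backup of the private key you've just created" could point at that `keys.txt` file (or whatever `SOPS_AGE_KEY_FILE` points to, as the next section explains). As with the other converted admonitions, check that a closing `:::` follows the second sentence, since the `:::` container is not closed by indentation.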
@@ -47,7 +47,7 @@ Alternatively, you can provide your [age] secret key as an environment variable
using `SOPS_AGE_KEY_FILE`.
For more information see the [SOPS] guide on [encrypting with age].
!!! note
:::note
It's safe to add any secrets created by the clan CLI and placed in your repository to version control systems like `git`.
## Add Your Public Key(s)
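Review bot: the `:::note` body "It's safe to add any secrets created by the clan CLI ... to version control systems like `git`" should say why, namely that these files are sops-encrypted, and should contrast them with the age private key (`keys.txt`, or the file `SOPS_AGE_KEY_FILE` points to), which must never be committed. As written, a reader could take the note to mean that anything under the secrets directory is safe to push.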
@@ -68,7 +68,7 @@ sops/
```
If you followed the quickstart tutorial all necessary secrets are initialized at this point.
!!! note
:::note
You can add multiple age keys for a user by providing multiple `--age-key <your_public_key>` flags:
```console
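Review bot: the ```console example that follows `:::note` belongs inside the admonition. Under MkDocs it was indented into the note; a `:::` container has no indentation rule, so the closing `:::` has to come after the fenced block, otherwise the example renders outside the note (or, if `:::` was placed before the fence, the note loses its example). Check where the close landed in the lines after this hunk.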
@@ -260,7 +260,7 @@ The secrets system conceptually knows two different entities:
**A machine** Can decrypt secrets that where encrypted specifically for that machine.
!!! Danger
:::Danger
**Always make sure at least one _User_ has access to a secret**. Otherwise you could lock yourself out from accessing the secret.
### Inherited implications
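Review bot: `:::Danger` should almost certainly be `:::danger`. The `:::` admonition keywords are lowercase and matched literally, whereas MkDocs lowercased the `!!! Danger` type, which is why the capitalised form worked before; the last hunk of this commit already maps `!!! Important` to a valid lowercase keyword, so this one looks like an oversight. While touching this block, "secrets that where encrypted" in the machine entity line should read "were encrypted".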
@@ -275,8 +275,9 @@ By default clan uses [sops](https://github.com/getsops/sops) through [sops-nix](
- **Machine key-pairs are auto-generated**: When a machine is created **no user-interaction is required** to setup public/private key-pairs.
- **secrets are re-encrypted**: In case machines, users or groups are modified secrets get re-encrypted on demand.
!!! Important
After revoking access to a secret you should also change the underlying secret. i.e. change the API key, or the password.
:::caution
After revoking access to a secret you should also change the underlying secret. i.e. change the API key, or the password.
:::
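Review bot: if the target renderer is Docusaurus 3, `caution` is deprecated in favour of `warning`, and the page already uses `:::warning` for the backup note, so `:::warning` would be the consistent choice here; check which keyword the renderer expects. The body should also read "e.g. change the API key, or the password" rather than "i.e.", since the API key and password are examples of the underlying secret, not a restatement of it. Unrelated to this hunk's change but visible in its context, "**secrets are re-encrypted**" is the only lowercase bullet lead in that list.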
---