From ca2d8184118062e94dcb02d04e2e690b6ddef211 Mon Sep 17 00:00:00 2001 From: Gabriel Arazas Date: Sun, 15 Jan 2023 13:40:08 +0800 Subject: [PATCH] docs: add section for things that should be absent in the project README --- README.adoc | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/README.adoc b/README.adoc index 9c2ac289..f99dd8d1 100644 --- a/README.adoc +++ b/README.adoc 
@@ -135,6 +135,33 @@ Nothing special here. There's no use for anyone else, really. :( +=== What should not be here? + +Despite being a NixOS configuration, this is not meant to be fully reproducible by anyone. +There are still some things that would need to be privately held such as the following list of things not visible here. + +- Associated private keys: GPG, SSH, age, you name it. +They are used with a secret management tool (see <> for more information) to encrypt the more sensitive parts of the system such as credentials and environment files. + +- Disposable hosts configurations. +They will typically just make a messier mess than the current situation. + +Though the unreproducible part is only like 10% of the whole configuration, it can be successfully deployed by anyone. +Keep in mind, it comes with a few restrictions due to the lack of the appropriate credentials. + +- Certain tasks will not start. +Most of the project tasks found in this repo requires the associated private key with the task which are not found in this repo. +This is locked behind a secrets management tool. +An example would be the link:./modules/nixos/tasks/backup-archive[Borg backup task] where it needs several files and credentials locked from the secrets management tool. + +- Certain components will be missing. +Most notably, the associated SSH key for the hosts. +You won't be able to connect to the host if you don't have the private key. + +- Not to mention not all modules listed committed here are up-to-date. +Though this only applies to non-critical services like the link:./modules/nixos/tasks/multimedia-archive[multimedia archiving service]. + + === The remote repo For a complete overkill, we use a CI to further the configuration abomination. 
@@ -201,6 +228,7 @@ It is exported in the flakes at `outputs.homeConfigurations`. For more information, see the link:./users/README.adoc[related documentation]. +[#secrets-management] === Secrets management This repo uses link:https://github.com/mozilla/sops[sops] as the main secret management tool.
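Review bot: in the first hunk the cross-reference in the private-keys bullet reads `see <> for more information` with no visible target, and the sentence `Most of the project tasks found in this repo requires the associated private key with the task which are not found in this repo.` has mismatched number (tasks/requires, key/which are); confirm the xref points at the `secrets-management` anchor added in the second hunk and reword the sentence to something like `Most of the project tasks in this repo require a private key that is not found in this repo.` Two more wording points in the same hunk: `it can be successfully deployed by anyone` has an ambiguous subject after the 10% clause (say `the remaining configuration can still be deployed by anyone`), and `not all modules listed committed here are up-to-date` should drop one of `listed`/`committed`. On substance, the `Disposable hosts configurations` bullet does not say what makes them disposable or why they are kept out, and since the section's reassurance that the repo is safe to deploy rests on the keys never entering the repo, it is worth saying explicitly next to the private-key bullet that only the encrypted form produced with the secrets tool is committed.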
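Review bot: the explicit `[#secrets-management]` anchor in the second hunk is the right choice over the auto-generated id (`_secrets_management` under AsciiDoc defaults), which would silently change if the heading were reworded and break the xref from the new section; the only thing to check is that the xref in the first hunk uses this exact id.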