From 434ee6c8b69eb8a82ead0c37aa12a28c9f8fd845 Mon Sep 17 00:00:00 2001
From: Superredstone
Date: Wed, 4 Mar 2026 22:55:20 +0100
Subject: [PATCH] docs(secrets): add secrets

---
 README.md | 3 ++-
 secrets/README.md | 21 +++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 secrets/README.md

diff --git a/README.md b/README.md
index e3acc7b..131cb80 100644
--- a/README.md
+++ b/README.md
@@ -20,7 +20,8 @@ git clone git@github.com:Superredstone/nixos.git ~/.nixos && cd .nixos
 ];
 }
 ```
-5) Switch to the new configuration
+5) Follow `secrets/README.md`
+6) Switch to the new configuration
 ```bash
 HOSTNAME=HOSTNAME just switch
 ```
diff --git a/secrets/README.md b/secrets/README.md
new file mode 100644
index 0000000..00021e1
--- /dev/null
+++ b/secrets/README.md
@@ -0,0 +1,21 @@
+# Secrets
+
+## Add a new machine
+1) Obtain an age identity
+```bash
+nix run nixpkgs#ssh-to-age -- \
+ -private-key \
+ -i $HOME/.ssh/id_ed25519 \
+ -o $HOME/.config/sops/age/keys.txt
+```
+
+2) Obtain age recipient for the machine
+```bash
+cat /etc/ssh/ssh_host_ed25519_key.pub | nix run nixpkgs#ssh-to-age | wl-copy
+```
+
+3) Paste obtained key into `.sops.yaml`
+4) Re-encrypt old files
+```bash
+sops updatekeys secrets/default.sops.yaml
+```