# Secrets

Encrypted with [sops](https://github.com/getsops/sops) using the
host's age key.

## First-time setup on the server

1. Generate an age key for the host:
   ```
   sudo mkdir -p /var/lib/sops-nix
   sudo age-keygen -o /var/lib/sops-nix/key.txt
   sudo chmod 600 /var/lib/sops-nix/key.txt
   ```
2. Read the public key:
   ```
   sudo grep "public key" /var/lib/sops-nix/key.txt
   ```
3. On a workstation, put that public key into `.sops.yaml` at
   the repo root and encrypt `tide.yaml.example` into
   `tide.yaml`.

`tide.yaml` is encrypted and committed. `tide.yaml.example` is
the plaintext template.