# Secrets ```mermaid flowchart LR StackRepo[Stack repo secrets/] --> SOPS[SOPS ciphertext] SOPS -->|age recipient| HostKey["/etc/charlie/age.key"] HostKey --> Deploy[Deploy on target host] Deploy --> Plaintext["Plaintext env/config"] Plaintext --> Compose[docker compose] ``` | Area | Current state | | -------------- | -------------------------------------------------------- | | Stack secrets | SOPS-encrypted files under each stack repo's `secrets/`. | | Decryption | Target host decrypts with `/etc/charlie/age.key`. | | Admin recovery | Admin age key listed in every relevant `.sops.yaml`. | | Human vault | Vaultwarden stores human-facing secrets and PAT notes. | | Plaintext | Deploy-time only; ignored by Git. | ## Key material | Secret/key | Owner | Location | | -------------------------- | --------------- | ------------------------------------------------------------------------------------------------------------------ | | Host age private key | each host | `/etc/charlie/age.key` | | Host age public key | docs | [hosts](https://gitea.alexandru.macocian.me/Charlie/project-charlie/src/branch/main/docs/hosts.md#sops-recipients) | | Admin age private key | operator | vaultwarden Secure Note `Charlie SOPS admin age key` | | Registry RO PAT ciphertext | project-charlie | inline in `deploy-stack.yml` | ## PATs | Identity | Scope | Used for | | ------------------ | ----------------- | ------------------------------------------ | | `sys-gitea-runner` | `read:repository` | workflow/action fetches and host Git sync. | | `sys-gitea-runner` | `read:package` | registry pulls during deploy. | | `sys-host-` | `read:repository` | host-local root Git operations. | | `sys-host-` | `read:package` | host-local root registry pulls. | | caller user/org | `read:repository` | source-repo build workflow fetch/clone. | | caller user/org | `write:package` | source-repo image push. | Registry and repo credentials are separate on purpose.