feat: try rework

secrets/README.md

@@ -0,0 +1,56 @@
+# Encrypted Secrets
+
+This directory is intended for encrypted secret files managed with sops.
+
+Phase 1 notes:
+- Keep encrypted files in git under `secrets/`.
+- Do not commit plaintext secret material.
+- Update `.sops.yaml` recipients before creating real secrets.
+
+Typical next step:
+1. Set real age recipients in `.sops.yaml`.
+2. Fill the template YAML files with real secret values.
+3. Encrypt them in place using `sops`.
+
+## Phase 3 expected file
+
+Create these encrypted files:
+
+- `secrets/autossh/remote_proxy_key`
+- `secrets/autossh/remote_proxy_known_hosts`
+- `secrets/openssh/authorized_keys`
+
+Expected YAML keys:
+
+- `qbittorrent.vpn.username`
+- `qbittorrent.vpn.password`
+
+These are materialized at runtime to:
+
+- `/run/secrets/autossh/remote_proxy_key`
+- `/run/secrets/autossh/remote_proxy_known_hosts`
+- `/run/secrets/openssh_authorized_keys`
+
+File secrets are stored as encrypted whole files, so the decrypted runtime content is exactly the file body. That is the right choice for bigger files like SSH private keys and known_hosts files.
+
+`config/secrets.nix` is the source of truth for the tree, and `config/sops.nix` is derived from it.
+
+## How to encrypt them
+
+Fill in the placeholders, then run:
+
+```bash
+sops -e -i secrets/autossh/remote_proxy_key
+sops -e -i secrets/autossh/remote_proxy_known_hosts
+sops -e -i secrets/openssh/authorized_keys
+```
+
+For scalar secrets such as `secrets/qbittorrent/vpn.yaml`, use the same command and keep the YAML structure.
+
+## Template files to fill
+
+- `secrets/autossh/remote_proxy.yaml`
+- `secrets/qbittorrent/vpn.yaml`
+- `secrets/openssh/authorized_keys.yaml`
+
+After editing, encrypt each file in place with `sops -e -i <file>`.