From f51316ee524bea74abfaef4ffb84805c1ec8abf3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Thu, 20 Aug 2020 11:01:23 +0100 Subject: [PATCH] README: initrd secrets, real-world examples --- README.md | 32 +++++++++++++++++++++++--------- 1 file changed, 23 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 81af100..62b1ecd 100644 --- a/README.md +++ b/README.md @@ -121,7 +121,6 @@ If you use experimental nix flakes support: } ``` - ### 2. Generate a GPG key for yourself First generate yourself [a GPG key](https://docs.github.com/en/github/authenticating-to-github/generating-a-new-gpg-key) or use nix-sops @@ -444,7 +443,6 @@ the service needs a token and a ssh private key to function: } ``` - ## Symlinks to other directories Some services might expect files in certain locations. @@ -465,7 +463,6 @@ $ ls -la /var/lib/hass/secrets.yaml lrwxrwxrwx 1 root root 40 Jul 19 22:36 /var/lib/hass/secrets.yaml -> /run/secrets/home-assistant-secrets.yaml ``` - ## Different file formats At the moment we support the following file formats: YAML, JSON, binary @@ -504,7 +501,6 @@ nix-sops allows to specify multiple sops files in different file formats: } ``` - ### YAML Open a new file with sops ending in `.yaml`: @@ -616,7 +612,6 @@ This is how it can be included in your configuration.nix: } ``` - ## Use with GnuPG instead of ssh keys If you prefer having a separate GnuPG key, sops-nix also comes with a helper tool: @@ -686,10 +681,6 @@ example the `drone` secret is exposed as `/run/secrets/drone-server` for } ``` -## Restart/Reload systemd services - -TODO - ## Migrate from pass/krops If you have used [pass](https://www.passwordstore.org) before i.e. in [krops](https://github.com/krebs/krops) than you can use 
@@ -700,3 +691,26 @@ $ for i in *.gpg; do echo "$(basename $i .gpg): |\n$(pass $(dirname $i)/$(basena ``` Copy the output to the editor you have opened with sops. + +## Realworld Examples + +My [personal configuration](https://github.com/Mic92/dotfiles/tree/master/nixos) makes extensive usage of sops-nix. +Each host has a [secrets](https://github.com/Mic92/dotfiles/tree/master/nixos/eve/secrets) directory containing secrets for the host. + +## Known limitations + +### Restarting systemd services + +Right now systemd services are not restarted automatically. +We want to implement this in future. + +### Initrd secrets + +sops-nix does not fully support initrd secrets. +This is because `nixos-rebuild switch` installs +the bootloader before running sops-nix activation hook. +At the moment it is be possible to run `nixos-rebuild test` +before `nixos-rebuild switch` to provision initrd secrets key +before the initrd secrets are built. +In future we hope to extend nixos to allow keys to be +provisioned in the bootloader install phase.
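Review bot: the blank line between a closing ``` fence and the following heading is dropped in the `@@ -121,7` hunk (and likewise in the `-444`, `-465`, `-504` and `-616` hunks). GitHub renders this fine, but common Markdown linters flag fences and headings that are not surrounded by blank lines, and the rest of README.md keeps that spacing, so this makes the file inconsistent with itself; unless the removals are deliberate, keep the blank lines.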
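Review bot: removing the `## Restart/Reload systemd services` heading in the `@@ -686,10` hunk changes the heading anchor, so any existing link to that section of the README stops resolving. The replacement `### Restarting systemd services` under "Known limitations" is the better home for it, but consider noting the move in the commit message or keeping the old heading text so the anchor survives.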
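Review bot: wording fixes needed in the `@@ -700,3` hunk: "Realworld Examples" should read "Real-world Examples", "makes extensive usage of" should be "makes extensive use of", "it is be possible" should be "it is possible", "nixos" should be spelled "NixOS", and "In future" should be "In the future". More importantly for readers relying on the initrd workaround, the paragraph should say why the `nixos-rebuild test` / `nixos-rebuild switch` order works: `test` runs the sops-nix activation hook (provisioning the key) without installing the bootloader, so the subsequent `switch` builds the initrd with the key already in place. As written, a reader could reverse the two commands and end up with an initrd built before the key exists, which is exactly the failure the section is describing.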