docs: init secrets

Author: GovanifY

docs/secrets.txt

@@ -0,0 +1,18 @@
+navi's secret handling setup
+
+navi's security model around secrets is composed of two distinct secret handling
+mechanisms. As they can be layered, we will call them layer01 and layer02.
+
+layer01 is git-crypt. It allows for public viewing of the infrastructure and
+uploading of secrets, including nix files, without them being compromised, all
+the while storing its versioning history. It also allows per machine, or groups of
+machines for that matter, setup of keys: this way only approved machines will be
+able to learn about the secret infrastructure of others, while still being able
+to decrypt its own.
+
+
+layer02 is agenix. Its purpose is different than git-crypt: NixOS, by design,
+needs to allow world readability on its store files, which can contain built
+assets of secrets by layer01. This is obviously unwanted in a case where, eg, a
+private ssh key is stored and can be used as an LPE mechanism by simply reading
+the /nix/store. This uses ssh keys.