# sops creation/decryption rules. # # Recipients listed here decide who can decrypt each key in # nix/secrets/secrets.yaml. Each host gets only the keys it actually needs; # every developer who edits secrets is also a recipient on the matching key. # # Hosts derive their age identity from /etc/ssh/ssh_host_ed25519_key via # ssh-to-age. Run `nix run nixpkgs#ssh-to-age -- < /etc/ssh/ssh_host_ed25519_key.pub` # on each host to get its age pubkey, then paste it below. keys: # ---- developers (laptops, hardware keys) ---- - &dev_lars age1cx8ul285kjkzmnhw6skdstnzrxnnme4xkflknzn7yhv52fgxqevqkd66cn # ---- hosts (derived from each host's ssh_host_ed25519_key.pub via ssh-to-age) ---- - &host_db age1wpl3vz60tlt880p5fmfedr8c59dm4kf0czsacv0w5my706twuf5q9p0x43 - &host_app age1g57pznep69nlyv3sltz6k0sml47v68m03gh68jkqwcq4jdx68vtsvnefq0 - &host_ingest age190gu75rf3ra89mhk27xe3tv87tad087altqhugjlhkerqwe2jfqsnu738d creation_rules: # Supabase compose stack → app-host only. - path_regex: nix/secrets/secrets\.yaml$ encrypted_regex: ^(supabase_|ingester_|postgres_admin_|emqx_) key_groups: - age: - *dev_lars - *host_db - *host_app - *host_ingest # NOTE: a single key_group above lets every recipient decrypt every key. # Per-host filtering will be tightened to one rule per prefix once real age # pubkeys land — see nix/secrets/README.md for the rotation/bootstrap flow.