# sops creation/decryption rules. # # Recipients listed here decide who can decrypt each key in # nix/secrets/secrets.yaml. Each host gets only the keys it actually needs; # every developer who edits secrets is also a recipient on the matching key. # # Hosts derive their age identity from /etc/ssh/ssh_host_ed25519_key via # ssh-to-age. Run `nix run nixpkgs#ssh-to-age -- < /etc/ssh/ssh_host_ed25519_key.pub` # on each host to get its age pubkey, then paste it below. keys: # ---- developers (laptops, hardware keys) ---- - &dev_lars age1TODO_lars_personal_age_pubkey_replace_me_before_first_real_secret # ---- hosts (derived from each host's ssh_host_ed25519_key.pub via ssh-to-age) ---- - &host_db age1TODO_db_host_age_pubkey_replace_me - &host_app age1TODO_app_host_age_pubkey_replace_me - &host_ingest age1TODO_mqtt_ingest_host_age_pubkey_replace_me creation_rules: # Supabase compose stack → app-host only. - path_regex: nix/secrets/secrets\.yaml$ encrypted_regex: ^(supabase_|ingester_|postgres_admin_) key_groups: - age: - *dev_lars - *host_db - *host_app - *host_ingest # NOTE: a single key_group above lets every recipient decrypt every key. # Per-host filtering will be tightened to one rule per prefix once real age # pubkeys land — see nix/secrets/README.md for the rotation/bootstrap flow.