Files
Gebos/.sops.yaml
Klaus 2dd5ed5877
check / flake-check (pull_request) Has been cancelled
Add sops-nix secrets + dev defaults so local stack runs with zero setup
- sops-nix flake input, age + ssh-to-age in devShell, .sops.yaml with
  per-host recipients (real pubkeys still TODO until lars bootstraps).
- nix/modules/gebos-secrets.nix centralises per-host secret subsets and
  renders /run/secrets/gebos-env via sops.templates. Service modules now
  read EnvironmentFile= from services.gebos.secrets.envFile instead of
  the placeholder /etc/gebos/secrets.env.
- Falls back to a writeText env file when nix/secrets/secrets.yaml is
  absent, so `nix flake check` and first-boot eval work pre-bootstrap.
- nix/secrets/README.md walks through age key + sops bootstrap.
- Dev defaults: ingester binary falls back to local tcp/postgres URLs,
  process-compose adds mosquitto and wires GEBOS_MQTT_BROKER /
  GEBOS_POSTGRES_URL / GEBOS_POSTGRES_PASSWORD + VITE_SUPABASE_URL /
  VITE_SUPABASE_ANON_KEY, frontend defaults to 127.0.0.1:8000 in DEV.

Refs #23 (comment #110).
2026-05-30 00:17:13 +00:00

34 lines
1.4 KiB
YAML

# sops creation/decryption rules.
#
# Recipients listed here decide who can decrypt each key in
# nix/secrets/secrets.yaml. Each host gets only the keys it actually needs;
# every developer who edits secrets is also a recipient on the matching key.
#
# Hosts derive their age identity from /etc/ssh/ssh_host_ed25519_key via
# ssh-to-age. Run `nix run nixpkgs#ssh-to-age -- < /etc/ssh/ssh_host_ed25519_key.pub`
# on each host to get its age pubkey, then paste it below.
keys:
# ---- developers (laptops, hardware keys) ----
- &dev_lars age1TODO_lars_personal_age_pubkey_replace_me_before_first_real_secret
# ---- hosts (derived from each host's ssh_host_ed25519_key.pub via ssh-to-age) ----
- &host_db age1TODO_db_host_age_pubkey_replace_me
- &host_app age1TODO_app_host_age_pubkey_replace_me
- &host_ingest age1TODO_mqtt_ingest_host_age_pubkey_replace_me
creation_rules:
# Supabase compose stack → app-host only.
- path_regex: nix/secrets/secrets\.yaml$
encrypted_regex: ^(supabase_|ingester_|postgres_admin_)
key_groups:
- age:
- *dev_lars
- *host_db
- *host_app
- *host_ingest
# NOTE: a single key_group above lets every recipient decrypt every key.
# Per-host filtering will be tightened to one rule per prefix once real age
# pubkeys land — see nix/secrets/README.md for the rotation/bootstrap flow.