34 lines
1.4 KiB
YAML
34 lines
1.4 KiB
YAML
# sops creation/decryption rules.
|
|
#
|
|
# Recipients listed here decide who can decrypt each key in
|
|
# nix/secrets/secrets.yaml. Each host gets only the keys it actually needs;
|
|
# every developer who edits secrets is also a recipient on the matching key.
|
|
#
|
|
# Hosts derive their age identity from /etc/ssh/ssh_host_ed25519_key via
|
|
# ssh-to-age. Run `nix run nixpkgs#ssh-to-age -- < /etc/ssh/ssh_host_ed25519_key.pub`
|
|
# on each host to get its age pubkey, then paste it below.
|
|
|
|
keys:
|
|
# ---- developers (laptops, hardware keys) ----
|
|
- &dev_lars age1TODO_lars_personal_age_pubkey_replace_me_before_first_real_secret
|
|
|
|
# ---- hosts (derived from each host's ssh_host_ed25519_key.pub via ssh-to-age) ----
|
|
- &host_db age1TODO_db_host_age_pubkey_replace_me
|
|
- &host_app age1TODO_app_host_age_pubkey_replace_me
|
|
- &host_ingest age1TODO_mqtt_ingest_host_age_pubkey_replace_me
|
|
|
|
creation_rules:
|
|
# Supabase compose stack → app-host only.
|
|
- path_regex: nix/secrets/secrets\.yaml$
|
|
encrypted_regex: ^(supabase_|ingester_|postgres_admin_|hivemq_)
|
|
key_groups:
|
|
- age:
|
|
- *dev_lars
|
|
- *host_db
|
|
- *host_app
|
|
- *host_ingest
|
|
|
|
# NOTE: a single key_group above lets every recipient decrypt every key.
|
|
# Per-host filtering will be tightened to one rule per prefix once real age
|
|
# pubkeys land — see nix/secrets/README.md for the rotation/bootstrap flow.
|