Files
Gebos/.sops.yaml
T
2026-06-29 17:22:43 +02:00

34 lines
1.4 KiB
YAML

# sops creation/decryption rules.
#
# Recipients listed here decide who can decrypt each key in
# nix/secrets/secrets.yaml. Each host gets only the keys it actually needs;
# every developer who edits secrets is also a recipient on the matching key.
#
# Hosts derive their age identity from /etc/ssh/ssh_host_ed25519_key via
# ssh-to-age. Run `nix run nixpkgs#ssh-to-age -- < /etc/ssh/ssh_host_ed25519_key.pub`
# on each host to get its age pubkey, then paste it below.
keys:
# ---- developers (laptops, hardware keys) ----
- &dev_lars age1cx8ul285kjkzmnhw6skdstnzrxnnme4xkflknzn7yhv52fgxqevqkd66cn
# ---- hosts (derived from each host's ssh_host_ed25519_key.pub via ssh-to-age) ----
- &host_db age1wpl3vz60tlt880p5fmfedr8c59dm4kf0czsacv0w5my706twuf5q9p0x43
- &host_app age1g57pznep69nlyv3sltz6k0sml47v68m03gh68jkqwcq4jdx68vtsvnefq0
- &host_ingest age190gu75rf3ra89mhk27xe3tv87tad087altqhugjlhkerqwe2jfqsnu738d
creation_rules:
# Supabase compose stack → app-host only.
- path_regex: nix/secrets/secrets\.yaml$
encrypted_regex: ^(supabase_|ingester_|postgres_admin_|hivemq_)
key_groups:
- age:
- *dev_lars
- *host_db
- *host_app
- *host_ingest
# NOTE: a single key_group above lets every recipient decrypt every key.
# Per-host filtering will be tightened to one rule per prefix once real age
# pubkeys land — see nix/secrets/README.md for the rotation/bootstrap flow.