34 lines
1.4 KiB
YAML
34 lines
1.4 KiB
YAML
# sops creation/decryption rules.
|
|
#
|
|
# Recipients listed here decide who can decrypt each key in
|
|
# nix/secrets/secrets.yaml. Each host gets only the keys it actually needs;
|
|
# every developer who edits secrets is also a recipient on the matching key.
|
|
#
|
|
# Hosts derive their age identity from /etc/ssh/ssh_host_ed25519_key via
|
|
# ssh-to-age. Run `nix run nixpkgs#ssh-to-age -- < /etc/ssh/ssh_host_ed25519_key.pub`
|
|
# on each host to get its age pubkey, then paste it below.
|
|
|
|
keys:
|
|
# ---- developers (laptops, hardware keys) ----
|
|
- &dev_lars age1cx8ul285kjkzmnhw6skdstnzrxnnme4xkflknzn7yhv52fgxqevqkd66cn
|
|
|
|
# ---- hosts (derived from each host's ssh_host_ed25519_key.pub via ssh-to-age) ----
|
|
- &host_db age1wpl3vz60tlt880p5fmfedr8c59dm4kf0czsacv0w5my706twuf5q9p0x43
|
|
- &host_app age1g57pznep69nlyv3sltz6k0sml47v68m03gh68jkqwcq4jdx68vtsvnefq0
|
|
- &host_ingest age190gu75rf3ra89mhk27xe3tv87tad087altqhugjlhkerqwe2jfqsnu738d
|
|
|
|
creation_rules:
|
|
# Supabase compose stack → app-host only.
|
|
- path_regex: nix/secrets/secrets\.yaml$
|
|
encrypted_regex: ^(supabase_|ingester_|postgres_admin_|emqx_)
|
|
key_groups:
|
|
- age:
|
|
- *dev_lars
|
|
- *host_db
|
|
- *host_app
|
|
- *host_ingest
|
|
|
|
# NOTE: a single key_group above lets every recipient decrypt every key.
|
|
# Per-host filtering will be tightened to one rule per prefix once real age
|
|
# pubkeys land — see nix/secrets/README.md for the rotation/bootstrap flow.
|