M0 complete: sops-nix wiring + decrypt-a-test-secret; M0 gate CLAIMED

Host decrypts /run/secrets/test_secret via its ssh host key (age identity); off-box master recovery recipient. sops-nix pinned to a buildGoModule-era rev for nixpkgs 24.11 compat. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-26 21:41:45 +01:00
parent 9bffb55b28
commit deb4a0fbed
12 changed files with 154 additions and 11 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,14 @@
+# sops creation rules. Recipients:
+#   host   — cc-ci's age key, derived from its ed25519 SSH host key (ssh-to-age).
+#            Used at activation to decrypt into /run/secrets (sops-nix, age.sshKeyPaths).
+#   master — off-box recovery/admin key; private half lives ONLY on the build host at
+#            /srv/cc-ci/.sops/master-age.txt (never in this repo). Lets us re-key if cc-ci is lost.
+keys:
+  - &host   age1h90utdztfc23kx8ewrtrtk80mnddvrf8pg4ppej55rwwwupzhfvqhmp3qa
+  - &master age1cmk26t9e30ls8594s8txgmf2exenydmntfxqpcd3qdqm3ru2lpnqpdkdz9
+creation_rules:
+  - path_regex: secrets/.*\.(yaml|json|env)$
+    key_groups:
+      - age:
+          - *host
+          - *master