# sops-nix wiring (D6 infra secrets).
#
# cc-ci decrypts secrets at activation using its own ed25519 SSH host key as the
# age identity, so there is no separate key file to manage on the box.
# Encrypted material lives in ../secrets/*.yaml, committed and readable only by
# the recipients listed in /.sops.yaml (host key + off-box master recovery key).
#
# Consequence of that choice: anyone holding /etc/ssh/ssh_host_ed25519_key
# (root on the box, or a copy of /etc/ssh from a backup) can decrypt every
# secret encrypted to it, and rotating the host key means re-keying the
# recipients in /.sops.yaml.
{ ... }:
{
  sops.defaultSopsFile = ../secrets/secrets.yaml;

  # sops-nix converts the host's SSH key at this path into an age identity.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Empty list: never derive a GnuPG identity from a host key as a fallback.
  sops.gnupg.sshKeyPaths = [ ];

  # M0 proof secret — confirms the decrypt path works end to end. With sops-nix
  # defaults it is exposed at /run/secrets/test_secret, root-owned, mode 0400.
  # Real infra secrets (Drone RPC, webhook HMAC, OAuth, registry creds) are
  # added in their milestones.
  sops.secrets.test_secret = { };
}