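---
# sops creation rules.
#
# Recipients:
#   host   — cc-ci's age key, derived from its ed25519 SSH host key (ssh-to-age).
#            Used at activation to decrypt into /run/secrets
#            (sops-nix, age.sshKeyPaths).
#            The age identity is derived from the SSH host key, so regenerating
#            that host key changes this recipient: update it here and re-key.
#   master — off-box recovery/admin key; private half lives ONLY on the build
#            host at /srv/cc-ci/.sops/master-age.txt (never in this repo).
#            Lets us re-key if cc-ci is lost.
#
# Only age PUBLIC keys (age1...) belong in this file.
#
# Editing the recipient list affects newly created files only. Existing files
# keep their old recipients until re-keyed with `sops updatekeys <file>`.
# A removed recipient can still decrypt older revisions kept in version
# control, so rotate the secret values as well when dropping a key.
keys:
  - &host age1h90utdztfc23kx8ewrtrtk80mnddvrf8pg4ppej55rwwwupzhfvqhmp3qa
  - &master age1cmk26t9e30ls8594s8txgmf2exenydmntfxqpcd3qdqm3ru2lpnqpdkdz9

creation_rules:
  # The pattern has no leading ^, so it matches any path that contains
  # "secrets/" and ends in .yaml, .json or .env, at any depth.
  # NOTE(review): files in other locations or with other extensions match no
  # rule here; confirm sops refuses to encrypt them rather than choosing
  # recipients some other way.
  - path_regex: 'secrets/.*\.(yaml|json|env)$'
    key_groups:
      # One key group holding both recipients: either key alone can decrypt.
      # There is no threshold between host and master.
      - age:
          - *host
          - *master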