Host decrypts /run/secrets/test_secret via its ssh host key (age identity); off-box master recovery recipient. sops-nix pinned to a buildGoModule-era rev for nixpkgs 24.11 compat. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
15 lines
681 B
YAML
```yaml
# sops creation rules. Recipients:
#   host   — cc-ci's age key, derived from its ed25519 SSH host key (ssh-to-age).
#            Used at activation to decrypt into /run/secrets (sops-nix, age.sshKeyPaths).
#   master — off-box recovery/admin key; private half lives ONLY on the build host at
#            /srv/cc-ci/.sops/master-age.txt (never in this repo). Lets us re-key if cc-ci is lost.

keys:
  - &host age1h90utdztfc23kx8ewrtrtk80mnddvrf8pg4ppej55rwwwupzhfvqhmp3qa
  - &master age1cmk26t9e30ls8594s8txgmf2exenydmntfxqpcd3qdqm3ru2lpnqpdkdz9

creation_rules:
  - path_regex: secrets/.*\.(yaml|json|env)$
    key_groups:
      - age:
          - *host
          - *master
```
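A policy check over this `.sops.yaml`, added here as an example and not part of the commit: it confirms that every secret path is covered by a creation rule, that non-secret paths are not, and that every rule still carries the off-box `master` recipient (otherwise a secret becomes unrecoverable if cc-ci is lost). It operates on the parsed form of the file (anchors resolved, as `yaml.safe_load` would produce), embedded inline so it runs offline; the function names and sample paths are this example's own.

```python
import re

# Parsed form of the .sops.yaml above, with the &host/&master anchors already
# resolved. Constructed inline for this example.
HOST = "age1h90utdztfc23kx8ewrtrtk80mnddvrf8pg4ppej55rwwwupzhfvqhmp3qa"
MASTER = "age1cmk26t9e30ls8594s8txgmf2exenydmntfxqpcd3qdqm3ru2lpnqpdkdz9"
SOPS_CONFIG = {
    "keys": [HOST, MASTER],
    "creation_rules": [
        {
            "path_regex": r"secrets/.*\.(yaml|json|env)$",
            "key_groups": [{"age": [HOST, MASTER]}],
        }
    ],
}


def matching_rule(cfg, path):
    """Return the first creation rule whose path_regex matches `path`.
    sops applies the regex as an unanchored search on the path relative
    to the directory holding .sops.yaml, so re.search mirrors that."""
    for rule in cfg.get("creation_rules", []):
        if re.search(rule.get("path_regex", ""), path):
            return rule
    return None


def age_recipients(rule):
    """Flatten the age recipients across all key_groups of one rule."""
    return [r for g in rule.get("key_groups", []) for r in g.get("age", [])]


def audit(cfg, recovery_key, must_match, must_not_match):
    """Policy check. Returns a list of findings; an empty list means the
    config covers every secret path, excludes the listed non-secret paths,
    and keeps the recovery recipient on every rule."""
    findings = []
    for p in must_match:
        if matching_rule(cfg, p) is None:
            findings.append(f"no creation rule covers {p}")
    for p in must_not_match:
        if matching_rule(cfg, p) is not None:
            findings.append(f"a creation rule unexpectedly covers {p}")
    for i, rule in enumerate(cfg.get("creation_rules", [])):
        if recovery_key not in age_recipients(rule):
            findings.append(f"rule {i} lacks the recovery recipient")
    return findings
```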