Host decrypts /run/secrets/test_secret via its ssh host key (age identity); off-box master recovery recipient. sops-nix pinned to a buildGoModule-era rev for nixpkgs 24.11 compat. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
19 lines
831 B
Nix
# sops-nix wiring (D6 infra secrets). cc-ci decrypts secrets at activation using its own
# ed25519 SSH host key as the age identity (no separate key file to manage on the box).
# Encrypted material lives in ../secrets/*.yaml, committed and readable only by recipients
# listed in /.sops.yaml (host key + off-box master recovery key).
{ ... }:

{
  sops = {
    defaultSopsFile = ../secrets/secrets.yaml;

    # Decrypt using the host's SSH host key (converted to an age identity by sops-nix).
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

    # Do not also import the RSA host key into a GnuPG keyring (sops-nix's default for
    # gnupg.sshKeyPaths when openssh is enabled); this host only uses the age path.
    gnupg.sshKeyPaths = [ ];

    # M0 proof secret — confirms the decrypt path works end to end. Real infra secrets
    # (Drone RPC, webhook HMAC, OAuth, registry creds) are added in their milestones.
    # With no options set, sops-nix places it at /run/secrets/test_secret, owner root,
    # group root, mode 0400.
    secrets.test_secret = { };
  };
}
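The module above only proves that the host can decrypt. As an added example (not code from this repository or from sops-nix itself), here is how one of the real secrets the comment anticipates would be declared on top of that wiring: scoped to a service user instead of root, restarted on rotation, and handed to the unit as a systemd credential rather than an environment variable. The file `../secrets/drone.yaml`, the nested YAML key `drone.rpc_secret`, the `drone` user and the `drone-server.service` unit are assumed names for illustration.

```nix
# Added example, not part of the repository. Assumes a `drone` user exists and a
# `drone-server.service` unit is defined elsewhere; both names are hypothetical.
{ config, ... }:

{
  # A slash in the attribute name makes sops-nix read the nested key
  # drone -> rpc_secret from the YAML file, and place the decrypted value at
  # /run/secrets/drone/rpc_secret.
  sops.secrets."drone/rpc_secret" = {
    # Separate file from secrets.yaml so the .sops.yaml creation rule for this
    # path can carry exactly the recipients that need it.
    sopsFile = ../secrets/drone.yaml;

    # Readable by the service user only; root-owned 0400 (the default) would
    # force the service to run as root or read the file via a root helper.
    owner = "drone";
    group = "drone";
    mode = "0400";

    # Re-encrypting drone.yaml and rebuilding restarts the consumer, so a rotated
    # RPC secret takes effect without a manual restart.
    restartUnits = [ "drone-server.service" ];
  };

  systemd.services.drone-server.serviceConfig = {
    # Pass the decrypted file as a systemd credential. The value then lives only
    # under $CREDENTIALS_DIRECTORY for this unit instead of in Environment=,
    # where `systemctl show` would expose it to anyone who can query the unit.
    LoadCredential = [
      "rpc_secret:${config.sops.secrets."drone/rpc_secret".path}"
    ];
  };
}
```

Two caveats that belong with this pattern: the host's recipient in `/.sops.yaml` must be derived from the host's public key (`ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub`), so the private host key never leaves the box, and whenever a recipient is added or removed every affected file has to be re-encrypted (`sops updatekeys`) or the new recipient still cannot read it. The off-box master recovery key can decrypt everything in `../secrets/`, so it needs the same handling as a root credential.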