nixos-config/.sops.yaml

---
keys:
  - &christoph_trek age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
  - &christoph_zero age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
  - &christoph_maui age1ul99nmekam6rs9fpjka32aaxmnjq0p3a8x8drzxwtxa4g2u23anq6p2g6s
  # generate with: `ssh <machine> 'sudo cat /etc/ssh/ssh_host_ed25519_key.pub' | nix run nixpkgs#ssh-to-age`
  - &machine_tank age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh
  - &machine_fort age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2
  - &machine_zero age1xdd0mzt7mhr30rzvt34ygxurlvdvs53svg7lxd6843lx83vy0guqew578d

creation_rules:
  - path_regex: secrets/sops/(acme|restic)\.yaml
    key_groups:
      - age:
          - *christoph_trek
          - *christoph_zero
          - *christoph_maui
          - *machine_tank
          - *machine_fort
  - path_regex: secrets/sops/(grafana|home-assistant|navidrome|sourcehut|tank|vaultwarden)\.yaml
    key_groups:
      - age:
          - *christoph_trek
          - *christoph_zero
          - *christoph_maui
          - *machine_tank
  - path_regex: secrets/sops/(alertmanager|fort|matrix-hookshot|wireguard)\.yaml
    key_groups:
      - age:
          - *christoph_trek
          - *christoph_zero
          - *christoph_maui
          - *machine_fort
  - path_regex: secrets/sops/zero\.yaml
    key_groups:
      - age:
          - *christoph_trek
          - *christoph_zero
          - *christoph_maui
          - *machine_zero