infra/.sops.yaml

# This example uses YAML anchors which allows reuse of multiple keys
# without having to repeat yourself.
# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
# for a more complex example.

# use `ssh-keyscan <IP> | ssh-to-age` to get the age key for a remote machine
# use `for file in $(grep -lr "sops:") secrets; do sops updatekeys -y $file; done` for updating
keys:
  - &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
  - &steveej-t14 age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
  - &steveej-x13s age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6
  - &elias-e525 age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm
  - &justyna-p300 age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8

  - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
  - &sj-srv1 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
  - &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
  # - &router0-dmz0 age1jetxwpmd9hc4crkjtrdle2qxn9dlq7vcmqhfslv0vlxctrk4u3xq8hcvkz
  - &router0-dmz0 age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86
  - &sj-bm-hostkey0  age1dw43sxtdxptzgyhsxhrj36x5gn7376gqk45t7wtyt3s97v7ux39sdmdd44
creation_rules:
  - path_regex: ^(.+/|)secrets/[^/]+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *steveej-t14
      - *steveej-x13s
      - *elias-e525
      - *justyna-p300

      - *srv0-dmz0
      - *router0-dmz0

      - *sj-vps-htz0
      - *sj-srv1
      - *sj-bm-hostkey0
  - path_regex: ^secrets/steveej-t14/.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *steveej-t14
  - path_regex: ^secrets/desktop/.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *steveej-t14
      - *steveej-x13s
  - path_regex: ^secrets/servers/.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *sj-vps-htz0
      - *sj-srv1
  - path_regex: ^nix/os/containers/.+_secrets.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *sj-vps-htz0
      - *sj-srv1
  - path_regex: ^secrets/holochain-infra/.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *srv0-dmz0
  - path_regex: ^secrets/router0-dmz0/.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *router0-dmz0
  - path_regex: ^secrets/sj-vps-htz0/.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *sj-vps-htz0
  - path_regex: ^secrets/sj-srv1/.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *sj-srv1
  - path_regex: ^secrets/sj-bm-hostkey0/.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *sj-bm-hostkey0
  - path_regex: ^secrets/steveej-x13s/.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *steveej-x13s
  - path_regex: ^secrets/work-holo/.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *steveej-x13s