Files

22 lines
1021 B
YAML

# SOPS creation rules for project-charlie.
#
# Only used locally on the admin laptop when encrypting the read-only
# registry PAT that gets pasted into `.gitea/workflows/deploy-stack.yml`.
# The workflow itself doesn't read this file — it ships the ciphertext
# inlined in the YAML and decrypts on the target host with
# `/etc/charlie/age.key`.
#
# Recipients = every host age pubkey (so any deploy target can decrypt)
# + the admin age pubkey (so we can re-encrypt off-host on rotation).
# Pubkeys mirrored from docs/hosts.md → "Age public keys (SOPS)".
# When a new host gets onboarded with an age key, add it here AND
# re-encrypt: `sops updatekeys secrets/registry-creds.sops.yaml` (then
# re-paste into deploy-stack.yml).
creation_rules:
- path_regex: secrets/registry-creds\.sops\.yaml$
age: >-
age19d6mc8arznnwnvtp0xrphlseuwf94p0f3pznszrtmd5wgmjpzqdq9mltvs,
age1m5ha3fd8psek5pym4spk7encjk4vmsml46eya3eymp7q9d9jre5s7xe84r,
age1xfp878l4ul5zulqqul0u60c44c5wj94cmladgc6jt5jrlmrdrezsd8twh2