22 lines
1021 B
YAML
22 lines
1021 B
YAML
# SOPS creation rules for project-charlie.
|
|
#
|
|
# Only used locally on the admin laptop when encrypting the read-only
|
|
# registry PAT that gets pasted into `.gitea/workflows/deploy-stack.yml`.
|
|
# The workflow itself doesn't read this file — it ships the ciphertext
|
|
# inlined in the YAML and decrypts on the target host with
|
|
# `/etc/charlie/age.key`.
|
|
#
|
|
# Recipients = every host age pubkey (so any deploy target can decrypt)
|
|
# + the admin age pubkey (so we can re-encrypt off-host on rotation).
|
|
# Pubkeys mirrored from docs/hosts.md → "Age public keys (SOPS)".
|
|
# When a new host gets onboarded with an age key, add it here AND
|
|
# re-encrypt: `sops updatekeys secrets/registry-creds.sops.yaml` (then
|
|
# re-paste into deploy-stack.yml).
|
|
|
|
creation_rules:
|
|
- path_regex: secrets/registry-creds\.sops\.yaml$
|
|
age: >-
|
|
age19d6mc8arznnwnvtp0xrphlseuwf94p0f3pznszrtmd5wgmjpzqdq9mltvs,
|
|
age1m5ha3fd8psek5pym4spk7encjk4vmsml46eya3eymp7q9d9jre5s7xe84r,
|
|
age1xfp878l4ul5zulqqul0u60c44c5wj94cmladgc6jt5jrlmrdrezsd8twh2
|