sops-nix: basic key setup

2026-04-05 00:16:33 +02:00 · 2026-04-05 00:16:33 +02:00 · 32822bcc3a
commit 32822bcc3a
parent 4b712b6b67
3 changed files with 42 additions and 0 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,14 @@
+# XXX: missing: macbook, thinknix?, at some point mobile
+keys:
+  - &admins age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz #framenix
+  # Generate AGE keys from SSH keys with:
+  # nix-shell -p ssh-to-age --run 'ssh some.example.com /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+  - &machine_framenix age1kx93vp8l8jd6kz0kvk379udr5z8a9t6946w0ff5t9a2esn47nqzqlfzvwe
+creation_rules:
+  # per-host secrets for host specific ones, but for service modules we could store and manage them also per module scope
+  - path_regex: hosts/framenix/secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+        - *admins
+        - *machine_framenix
+