From 562785e0d291ad3f41ec09bf98f620dc7e35b85f Mon Sep 17 00:00:00 2001
From: Trolli Schmittlauch
Date: Thu, 9 Apr 2026 17:52:38 +0200
Subject: [PATCH] sops: add thinknix key
---
 .sops.yaml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
index 8182fab..e3007b1 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,19 +1,26 @@
 # XXX: missing: thinknix?, at some point mobile
 # XXX: consider key groups
 keys:
- - &admin_framenix age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz #framenix
+ - &admin_framenix age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz #framenix, thinknix
 - &admin_workmac age1fft2ynhazjwtjmxsvt37qervtekktdln2968gjp4vcp5sp3jeg5segkz3x #workmac
 # Generate AGE keys from SSH keys with:
 # nix-shell -p ssh-to-age --run 'ssh some.example.com cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
 - &machine_framenix age1kx93vp8l8jd6kz0kvk379udr5z8a9t6946w0ff5t9a2esn47nqzqlfzvwe
 - &machine_workmac age1rpygw5lkhc0a5hq8fuhjzy57ls7pn5u76097z6g2p4nmlctl8pvsxrztd8
+ - &machine_thinknix age1ux8jt6dt2t5xc22h0qf6nakmhchf7hvzaj9a4spevjlugpafkyzq6vrn0f #thinknix
 creation_rules:
- # per-host secrets for host specific ones, but for service modules we could store and manage them also per module scope
+ # per-host secrets for host specific ones
 - path_regex: hosts/framenix/secrets\.(yaml|json|env|ini)$
 key_groups:
 - age:
 - *admin_framenix
 - *machine_framenix
+ - path_regex: hosts/thinknix/secrets\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *admin_framenix
+ - *machine_thinknix
+ # shared secrets
 - path_regex: common/secrets\.(yaml|json|env|ini)$
 key_groups:
 - age:
@@ -21,4 +28,5 @@ creation_rules:
 - *admin_workmac
 - *machine_workmac
 - *machine_framenix
+ - *machine_thinknix
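Review bot: The changed comment on `&admin_framenix` (`#framenix, thinknix`) suggests the same admin age identity now lives on two machines, so a compromise of either one exposes every secret encrypted to that recipient and neither device can be revoked on its own. If that reading is right, a separate per-device recipient would be safer, e.g. `- &admin_thinknix <age-public-key-placeholder> #thinknix` listed in the `hosts/thinknix` and `common` rules; at minimum the anchor name no longer matches its use. The first context line `# XXX: missing: thinknix?, at some point mobile` is now stale and could become `# XXX: missing: mobile`. Since only `.sops.yaml` changes here and creation rules apply to newly created files, any existing `common/secrets.*` still has to be re-keyed with `sops updatekeys` before the `*machine_thinknix` recipient added in the second hunk can decrypt it.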