nix-dotfiles/.sops.yaml

keys:
  # The PGP keys in keys/
  - &admin_alice F63832C3080D6E1AC77EECF80B4245FFE305BC82
  - &admin_richie 29F5017C95D9E60B1B1E8407072B0E0B8312DFE3

  # Generate AGE keys from SSH keys with:
  #   ssh-keygen -A
  #   nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
  # cspell:disable
  - &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
  - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
  - &bob age13jg97cvy63fzd2ccthcwvfyyxzw5vmwun8s0afq5l4xm0mhl6pjqhne063
  - &jeeves age128ehc0ssgwnuv4r8ayfyu7r80e82xrkmv63g7h9y9q4mhk4w9dyqfymc2w
  - &jeeves-jr age1lffr5f5nz0nrenv3ekgy27e8sztsx4gfp3hfymkz77mqaa5a4gts0ncrrh
  - &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
  - &rhapsody-in-green age1c7adjulcrma0m7l5ur8efxdjzyskrqcwssfkt77a9rmma7gzss5q02pgmy
  # cspell:enable

admins: &admins
  - *admin_alice
  - *admin_richie

servers: &servers
  - *jeeves
  - *jeeves-jr
  - *palatine-hill

# add new users by executing: sops users/<user>/secrets.yaml
# then have someone already in the repo run the below
#
# update keys by executing: sops updatekeys secrets.yaml
# note: add .* before \.yaml if you'd like to use the mergetool config
creation_rules:
  - path_regex: systems/jeeves/secrets\.yaml$
    key_groups:
      - pgp: *admins
        age:
          - *jeeves

  - path_regex: systems/jeeves-jr/secrets\.yaml$
    key_groups:
      - pgp: *admins
        age:
          - *jeeves-jr

  - path_regex: users/alice/secrets.*\.yaml$
    key_groups:
      - pgp:
          - *admin_alice
        age:
          - *palatine-hill
          - *jeeves
          - *jeeves-jr
          - *artemision
          - *artemision-home

  - path_regex: systems/palatine-hill/secrets.*\.yaml$
    key_groups:
      - pgp: *admins
        age:
          - *palatine-hill

  - path_regex: systems/palatine-hill/keys/zfs-.*-key$
    key_groups:
      - pgp: *admins
        age:
          - *palatine-hill

  - path_regex: users/alice/systems/artemision/secrets.*\.yaml$
    key_groups:
      - pgp:
          - *admin_alice
        age:
          - *artemision

  - path_regex: users/richie/secrets\.yaml$
    key_groups:
      - pgp:
          - *admin_richie
        age:
          - *palatine-hill
          - *jeeves
          - *jeeves-jr
          - *rhapsody-in-green
          - *bob