ahuston-0/nix-dotfiles
1
0
Fork 0
Code Issues 1 Pull Requests 3 Actions 1 Packages Projects Releases Wiki Activity

add tang and clevis to palatine-hill

Browse Source
This commit is contained in:
ahuston-0
2026-05-03 13:29:39 -04:00
parent f5d0f97400
commit 24d451f825
4 changed files with 263 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/instructions/sops-secrets-readonly.instructions.md
+32
View File
@@ -0,0 +1,32 @@
---
description: "Use when working with SOPS secrets files (secrets.yaml). Never modify secrets.yaml files directly — always prompt the user to make changes using sops edit."
applyTo: "**"
---
# SOPS Secrets Files — Read-Only
Never modify any `secrets.yaml` file in this repository. These files are SOPS-encrypted and editing them directly (without `sops edit`) will corrupt the encryption and make the secrets unrecoverable.
## Rules
- **Do NOT edit `secrets.yaml` files** using file editing tools, even for renaming keys, restructuring blocks, or adding new entries.
- **Do NOT suggest patches or diffs** that target `secrets.yaml` files.
- **Always prompt the user** to make the change themselves using:
```bash
sops edit <path-to-secrets.yaml>
```
- When a new secret key is needed (e.g., for a new SOPS reference in Nix code), tell the user the exact key name and value to add, and ask them to add it via `sops edit`.
- You may **read** `secrets.yaml` files (e.g., with grep to check key names) — reading is safe. Only writing is forbidden.
## Example
Instead of editing `systems/palatine-hill/secrets.yaml` directly, say:
> Please run `sops edit systems/palatine-hill/secrets.yaml` and add the following under the `kanidm:` block:
>
> ```yaml
> kanidm:
> gitea_oidc_client_secret: "<your-generated-secret>"
> ```