---
description: "Use when working with SOPS secrets files (secrets.yaml). Never modify secrets.yaml files directly — always prompt the user to make changes using sops edit."
applyTo: "**"
---

# SOPS Secrets Files — Read-Only

Never modify any `secrets.yaml` file in this repository. These files are SOPS-encrypted and editing them directly (without `sops edit`) will corrupt the encryption and make the secrets unrecoverable.

## Rules

- **Do NOT edit `secrets.yaml` files** using file editing tools, even for renaming keys, restructuring blocks, or adding new entries.
- **Do NOT suggest patches or diffs** that target `secrets.yaml` files.
- **Always prompt the user** to make the change themselves using:

  ```bash
  sops edit <path-to-secrets.yaml>
  ```

- When a new secret key is needed (e.g., for a new SOPS reference in Nix code), tell the user the exact key name and value to add, and ask them to add it via `sops edit`.
- You may **read** `secrets.yaml` files (e.g., with grep to check key names) — reading is safe. Only writing is forbidden.
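The corruption the rules above guard against is easy to spot after the fact: a file saved by a text editor instead of `sops edit` ends up with a plaintext leaf next to the `ENC[...]` ciphertext, and `sops` then refuses to decrypt because the MAC in the `sops:` block no longer covers the tree. The following read-only audit is an added example, not part of this instruction file or of SOPS itself; it is suitable as a pre-commit or CI check. It assumes the standard layout `sops` writes (one `ENC[AES256_GCM,...]` scalar per secret leaf, a top-level `sops:` metadata block with an encrypted `mac`) and runs on two constructed sample documents whose ciphertext fields are made-up base64, not real output.

```python
"""Audit a SOPS-encrypted secrets.yaml for signs of a direct (non-`sops edit`) save.

Added example, not part of the instruction file.  Assumes the standard layout
that `sops` writes: every secret leaf is an ENC[AES256_GCM,...] string and a
top-level `sops:` block carries plaintext metadata plus an encrypted `mac`.
"""
import re
import sys

# Shape of one ciphertext leaf as written by sops (default data-key cipher).
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[^,\]]+,iv:[^,\]]+,tag:[^,\]]+,type:[a-z]+\]$"
)
# `indent key: [value]` -- sops emits plain block-style YAML, one scalar per line.
KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.\-/]+):(?:\s+(.*?))?\s*$")
# `indent - value` sequence item outside the sops block (sops encrypts these too).
ITEM_RE = re.compile(r"^(\s*)-\s+(.*?)\s*$")


def _unquote(value):
    """Strip one layer of matching YAML quotes; sops itself usually writes none."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def _check_leaf(findings, lineno, key_path, value):
    if not ENC_RE.match(_unquote(value)):
        findings.append((lineno, key_path, "leaf is not ENC[...] ciphertext (direct edit?)"))


def audit_sops_yaml(text):
    """Return a list of (line_no, key_path, reason) findings; [] means intact."""
    findings = []
    path = []                   # stack of (indent, key) for the current branch
    in_sops_meta = False
    seen_sops = seen_mac = False

    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#") or stripped == "---":
            continue
        m = KEY_RE.match(raw)
        if m:
            indent, key, value = len(m.group(1)), m.group(2), m.group(3) or ""
            while path and path[-1][0] >= indent:
                path.pop()
            path.append((indent, key))
            if indent == 0:
                in_sops_meta = key == "sops"
                seen_sops = seen_sops or in_sops_meta
            if in_sops_meta:
                # Recipients, lastmodified and version are plaintext by design;
                # only the MAC over the tree must be ciphertext.
                if key == "mac" and ENC_RE.match(_unquote(value)):
                    seen_mac = True
            elif value:
                _check_leaf(findings, lineno, ".".join(k for _, k in path), value)
            continue
        m = ITEM_RE.match(raw)
        if m and not in_sops_meta:
            _check_leaf(findings, lineno, ".".join(k for _, k in path) + "[]", m.group(2))

    if not seen_sops:
        findings.append((0, "", "missing sops metadata block"))
    elif not seen_mac:
        findings.append((0, "sops.mac", "missing or non-encrypted mac"))
    return findings


# Constructed sample: ciphertext fields are made-up base64, not real sops output.
INTACT_SAMPLE = """\
kanidm:
    gitea_oidc_client_secret: ENC[AES256_GCM,data:c2VjcmV0,iv:aXY=,tag:dGFn,type:str]
sops:
    age:
        - recipient: age1exampleonlynotarealrecipient
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWJj
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-01-01T00:00:00Z"
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
    version: 3.8.1
"""

# Same file after the example value was pasted in with a text editor instead of
# `sops edit`: the leaf is plaintext and the MAC above no longer matches.
TAMPERED_SAMPLE = INTACT_SAMPLE.replace(
    "ENC[AES256_GCM,data:c2VjcmV0,iv:aXY=,tag:dGFn,type:str]",
    '"<your-generated-secret>"',
)

if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:  # no files given: demonstrate on the constructed samples
        for label, doc in (("intact", INTACT_SAMPLE), ("tampered", TAMPERED_SAMPLE)):
            print(label, audit_sops_yaml(doc))
        sys.exit(0)
    bad = 0
    for name in targets:  # e.g. systems/<host>/secrets.yaml
        with open(name, encoding="utf-8") as fh:
            for lineno, key_path, reason in audit_sops_yaml(fh.read()):
                print(f"{name}:{lineno}: {key_path}: {reason}")
                bad += 1
    sys.exit(1 if bad else 0)
```

The audit never decrypts anything and needs no key material, so it stays within the "reading is safe" rule; it only reports leaves that are not ciphertext and a missing or non-encrypted `mac`. It deliberately does not try to repair a file: the only safe fix remains re-adding the value with `sops edit`.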

## Example

Instead of editing `systems/palatine-hill/secrets.yaml` directly, say:

> Please run `sops edit systems/palatine-hill/secrets.yaml` and add the following under the `kanidm:` block:
>
> ```yaml
> kanidm:
>   gitea_oidc_client_secret: "<your-generated-secret>"
> ```