---
description: Use when working with SOPS secrets files (secrets.yaml). Never modify secrets.yaml files directly — always prompt the user to make changes using sops edit.
applyTo: "**"
---
# SOPS Secrets Files — Read-Only

Never modify any `secrets.yaml` file in this repository. These files are SOPS-encrypted, and editing them directly (without `sops edit`) will corrupt the encryption and make the secrets unrecoverable.
## Rules

- Do NOT edit `secrets.yaml` files using file editing tools, even for renaming keys, restructuring blocks, or adding new entries.
- Do NOT suggest patches or diffs that target `secrets.yaml` files.
- Always prompt the user to make the change themselves using:
  `sops edit <path-to-secrets.yaml>`
- When a new secret key is needed (e.g., for a new SOPS reference in Nix code), tell the user the exact key name and value to add, and ask them to add it via `sops edit`.
- You may read `secrets.yaml` files (e.g., with grep to check key names) — reading is safe. Only writing is forbidden.
## Example

Instead of editing `systems/palatine-hill/secrets.yaml` directly, say:

> Please run `sops edit systems/palatine-hill/secrets.yaml` and add the following under the `kanidm:` block:
>
> ```yaml
> kanidm:
>   gitea_oidc_client_secret: "<your-generated-secret>"
> ```
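The corruption these rules guard against is detectable: a file written by `sops edit` always carries a top-level `sops:` metadata block (including its `mac:`) and only `ENC[...]` values elsewhere. The script below is an added example, not part of this instructions file or of SOPS itself; it is a lightweight guard (for example, a pre-commit hook) that rejects a `secrets.yaml` that no longer looks that way. It assumes the default SOPS YAML layout with every value encrypted (no `encrypted_regex`/`unencrypted_regex`), and the sample files and their ciphertexts are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the repository's code): flag a secrets.yaml that was edited
# outside `sops edit`. Checks that the top-level `sops:` block with its `mac:` is
# present and that every value outside that block is an ENC[...] ciphertext.
# A real decryption (`sops -d`) remains the authoritative check.
check_sops_file() {
    file="$1"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    awk '
        /^sops:/ { in_sops = 1; has_sops = 1; next }  # enter the metadata block
        /^[^ \t#]/ { in_sops = 0 }                    # another top-level key leaves it
        in_sops && /^[ \t]+mac:/ { has_mac = 1 }
        # Outside sops:, every "key: value" line must carry an ENC[...] value.
        !in_sops && /^[ \t]*[^#:]+:[ \t]*[^ \t]/ {
            v = $0; sub(/^[ \t]*[^:]+:[ \t]*/, "", v)
            if (v !~ /^ENC\[/ && v !~ /^#/) { print "plaintext value, line " NR ": " $0; bad = 1 }
        }
        END {
            if (!has_sops) { print "no sops: metadata block"; bad = 1 }
            else if (!has_mac) { print "sops: block has no mac: entry"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$file"
}

# Constructed samples (placeholder ciphertexts, not real SOPS output): ok.yaml mimics
# a file written by `sops edit`; bad.yaml is that file after a hand edit added a
# plaintext key and dropped the mac, which is what "corrupts" a SOPS file.
write_samples() {
    cat > "$1/ok.yaml" <<'EOF'
kanidm:
    gitea_oidc_client_secret: ENC[AES256_GCM,data:cGxhY2Vob2xkZXI=,iv:aXY=,tag:dGFn,type:str]
sops:
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
    version: 3.x-placeholder
EOF
    cat > "$1/bad.yaml" <<'EOF'
kanidm:
    gitea_oidc_client_secret: ENC[AES256_GCM,data:cGxhY2Vob2xkZXI=,iv:aXY=,tag:dGFn,type:str]
    new_key: plaintext-typed-in-by-hand
sops:
    version: 3.x-placeholder
EOF
}

# Demo when run directly: sh check_sops.sh
dir=$(mktemp -d); write_samples "$dir"
check_sops_file "$dir/ok.yaml" && echo "ok.yaml: accepted"
check_sops_file "$dir/bad.yaml" || echo "bad.yaml: rejected"
rm -rf "$dir"
```

Point `check_sops_file` at each `secrets.yaml` staged for commit; a non-zero exit means the file should be restored and re-edited with `sops edit`.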