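# sops-nix encryption rules.
#
# Recipients:
#   - laptop: the age key in $REPO/.sops-age-key.txt (gitignored).
#     To recover: keep a copy of that file in your password manager.
#     That file is the private key for every secret matched below. The
#     .gitignore entry is the only thing keeping it out of the repository;
#     confirm it with `git check-ignore -v .sops-age-key.txt`.
#   - watcher: derived from the watcher's SSH host key
#     (/etc/ssh/ssh_host_ed25519_key). If the watcher is rebuilt without
#     restoring that host key, regenerate the recipient with:
#       ssh tyro@<watcher-host> cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
#     and update this file accordingly.
#     (<watcher-host> is a placeholder: the host name is missing from the
#     original command.) A rebuilt host presents a new host key, so check
#     its fingerprint out of band (e.g. on the console) before trusting the
#     fetched public key: whatever key is pasted here can decrypt the secrets.
#
# To edit an encrypted file: `sops hosts/watcher/secrets.yaml`
# To re-encrypt all files for new/changed keys: `sops updatekeys hosts/watcher/secrets.yaml`
#
# Removing or replacing a recipient only changes who can unwrap the file's
# data key from now on. A removed key still decrypts every earlier revision
# in git history, so when a key is lost or exposed, also rotate the data key
# and the secret values themselves.
keys:
  - &laptop age12hw3c0qfhl2ezk4aawgax3qu3a6gt5vm300xqtzwsl5l7mj903pq4kw8pf
  - &watcher age1ck8zheqpudkc6zsgfujyf287zte3q07fa05wkqwfv3raz7snsf9sk7s8zf

creation_rules:
  # The regex is anchored only at the end, so any path ending in
  # hosts/watcher/secrets.yaml is encrypted to both recipients.
  - path_regex: hosts/watcher/secrets\.yaml$
    key_groups:
      - age:
          - *laptop
          - *watcher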