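# sops configuration — controls which keys can decrypt secrets.yaml.
#
# Only PUBLIC key material belongs in this file. The age private key
# generated in step 2 stays on the Pi and must never be committed.
#
# SETUP STEPS (do this once on the Pi):
#
#   1. Install age:       nix-shell -p age
#   2. Generate a key:    age-keygen -o /var/lib/sops-nix/key.txt
#      Keep the file readable by root only (check with `ls -l`); anyone who
#      can read it can decrypt every secret encrypted for the Pi.
#   3. Print the pubkey:  age-keygen -y /var/lib/sops-nix/key.txt
#   4. Put the output of step 3 in the `age:` list below.
#      NOTE(review): the AGE-PUBLIC-KEY-PI-MAIN placeholder is no longer
#      present; confirm the age recipient below is the Pi's own public key,
#      otherwise the Pi cannot decrypt secrets.yaml.
#   5. (Optional) add your own age key or GPG key as a second recipient so
#      you can edit secrets from your workstation without the Pi being on.
#      Every recipient added here can decrypt all of secrets.yaml on its own.
#
# To encrypt / edit secrets.yaml:
#   sops secrets/secrets.yaml
#
# creation_rules are applied when sops creates a new file. An existing file
# keeps the recipient list stored in its own `sops:` metadata, so after
# changing the keys below run:
#   sops updatekeys secrets/secrets.yaml
#
# Removing a recipient does not revoke what that key could already decrypt:
# rotate the data key and change the secret values themselves.
creation_rules:
  - path_regex: secrets/secrets\.yaml$
    key_groups:
      # Single key group: each key listed here can decrypt on its own.
      - pgp:
          # NOTE(review): this is a 16-hex-digit long key ID, not a full
          # fingerprint. Key IDs can collide; replace it with the full
          # 40-hex-digit fingerprint (`gpg --fingerprint 076AA297579A0064`)
          # after verifying the key's owner out-of-band.
          - 076AA297579A0064
        age:
          - age120j8ty7nn04l3s3kgph5ty3v9g4e52fknn8xtnmzwakq9nv2la3skgte0p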