Aner Zakobar
25 lines
934 B
YAML
25 lines
934 B
YAML
# sops configuration — controls which keys can decrypt secrets.yaml.
|
|
#
|
|
# SETUP STEPS (do this once on the Pi):
|
|
#
|
|
# 1. Install age: nix-shell -p age
|
|
# 2. Generate a key: age-keygen -o /var/lib/sops-nix/key.txt
|
|
# 3. Print the pubkey: age-keygen -y /var/lib/sops-nix/key.txt
|
|
# 4. Replace AGE-PUBLIC-KEY-PI-MAIN below with the output of step 3.
|
|
# 5. (Optional) add your own age key or GPG key as a second recipient so
|
|
# you can edit secrets from your workstation without the Pi being on.
|
|
#
|
|
# To encrypt / edit secrets.yaml:
|
|
# sops secrets/secrets.yaml
|
|
#
|
|
# sops will re-encrypt the file for all keys listed here every time you save.
|
|
|
|
creation_rules:
|
|
- path_regex: secrets/secrets\.yaml$
|
|
key_groups:
|
|
- pgp
|
|
- 076AA297579A0064
|
|
# - age:
|
|
# Pi main host key — replace with output of `age-keygen -y /var/lib/sops-nix/key.txt`
|
|
# - AGE-PUBLIC-KEY-PI-MAIN-REPLACE-ME
|