config/.sops.yaml

keys:
  - &personal_pgp_key 0x141576B17B4AE789
  - &pc_main 0DCB1C584AECEB2674BB76C179FE3B714935CDAB

creation_rules:
  # This rule applies to any file named 'secrets.yaml' directly in the 'secrets/' directory
  # or 'secrets/github-deploy-key.yaml' etc.
  - path_regex: "secrets/.*\\.yaml$"
    key_groups:
      - pgp:
          - *personal_pgp_key
          - *pc_main
        # Add host keys for decryption on the target system
        # sops-nix will automatically pick up the system's SSH host keys
        # as decryption keys if enabled in your NixOS config.
        # So you typically don't list them explicitly here unless you
        # want to restrict it to specific fingerprints, which is rare.
        # This part ensures your *personal* key can decrypt it.
add crypto 2025-07-22 20:21:21 -04:00			`keys:`
			`- &personal_pgp_key 0x141576B17B4AE789`
			`- &pc_main 0DCB1C584AECEB2674BB76C179FE3B714935CDAB`

			`creation_rules:`
			`# This rule applies to any file named 'secrets.yaml' directly in the 'secrets/' directory`
			`# or 'secrets/github-deploy-key.yaml' etc.`
			`- path_regex: "secrets/.*\\.yaml$"`
			`key_groups:`
			`- pgp:`
			`- *personal_pgp_key`
			`- *pc_main`
			`# Add host keys for decryption on the target system`
			`# sops-nix will automatically pick up the system's SSH host keys`
			`# as decryption keys if enabled in your NixOS config.`
			`# So you typically don't list them explicitly here unless you`
			`# want to restrict it to specific fingerprints, which is rare.`
			`# This part ensures your personal key can decrypt it.`