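# sops creation rules: selects the recipients a new secrets file is encrypted
# to, based on its path. Rules are checked top to bottom; the first match wins.
keys:
  # Quoted so that no YAML loader can read the 0x-prefixed value as a hex
  # integer.
  # NOTE(review): this is a 64-bit long key ID, not a full fingerprint. Long
  # IDs are not collision-resistant; prefer the full 40-hex-digit fingerprint
  # (`gpg --fingerprint <key>`), as is already done for pc_main.
  - &personal_pgp_key '0x141576B17B4AE789'
  - &pc_main '0DCB1C584AECEB2674BB76C179FE3B714935CDAB'
  - &venus 'age1l6v7c5cp6sh6typgskwfufzkn3qw4av7r42z7lqyns6mtupytqhs2fg49u'
  - &personal_age_key 'age16p54d6tx3mg0htkzj43q2mzpvlqj4gz63mz5qzx8mpsp5zx4xexsszdhuk'

creation_rules:
  # Each rule below targets exactly one file. The dot is escaped so that it
  # matches only a literal '.', and the pattern is single-quoted because '\.'
  # is not a valid escape inside a double-quoted YAML string.
  # With a single key group, any one listed key is enough to decrypt.

  # VPN configuration: PGP recipients only.
  - path_regex: 'secrets/vpn-config\.yaml$'
    key_groups:
      - pgp:
          - *personal_pgp_key
          - *pc_main

  # Matrix database secrets: age recipients only.
  - path_regex: 'secrets/matrix-db\.yaml$'
    key_groups:
      - age:
          - *venus
          - *personal_age_key

# Host keys: sops-nix can derive a machine's decryption identity from its SSH
# host key when that is enabled in the NixOS config, but this only supplies
# the private half. A file can be decrypted on a host only if that host's
# public key was a recipient when the file was encrypted, so the host key has
# to be anchored under `keys` and listed in the matching rule above.
# NOTE(review): `venus` and `pc_main` look like machine keys - confirm that
# every host that must read a file is a recipient of that file's rule.
#
# The personal key in each rule keeps the secrets editable off-host.
# Changing a rule does not re-encrypt existing files; run
# `sops updatekeys <file>` afterwards, and rotate any secret that a removed
# recipient could already read.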