---
# Config file for sops, used for encrypting the keys that sops-nix decrypts.
# Each machine key is derived from that machine's generated `ssh_hosts_ed` file
# via ssh-to-age.
# sops encrypts the secrets so they can be decrypted with the private key of
# any of the machines below, OR with my 'main' key, which is kept securely
# outside this repo.

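# A key per machine is a little more secure, and a little more work, than
# copying one key to every machine: a compromised machine exposes only its own
# key, which can then be dropped from the recipient list on its own.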

# Named age recipients, declared once as YAML anchors (`&name`) so the
# creation rules can refer to them by alias (`*name`).
# Every value here is an `age1...` recipient, i.e. a public key. Private keys
# (age identities, SSH host private keys) must never be added to this file.
keys:
  # Personal recipient.
  # NOTE(review): presumably the 'main' key mentioned in the header; confirm.
  - users:
    - &jahanson age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
  # One recipient per machine. When a host is rebuilt and its SSH host key is
  # regenerated, the value here must be regenerated too, otherwise that host
  # can no longer decrypt.
  - hosts:
    - &durincore age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
    - &gandalf age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
    - &legiondary age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
    - &shadowfax age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
    - &telchar age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
    - &telperion age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
    - &varda age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf


# Rules sops consults when it encrypts a new file: the file's path is tested
# against each path_regex and the key groups of the matching rule are used.
creation_rules:
  # Applies to any path ending in `.sops.yaml`; a path without that suffix
  # matches no rule in this file.
  - path_regex: .*\.sops\.yaml$
    # A single key group: the private key of ANY one recipient listed below is
    # enough to decrypt every file this rule covers, so one compromised host
    # exposes all of these secrets, not only the ones it uses.
    # NOTE(review): if hosts only need their own secrets, narrower rules (one
    # path_regex per host or role) would limit that exposure.
    key_groups:
      - age:
        # Editing this list only affects files encrypted afterwards. After
        # removing a recipient, re-key the existing files (`sops updatekeys`)
        # and rotate the secret values themselves: ciphertext already in the
        # repo history stays readable with the removed key.
        - *durincore
        - *gandalf
        - *jahanson
        - *legiondary
        - *shadowfax
        - *telchar
        - *telperion
        - *varda