stura-infra/.sops.yaml

# SOPS configuration for StuRa HTW Dresden infrastructure
#
# This file defines which keys can decrypt which secrets.
# Add GPG public keys (.asc files) or age keys to keys/hosts/ and keys/users/
# to grant decryption access to hosts and users respectively.

keys:
  # Admin/user keys - add GPG public keys here
  # Example:
  # - &user_admin_key age1... or pgp fingerprint

  # Host keys - add host-specific keys here
  # Example:
  # - &host_proxy_key age1... or pgp fingerprint
  # - &host_git_key age1... or pgp fingerprint

# Define which keys can access which files
creation_rules:
  # Default rule: all secrets can be decrypted by admin keys
  - path_regex: secrets/.*\.yaml$
    # key_groups:
    # - pgp:
    #   - *user_admin_key
    # - age:
    #   - *user_admin_key

  # Host-specific secrets (example)
  # - path_regex: secrets/proxy/.*\.yaml$
  #   key_groups:
  #   - pgp:
  #     - *user_admin_key
  #     - *host_proxy_key

  # - path_regex: secrets/git/.*\.yaml$
  #   key_groups:
  #   - pgp:
  #     - *user_admin_key
  #     - *host_git_key