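# .sops.yaml declares which keys are able to decrypt secrets.yaml, the file
# that holds all the goodies. The age1... values below are age *public* keys
# (recipients), one per user or host; they are not secret. To decrypt, the
# matching private key must still be present on the system. Ideally it is
# derived from the SSH key already set up on the server, so that no separate
# bootstrap step is needed.
#
# Every key listed under a creation rule can decrypt every value in the files
# that rule matches, so keep the list to the users and hosts that need it.
# Dropping a key only affects future encryption: its holder can still read
# anything they already decrypted or any older ciphertext they kept, so rotate
# the secret values themselves when a key is removed.
keys:
  # make sure to run `sops updatekeys secrets.yaml` after changing the keys
  # `&users:` and `&hosts:` are grouping labels only; no alias references them.
  - &users:
      - &dev age14d55nfxlzm8t2yzplxpprygxmt99javafz9a8dh5llu87aww4qlswf6g0c
  - &hosts:
      - &dev-vm age1rjtqzmywfr3zuzz0cn8eqnwp3x8ypzya9gcv6kvtplhudar5eayqq83ey4
      - &crayon age1pnu4tkdxfcnefntdw262k4m8wuv3qe2894s4e6w5j8yshg8vlu6q9uq5tv
      # TODO: blobercraft has no age public key recorded, so this anchor
      # resolves to an empty value and is not a usable recipient. The entry
      # was also repeated five times (redefining the same anchor); it is kept
      # once here. Fill in the host's public key or delete the entry and its
      # alias below.
      - &blobercraft
      # new-host marker
creation_rules:
  # NOTE(review): this pattern is unanchored at the start and the `.` is
  # unescaped, so it matches any path that ends in "secrets" + one character +
  # "yaml". If only files named exactly secrets.yaml are intended, a stricter
  # pattern such as `(^|/)secrets\.yaml$` would express that - confirm against
  # the repository layout before changing it.
  - path_regex: secrets.yaml$
    key_groups:
      - age:
          - *dev
          - *dev-vm
          - *crayon
          # Listed once; the original repeated this alias five times. It stays
          # unusable until the anchor above carries a real public key.
          - *blobercraft
          # new-host ptr marker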