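---
# SOPS configuration for secrets management
# https://github.com/getsops/sops (formerly https://github.com/mozilla/sops)
#
# Only PUBLIC age recipients belong in this file. The matching private keys
# stay in ~/.config/sops/age/keys.txt (or on the machine itself) and must
# never be committed or shared.

keys:
  # Personal age recipient. An age public key is a single line that starts
  # with "age1"; it has no BEGIN/END armor and must not be a block scalar.
  - &users 'Your-Age-Public-Key-Here'
  # SSH host-key-based decryption (recommended for machines)
  - &machines 'Laptop-Host-Key-Public-Key-Here'

creation_rules:
  # Production secrets
  - path_regex: '^secrets\.yaml$'
    key_groups:
      # Single key group: each recipient listed here can decrypt on its own,
      # so list only the keys that really need access.
      - age:
          - *users
          - *machines

# For first-time setup:
# 1. Generate your age keypair (keys.txt holds the PRIVATE key):
#      mkdir -p ~/.config/sops/age
#      age-keygen -o ~/.config/sops/age/keys.txt
#
# 2. Extract your public key:
#      age-keygen -y ~/.config/sops/age/keys.txt
#
# 3. Replace "Your-Age-Public-Key-Here" with the output
#
# 4. For machine-specific keys, derive the recipient from the machine's SSH
#    ed25519 host PUBLIC key and replace "Laptop-Host-Key-Public-Key-Here".
#    On the machine itself:
#      ssh-to-age -i /etc/ssh/ssh_host_ed25519_key.pub
#    Or remotely:
#      ssh-keyscan -t ed25519 hostname | ssh-to-age
#    ssh-keyscan does not authenticate the host. Compare the key fingerprint
#    with the one shown on the machine before using the result; otherwise
#    secrets may end up encrypted to a key you do not control.
#
# 5. After changing the recipient list, re-encrypt existing files so the
#    change takes effect:
#      sops updatekeys secrets.yaml
#    Removing a recipient does not revoke secrets it could already read;
#    rotate the secret values if a key was lost or compromised.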