# sops creation rules — see https://github.com/getsops/sops
#
# Each rule routes a path-regex to one or more age recipients (public keys).
# The matching age PRIVATE key lives outside the repo at /etc/azaion/age.key
# on the deploy host and is consumed by `scripts/deploy.sh` via
# `SOPS_AGE_KEY_FILE`.
#
# Onboarding a new operator:
#   1. They generate `age-keygen -o ~/.config/sops/age/keys.txt`
#   2. Their public key is appended below as an additional age recipient on the
#      relevant rule.
#   3. Run `sops updatekeys secrets/.env` to re-encrypt the file with the
#      new recipient list.
#   4. Commit the updated `.sops.yaml` AND the updated encrypted file in the
#      same commit. NEVER commit the private key.
#
# Cycle 1 placeholder: the recipient values below are the literal string
# `REPLACE_WITH_AGE_PUBLIC_KEY` so the file is reviewable but no real key is
# leaked. The first deploy MUST replace these before encrypting any real
# secret. The deploy script will fail loudly if it cannot decrypt.

creation_rules:
  - path_regex: secrets/staging\.env$
    age:
      - REPLACE_WITH_AGE_PUBLIC_KEY_FOR_STAGING
  - path_regex: secrets/production\.env$
    age:
      - REPLACE_WITH_AGE_PUBLIC_KEY_FOR_PRODUCTION
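The onboarding steps and the "first deploy MUST replace these" rule above depend on someone noticing a placeholder before a real secret is encrypted to it. The POSIX shell guard below is an added example, not part of this repository or of sops: it pulls the age recipients out of a `.sops.yaml` and refuses to proceed if any recipient is still a `REPLACE_WITH_AGE_PUBLIC_KEY*` placeholder or is not shaped like an age public key (`age1` followed by 58 bech32 characters, 62 characters in total). `check_recipients` is a hypothetical helper name, it only understands the flat `path_regex` / `age` rule layout used here, and the sample files and the `age1...` value in them are constructed (the key-looking string has no valid checksum and is not a real recipient).

```shell
#!/bin/sh
# Added example (not from the repository or from sops): a pre-deploy guard
# that refuses a .sops.yaml whose age recipients are still placeholders.
# Assumes the flat "path_regex / age" rule layout used in this file; other
# sops key types (kms, pgp, ...) are not handled.

# check_recipients FILE
#   returns 0 when every single-token "- <value>" list item is a well-formed
#   age public key; returns 1 otherwise and explains why on stderr.
check_recipients() {
    file="$1"
    # Every list item whose value is one token. "- path_regex: ..." items
    # carry a "key: value" pair and therefore do not match this pattern.
    recipients=$(sed -n 's/^[[:space:]]*-[[:space:]]*\([^[:space:]][^[:space:]]*\)[[:space:]]*$/\1/p' "$file")
    if [ -z "$recipients" ]; then
        echo "$file: no age recipients found" >&2
        return 1
    fi
    bad=0
    for r in $recipients; do
        case "$r" in
            REPLACE_WITH_AGE_PUBLIC_KEY*)
                echo "$file: placeholder recipient still present: $r" >&2
                bad=1 ;;
            age1*)
                # age public keys are bech32: "age1" + 58 characters from the
                # bech32 alphabet (which has no 1, b, i or o).
                if ! printf '%s\n' "$r" | grep -Eq '^age1[02-9ac-hj-np-z]{58}$'; then
                    echo "$file: malformed age recipient: $r" >&2
                    bad=1
                fi ;;
            *)
                echo "$file: unexpected recipient (not an age key): $r" >&2
                bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample inputs (hypothetical, not the repository's files). The
# "age1..." value is only bech32-shaped; it is not a real key.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/placeholder.sops.yaml" <<'EOF'
creation_rules:
  - path_regex: secrets/staging\.env$
    age:
      - REPLACE_WITH_AGE_PUBLIC_KEY_FOR_STAGING
EOF
cat > "$SAMPLE_DIR/ready.sops.yaml" <<'EOF'
creation_rules:
  - path_regex: secrets/staging\.env$
    age:
      - age1qpzry9x8gf2tvdw0s3jn54khce6mua7lqpzry9x8gf2tvdw0s3jn54khce
EOF
cat > "$SAMPLE_DIR/malformed.sops.yaml" <<'EOF'
creation_rules:
  - path_regex: secrets/production\.env$
    age:
      - age1notakey
EOF

# How a deploy script could use it: stop with a clear message before calling
# sops at all, instead of failing later when decryption is attempted.
if check_recipients "$SAMPLE_DIR/ready.sops.yaml"; then
    echo "ready: every recipient looks like an age public key"
fi
if ! check_recipients "$SAMPLE_DIR/placeholder.sops.yaml"; then
    echo "blocked: placeholder recipients must be replaced before deploy"
fi
```

Run it once before `sops -d` in the deploy step; the format check catches a pasted private key or a truncated public key as well as the untouched placeholder, but it does not verify the bech32 checksum, so a typo that keeps the alphabet and length will still be caught only by sops itself.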