Secrets now encrypted to three recipients:

- vultr_vps: server SSH host key (primary)
- admin: workstation key (local editing)
- recovery: offline key at ~/.config/sops/age/recovery.key

If server dies and admin key unavailable, recovery key can still decrypt secrets to bootstrap restore.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
19 lines
639 B
YAML
```yaml
keys:
  # Vultr VPS jrz1 (45.77.205.49) - SSH host key converted to age
  - &vultr_vps age1vuxcwvdvzl2u7w6kudqvnnf45czrnhwv9aevjq9hyjjpa409jvkqhkz32q

  # Admin workstation - for local editing
  - &admin age18ue40q4fw8uggdlfag7jf5nrawvfvsnv93nurschhuynus200yjsd775v3

  # Offline recovery key - stored at ~/.config/sops/age/recovery.key
  # Use this to decrypt secrets if server is dead and admin key unavailable
  - &recovery age1kyhk90n8yvsqekr3f0094vy30uj2v40fq3dxe50pvf9rtfm9qa9stl6t3k

creation_rules:
  - path_regex: secrets/secrets\.yaml$
    key_groups:
      - age:
          - *vultr_vps
          - *admin
          - *recovery
```
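The following script is an added example and is not part of this repository or commit. It exercises the recovery path the commit message describes and adds the two checks a practitioner wants before trusting that path: that the private key at ~/.config/sops/age/recovery.key really corresponds to the `&recovery` recipient in `.sops.yaml`, and that the already-encrypted `secrets/secrets.yaml` was actually re-wrapped for all three recipients (changing `.sops.yaml` alone does not re-encrypt existing files; `sops updatekeys` does). It assumes `sops` and `age-keygen` are installed, that the repository layout matches the creation rule above (`.sops.yaml` at the root, `secrets/secrets.yaml` as the encrypted file), and that the recovery key lives at the path named in the config comment; the `CFG`, `SECRETS` and `RECOVERY_KEY_FILE` variable names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the repository: verify the three-recipient sops/age
# setup and run the "server dead, admin key unavailable" recovery decrypt.
# Assumptions: sops and age-keygen on PATH; repo layout as in the creation rule;
# recovery private key at ~/.config/sops/age/recovery.key (per the config comment).
set -eu

CFG="${CFG:-.sops.yaml}"                                  # hypothetical variable names
SECRETS="${SECRETS:-secrets/secrets.yaml}"
RECOVERY_KEY_FILE="${RECOVERY_KEY_FILE:-$HOME/.config/sops/age/recovery.key}"

# Print the age public key bound to a YAML anchor (e.g. "recovery") in .sops.yaml.
recipient_for_anchor() {
  anchor="$1"; cfg="$2"
  sed -n "s/^[[:space:]]*-[[:space:]]*&${anchor}[[:space:]][[:space:]]*\(age1[0-9a-z]*\).*$/\1/p" "$cfg"
}

# Count the recipients the creation rule encrypts to (the "- *alias" lines).
rule_recipient_count() {
  grep -c '^[[:space:]]*-[[:space:]]*\*' "$1" || true
}

# Count the recipients recorded in an encrypted file's sops metadata. sops stores
# each age recipient in plaintext under sops.age[].recipient, so no key is needed.
encrypted_recipient_count() {
  grep -c '^[[:space:]]*-[[:space:]]*recipient:[[:space:]]*age1' "$1" || true
}

# The offline private key must derive to the &recovery public key, otherwise the
# recovery scenario fails exactly when it is needed. age-keygen -y prints the
# recipient for a private key file.
verify_recovery_key() {
  expected="$(recipient_for_anchor recovery "$CFG")"
  actual="$(age-keygen -y "$RECOVERY_KEY_FILE")"
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Recovery path from the commit message: decrypt using only the offline key.
decrypt_with_recovery_key() {
  SOPS_AGE_KEY_FILE="$RECOVERY_KEY_FILE" sops -d "$1"
}

main() {
  want="$(rule_recipient_count "$CFG")"
  have="$(encrypted_recipient_count "$SECRETS")"
  if [ "$want" != "$have" ]; then
    # Editing .sops.yaml never touches existing ciphertext; re-wrap the data key
    # for the current recipient set so the new recovery key can actually decrypt.
    echo "recipient mismatch: rule has $want, $SECRETS has $have; running sops updatekeys" >&2
    sops updatekeys --yes "$SECRETS"
  fi
  verify_recovery_key || { echo "recovery key does not match &recovery recipient" >&2; exit 1; }
  decrypt_with_recovery_key "$SECRETS" >/dev/null && echo "recovery decrypt OK"
}

# Only run the live checks when the repository files are present.
if [ -f "$CFG" ] && [ -f "$SECRETS" ]; then
  main
fi
```

Run it from the repository root after committing the new `.sops.yaml`. If `sops updatekeys` is triggered, commit the re-wrapped `secrets/secrets.yaml` as well; until then the file is still encrypted only to the old recipient set and the recovery key buys nothing.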