nixConfig/.sops.yaml

keys:
  - &nerf age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
  - &gonne age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
  - &daniel age1mmpdvzy6d23qyhrl55jtv3c25pus2wwfplx9tujmqps2xsreuv8qwc6gv5

  - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
  - &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
  - &nyarlathotep age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a

creation_rules:
  - path_regex: nixos/machines/nyarlathotep/.*
    key_groups:
      - age:
        - *nerf
        - *gonne
        - *daniel
        - *nyarlathotep
  - path_regex: nixos/machines/bragi/.*
    key_groups:
      - age:
        - *nerf
        - *gonne
        - *daniel
        - *bragi
  - path_regex: nixos/machines/lobon/.*
    key_groups:
      - age:
        - *nerf
        - *gonne
        - *daniel
        - *lobon
  # this is the catchall clause if nothing above machtes. Encrypt to users but not
  # to machines
  - key_groups:
      - age:
        - *nerf
        - *gonne
        - *daniel