# ───── Path B: multi-tenant ─────
# Multiple clients share the vault; their credentials are encrypted to disjoint
# recipient sets. Paste inside s.make_project { ... }. Adapt groups + rules.
sops = {
  enabled = true,
  # Both left blank in this template — fill in before use.
  vault_id = "",
  # Written as an enum tag (leading quote, no closing quote), not a string
  # literal; keep it as is. NOTE(review): assumes the consuming schema takes
  # 'restic in this form — confirm rather than "fixing" the quote.
  vault_backend = 'restic,
  registry_endpoint = "",
  # Maps the tool's actor roles (left) to the vault-side identity names (right).
  actor_key_bindings = {
    developer = "developer",
    ci = "cdci",
    agent = "ontoref",
    admin = "admin",
  },
  # Recipient groups — each is a list of age public keys. Use empty [] for
  # placeholder groups you populate later.
  # NOTE(review): while a group is still [], files matched by its rule are
  # encrypted only to the remaining groups of that rule (in practice `admin`,
  # which every rule below includes). Whether the tool rejects a rule whose
  # union of groups is empty is not shown here — confirm before relying on it.
  recipient_groups = {
    admin = ["age1admin..."],
    ops = ["age1ops..."],
    clientA = ["age1clientA-lead..."],
    clientB = ["age1clientB-lead..."],
  },
  # Path-to-recipient-set rules. Each *.sops.yaml created in the vault is
  # encrypted with the union of its rule's groups. Order matters — first match wins.
  # `admin` is in every rule, so admin keys decrypt every tenant's secrets: keep
  # that group as small as possible.
  # NOTE(review): the patterns are end-anchored ($) but not start-anchored. With
  # first-match-wins, a tenant file whose name ends in "access.sops.yaml" (e.g.
  # registry/clientA-access.sops.yaml) is caught by the first rule and encrypted
  # to admin+ops instead of admin+clientA. If the matcher is a regex search rather
  # than a full match, anchor the first pattern (e.g. with ^ or a directory
  # prefix) — confirm against the tool's matching semantics.
  recipient_rules = [
    { path = "access\\.sops\\.yaml$", groups = ["admin", "ops"] },
    { path = "registry/clientA-.*\\.sops\\.yaml$", groups = ["admin", "clientA"] },
    { path = "registry/clientB-.*\\.sops\\.yaml$", groups = ["admin", "clientB"] },
  ],
},