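# SOPS Configuration Schema - Type contracts and validation
#
# Nickel record contracts for the SOPS rule sets consumed by the per-environment
# configs. Contracts are the builtin Nickel types (`String`, `Number`, `Array T`)
# plus contract values exported by the stdlib (`std.string.NonEmpty`,
# `std.number.Integer`). `std.string`, `std.number` and `std.array` themselves
# are the stdlib *modules* (records of functions), not contracts: annotating a
# field with `| std.string` checks for a record, and `std.array SopsRule` tries
# to apply a record as a function, so a config validated against the previous
# spelling could never pass.
#
# Fields are mandatory unless annotated `| optional`; there is no `required`
# keyword to spell out. Record contracts are closed: a config carrying a key
# that is not declared here fails validation.
# NOTE(review): upstream `.sops.yaml` accepts further per-rule keys (kms, pgp,
# unencrypted_regex, ...); confirm rejecting them is intended rather than an
# omission in SopsRule.
{
  SopsRule = {
    # Regex pattern matched against the file path to select files for encryption.
    # A rule without path_regex acts as a catch-all, so its position within
    # creation_rules matters (rules are evaluated sequentially, first match wins).
    path_regex
      | String
      | doc "File path regex pattern (e.g., '\\.prod\\.yaml$')"
      | optional,

    # Age public key that encrypts matched files. Mandatory and non-empty: an
    # empty recipient string would yield a rule that selects files but cannot
    # encrypt them.
    age
      | std.string.NonEmpty
      | doc "Age public key (x25519 format: age1...)",

    # Regex selecting which field names inside a matched file are encrypted.
    # NOTE(review): when omitted, SOPS encrypts every value in the file; confirm
    # that is the intended default for rules that leave this unset.
    encrypted_regex
      | String
      | doc "Field name regex for encryption (e.g., '^(password|token)$')"
      | optional,

    # Version counter used to track key rotation; an integer, not an arbitrary
    # number, so that 1.5 is rejected while 1.0 (== 1) is still accepted.
    key_version
      | std.number.Integer
      | doc "Version number for key rotation tracking"
      | optional,
  },

  SopsConfig = {
    # Creation rules define which Age key encrypts which files. Mandatory:
    # a config with no rules cannot encrypt anything.
    creation_rules
      | Array SopsRule
      | doc "Array of encryption rules, evaluated sequentially",

    # Decryption rules (optional, for post-rotation compatibility).
    # NOTE(review): in upstream SOPS, key_groups lives inside a creation rule and
    # carries a shamir_threshold; confirm this top-level, rule-shaped layout is
    # what the consumers of this schema expect.
    key_groups
      | Array (Array SopsRule)
      | doc "Array of key groups for backward compatibility with rotated keys"
      | optional,
  },

  SopsEnvironmentConfig = {
    # Dev environment configuration
    dev | SopsConfig | doc "Development environment SOPS rules" | optional,

    # Staging environment configuration
    staging | SopsConfig | doc "Staging environment SOPS rules" | optional,

    # Production environment configuration
    prod | SopsConfig | doc "Production environment SOPS rules" | optional,
  },
}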