
# Security Module - Unified secrets and encryption management
# Integrates SOPS, Age keys, and vault-service for GitOps-native secret management
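let sops = import "sops/main.ncl" in
{
  # SOPS encryption configuration (re-exported from sops/main.ncl)
  sops = sops,

  # Environments a deployment may target. Shared by `SecurityConfig`'s
  # documentation and by `validate` so the two cannot drift apart.
  environments | Array String = ["dev", "staging", "prod"],

  # Security configuration for a deployment
  SecurityConfig = {
    # Which encryption system to use. Only "sops" is wired up in this module
    # (see `get_sops_rules` / `generate_sops_file`); "sealed-secrets" is
    # reserved for a future integration and is rejected by `validate`.
    encryption_system
      | std.string
      | doc "Encryption system: 'sops' (supported) or 'sealed-secrets' (not yet supported)"
      = "sops",
    # Environment-specific SOPS configuration
    sops_config
      | sops.SopsEnvironmentConfig
      | doc "SOPS configuration per environment"
      | optional,
    # Environment: one of `environments` (dev, staging, prod)
    environment
      | std.string
      | doc "Deployment environment: one of dev, staging, prod"
      = "dev",
    # Age key version for tracking rotations; starts at 1 and is bumped on
    # every rotation so consumers can tell which key encrypted a file.
    age_key_version
      | std.number
      | doc "Age key version (tracks rotations); starts at 1"
      = 1,
    # Vault service configuration. Left absent when no vault-service is used:
    # a `= null` default would violate the std.string contract as soon as the
    # field is read, so the field is purely optional with no default.
    vault_service_url
      | std.string
      | doc "Vault-service endpoint URL"
      | optional,
    # Key rotation schedule (optional)
    key_rotation_interval_days
      | std.number
      | doc "Days between key rotations"
      | optional,
    # Audit logging configuration
    audit_logging
      | std.bool
      | doc "Enable audit logging for secret access"
      = true,
  },

  # Initialize security for an environment: a SecurityConfig-shaped record
  # carrying the module defaults for `environment`. The optional fields
  # (sops_config, vault_service_url, key_rotation_interval_days) are left
  # unset rather than defaulted.
  init = fun environment =>
    {
      encryption_system = "sops",
      environment = environment,
      age_key_version = 1,
      audit_logging = true,
    },

  # Helper to get SOPS rules for an environment
  get_sops_rules = fun environment =>
    sops.generate_sops_yaml environment,

  # Helper to generate .sops.yaml content for deployment
  generate_sops_file = fun environment age_public_key =>
    sops.generate_file environment age_public_key,

  # Validate security configuration: true only when the config uses the one
  # supported encryption system, targets a known environment, and carries a
  # positive key version. Membership is checked with std.array.elem because
  # Nickel has no `in` operator.
  validate = fun config =>
    config.encryption_system == "sops"
    && std.array.elem config.environment environments
    && config.age_key_version >= 1,
}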