provisioning/schemas/security/sops/defaults.ncl

# SOPS Configuration Defaults - Environment-specific encryption rules

let SopsRule = import "contracts.ncl" in

{
  # Development environment: Single Age key, encrypts all YAML files
  dev = {
    creation_rules = [
      {
        path_regex = "\.dev\.yaml$",
        age = "",  # Will be populated by vault-service
        encrypted_regex = "^(password|token|key|secret|api_key)$",
        key_version = 1,
      },
      {
        # Catchall for dev
        age = "",
        encrypted_regex = "^(password|token|key|secret|api_key)$",
        key_version = 1,
      },
    ],
  },

  # Staging environment: Single Age key, more restrictive encryption
  staging = {
    creation_rules = [
      {
        path_regex = "\.staging\.yaml$",
        age = "",
        encrypted_regex = "^(password|token|key|secret|api_key|database_url)$",
        key_version = 1,
      },
      {
        path_regex = "\.stg\.yaml$",
        age = "",
        encrypted_regex = "^(password|token|key|secret|api_key|database_url)$",
        key_version = 1,
      },
      {
        # Catchall for staging
        age = "",
        encrypted_regex = "^(password|token|key|secret|api_key|database_url)$",
        key_version = 1,
      },
    ],
  },

  # Production environment: Single Age key, strictest encryption
  prod = {
    creation_rules = [
      {
        path_regex = "\.prod\.yaml$",
        age = "",
        encrypted_regex = "^(password|token|key|secret|api_key|database_url|tls_cert|tls_key)$",
        key_version = 1,
      },
      {
        path_regex = "\.k\.prod\.yaml$",
        age = "",
        encrypted_regex = "^(password|token|key|secret|api_key|database_url|tls_cert|tls_key)$",
        key_version = 1,
      },
      {
        # Catchall for prod
        age = "",
        encrypted_regex = "^(password|token|key|secret|api_key|database_url|tls_cert|tls_key)$",
        key_version = 1,
      },
    ],
  },
}
docs: update README and CHANGELOG for nickel branch (2026-05-12) 2026-05-12 02:23:01 +01:00			`# SOPS Configuration Defaults - Environment-specific encryption rules`

			`let SopsRule = import "contracts.ncl" in`

			`{`
			`# Development environment: Single Age key, encrypts all YAML files`
			`dev = {`
			`creation_rules = [`
			`{`
			`path_regex = "\.dev\.yaml$",`
			`age = "", # Will be populated by vault-service`
			`encrypted_regex = "^(password\|token\|key\|secret\|api_key)$",`
			`key_version = 1,`
			`},`
			`{`
			`# Catchall for dev`
			`age = "",`
			`encrypted_regex = "^(password\|token\|key\|secret\|api_key)$",`
			`key_version = 1,`
			`},`
			`],`
			`},`

			`# Staging environment: Single Age key, more restrictive encryption`
			`staging = {`
			`creation_rules = [`
			`{`
			`path_regex = "\.staging\.yaml$",`
			`age = "",`
			`encrypted_regex = "^(password\|token\|key\|secret\|api_key\|database_url)$",`
			`key_version = 1,`
			`},`
			`{`
			`path_regex = "\.stg\.yaml$",`
			`age = "",`
			`encrypted_regex = "^(password\|token\|key\|secret\|api_key\|database_url)$",`
			`key_version = 1,`
			`},`
			`{`
			`# Catchall for staging`
			`age = "",`
			`encrypted_regex = "^(password\|token\|key\|secret\|api_key\|database_url)$",`
			`key_version = 1,`
			`},`
			`],`
			`},`

			`# Production environment: Single Age key, strictest encryption`
			`prod = {`
			`creation_rules = [`
			`{`
			`path_regex = "\.prod\.yaml$",`
			`age = "",`
			`encrypted_regex = "^(password\|token\|key\|secret\|api_key\|database_url\|tls_cert\|tls_key)$",`
			`key_version = 1,`
			`},`
			`{`
			`path_regex = "\.k\.prod\.yaml$",`
			`age = "",`
			`encrypted_regex = "^(password\|token\|key\|secret\|api_key\|database_url\|tls_cert\|tls_key)$",`
			`key_version = 1,`
			`},`
			`{`
			`# Catchall for prod`
			`age = "",`
			`encrypted_regex = "^(password\|token\|key\|secret\|api_key\|database_url\|tls_cert\|tls_key)$",`
			`key_version = 1,`
			`},`
			`],`
			`},`
			`}`