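# SOPS Configuration Defaults - Environment-specific encryption rules
#
# Each environment (`dev`, `staging`, `prod`) exposes a `creation_rules` list
# in the shape of a SOPS `.sops.yaml` `creation_rules` entry. SOPS uses the
# FIRST rule whose `path_regex` matches, so the catch-all rule (the one with no
# `path_regex`) must stay last in every list.
#
# `encrypted_regex` is anchored (`^...$`), so only a key whose whole name is one
# of the listed words is encrypted; a key such as `db_password` or `tls_key_pem`
# would stay in plaintext unless it is added to the pattern.
#
# Fix over the previous revision: the path patterns used `\.`, which is not a
# Nickel string escape (the literal dot must be written `\\.` so the regex
# receives `\.`). The per-environment key patterns are also bound once below
# instead of being repeated in every rule.
let SopsRule = import "contracts.ncl" in
# NOTE(review): `SopsRule` is imported but not applied to any record here;
# confirm against contracts.ncl whether it should annotate each creation rule.

# Key names treated as secrets in every environment.
let base_secret_keys = "^(password|token|key|secret|api_key)$" in
# Staging additionally encrypts connection strings.
let staging_secret_keys = "^(password|token|key|secret|api_key|database_url)$" in
# Production additionally encrypts TLS material.
let prod_secret_keys = "^(password|token|key|secret|api_key|database_url|tls_cert|tls_key)$" in

{
  # Development environment: Single Age key, encrypts all YAML files
  dev = {
    creation_rules = [
      {
        # Matches files ending in `.dev.yaml`.
        path_regex = "\\.dev\\.yaml$",
        age = "", # Will be populated by vault-service
        encrypted_regex = base_secret_keys,
        key_version = 1,
      },
      {
        # Catchall for dev: no path_regex, so it matches every remaining file
        age = "", # Will be populated by vault-service
        encrypted_regex = base_secret_keys,
        key_version = 1,
      },
    ],
  },

  # Staging environment: Single Age key, more restrictive encryption
  staging = {
    creation_rules = [
      {
        # Matches files ending in `.staging.yaml`.
        path_regex = "\\.staging\\.yaml$",
        age = "", # Will be populated by vault-service
        encrypted_regex = staging_secret_keys,
        key_version = 1,
      },
      {
        # Matches files ending in `.stg.yaml`.
        path_regex = "\\.stg\\.yaml$",
        age = "", # Will be populated by vault-service
        encrypted_regex = staging_secret_keys,
        key_version = 1,
      },
      {
        # Catchall for staging: no path_regex, so it matches every remaining file
        age = "", # Will be populated by vault-service
        encrypted_regex = staging_secret_keys,
        key_version = 1,
      },
    ],
  },

  # Production environment: Single Age key, strictest encryption
  prod = {
    creation_rules = [
      {
        # Matches files ending in `.prod.yaml`.
        path_regex = "\\.prod\\.yaml$",
        age = "", # Will be populated by vault-service
        encrypted_regex = prod_secret_keys,
        key_version = 1,
      },
      {
        # Matches files ending in `.k.prod.yaml`.
        path_regex = "\\.k\\.prod\\.yaml$",
        age = "", # Will be populated by vault-service
        encrypted_regex = prod_secret_keys,
        key_version = 1,
      },
      {
        # Catchall for prod: no path_regex, so it matches every remaining file
        age = "", # Will be populated by vault-service
        encrypted_regex = prod_secret_keys,
        key_version = 1,
      },
    ],
  },
}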