Padreug
7af3bce544
Wires sops-nix as a flake input and bakes the NixOS module into
configuration.nix via modules/secrets.nix. Per-host defaults live in
modules/secrets.nix:
- defaultSopsFile = ../secrets/${settings.hostName}.yaml
- defaultSopsFormat = yaml
- age.keyFile = /home/${settings.user}/.config/sops/age/keys.txt
The whole sops block is gated on `builtins.pathExists` so flake eval
succeeds before the encrypted file is created — important during the
scaffold-bootstrap phase where the consumer hasn't yet generated an
age key.
Adds .sops.yaml with a placeholder admin recipient (overwrite with
your real age public key before encrypting anything) and a
creation_rules block matching `secrets/*.yaml`.
.gitignore loosened so `secrets/*.yaml` and `secrets/README.md` can
be checked in while plaintext key material (`*.key`, `*.pem`) and
anything else under `secrets/` stays ignored. The pre-commit secret
scanner most consumers use is the second line of defense.
secrets/README.md documents the workflow at the directory level.
The substantive beginner walkthrough lands in a follow-up commit at
docs/secrets-management.md.
`nix flake check --no-build` stays green.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
23 lines
365 B
Text
23 lines
365 B
Text
# Sandboxed-claude runtime config (bootstrapped per launch — not for commit)
|
|
.claude/
|
|
|
|
# Nix build outputs
|
|
result
|
|
result-*
|
|
|
|
# direnv
|
|
.direnv/
|
|
|
|
# Editor scratch
|
|
*~
|
|
.#*
|
|
*.swp
|
|
*.swo
|
|
|
|
# Secrets — track only sops-encrypted .yaml files + the README;
|
|
# block plaintext keys and any other content under secrets/
|
|
*.key
|
|
*.pem
|
|
secrets/*
|
|
!secrets/*.yaml
|
|
!secrets/README.md
|