From 0788fde69dd514a9e891ac00d493eaea01b7d78a Mon Sep 17 00:00:00 2001
From: lilly
Date: Thu, 5 Mar 2026 20:23:36 +0100
Subject: [PATCH] only allow sops encryption of *.sops.* files
---
 .sops.yaml | 60 +++++++++++++++++++++++++++---------------------------
 1 file changed, 30 insertions(+), 30 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
index c659d62..fcb0b45 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -43,170 +43,170 @@ keys: creation_rules: ## group vars - - path_regex: inventories/chaosknoten/group_vars/all.* + - path_regex: "inventories/chaosknoten/group_vars/.+\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: *host_chaosknoten_age_keys - - path_regex: inventories/external/group_vars/all.* + - path_regex: "inventories/external/group_vars/.+\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: *host_external_age_keys - - path_regex: inventories/z9/group_vars/all.* + - path_regex: "inventories/z9/group_vars/.+\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys ## host vars # chaosknoten hosts - - path_regex: inventories/chaosknoten/host_vars/acmedns.* + - path_regex: "inventories/chaosknoten/host_vars/acmedns\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_acmedns_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/cloud.* + - path_regex: "inventories/chaosknoten/host_vars/cloud\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_cloud_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/keycloak.* + - path_regex: "inventories/chaosknoten/host_vars/keycloak\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_keycloak_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/grafana.* + - path_regex: "inventories/chaosknoten/host_vars/grafana\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_grafana_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/pad.* + - path_regex: "inventories/chaosknoten/host_vars/pad\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_pad_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/ccchoir.* + - path_regex: "inventories/chaosknoten/host_vars/ccchoir\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_ccchoir_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/pretalx.* + - path_regex: "inventories/chaosknoten/host_vars/pretalx\\.sops\\..+" key_groups: - pgp: 
*admin_gpg_keys age: - *host_pretalx_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/netbox.* + - path_regex: "inventories/chaosknoten/host_vars/netbox\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_netbox_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/tickets.* + - path_regex: "inventories/chaosknoten/host_vars/tickets\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_tickets_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/onlyoffice.* + - path_regex: "inventories/chaosknoten/host_vars/onlyoffice\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_onlyoffice_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/zammad.* + - path_regex: "inventories/chaosknoten/host_vars/zammad\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_zammad_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/ntfy.* + - path_regex: "inventories/chaosknoten/host_vars/ntfy\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_ntfy_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/eh22-wiki.* + - path_regex: "inventories/chaosknoten/host_vars/eh22-wiki\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_eh22_wiki_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/sunders.* + - path_regex: "inventories/chaosknoten/host_vars/sunders\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_sunders_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/wiki.* + - path_regex: "inventories/chaosknoten/host_vars/wiki\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_wiki_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/renovate.* + - path_regex: "inventories/chaosknoten/host_vars/renovate\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_renovate_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/lists.* + - 
path_regex: "inventories/chaosknoten/host_vars/lists\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_lists_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/mumble.* + - path_regex: "inventories/chaosknoten/host_vars/mumble\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_mumble_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/public-reverse-proxy.* + - path_regex: "inventories/chaosknoten/host_vars/public-reverse-proxy\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_public_reverse_proxy_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/spaceapiccc.* + - path_regex: "inventories/chaosknoten/host_vars/spaceapiccc\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_spaceapiccc_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/mjolnir.* + - path_regex: "inventories/chaosknoten/host_vars/mjolnir\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_mjolnir_ansible_pull_age_key # external hosts - - path_regex: inventories/external/host_vars/status.* + - path_regex: "inventories/external/host_vars/status\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_status_ansible_pull_age_key # z9 hosts - - path_regex: inventories/z9/host_vars/dooris.* + - path_regex: "inventories/z9/host_vars/dooris\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys - - path_regex: inventories/z9/host_vars/yate.* + - path_regex: "inventories/z9/host_vars/yate\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys # general - - key_groups: - - pgp: - *admin_gpg_keys + - path_regex: ".+\\.sops\\..+" + key_groups: + - pgp: *admin_gpg_keys stores: yaml:
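Review bot: The group_vars rules now match any `.sops.` file in the directory instead of only `all.*`, so a group-specific secrets file such as a hypothetical `webservers.sops.yaml` would be encrypted to `*host_chaosknoten_age_keys`, which by its name appears to hold every chaosknoten host's key, whereas before this change such a file fell through to the admin-only general rule. If that widening is not intended, keep the narrow form, `- path_regex: "inventories/chaosknoten/group_vars/all\\.sops\\..+"` (likewise for the external rule) and add explicit per-group rules where a subset of hosts needs access. The host_vars rules no longer match directory-style host vars (`host_vars/acmedns/*.sops.yaml`), so any such file would silently land on the admin-only catch-all and the host's ansible-pull age key could not decrypt it; worth confirming no such layout exists in the inventories. Since sops uses the first matching rule and none of the regexes is anchored, the general rule must stay last, as it does here; a comment such as `# must stay last: sops uses the first matching creation rule` on it would protect future edits. The anchors referenced by the aliases are defined above the hunk.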