From 99365d06b246992ec62f27c89f66e6046537a4a7 Mon Sep 17 00:00:00 2001
From: lilly
Date: Thu, 5 Mar 2026 20:23:36 +0100
Subject: [PATCH] only allow sops encryption of *.sops.* files
---
.sops.yaml | 57 +++++++++++++++++++++++++++---------------------------
1 file changed, 29 insertions(+), 28 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
index c659d62..fb3742b 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -43,168 +43,169 @@ keys:
creation_rules:
## group vars
- - path_regex: inventories/chaosknoten/group_vars/all.*
+ - path_regex: inventories/chaosknoten/group_vars/.+\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
age:
*host_chaosknoten_age_keys
- - path_regex: inventories/external/group_vars/all.*
+ - path_regex: inventories/external/group_vars/.+\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
age:
*host_external_age_keys
- - path_regex: inventories/z9/group_vars/all.*
+ - path_regex: inventories/z9/group_vars/.+\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
## host vars
# chaosknoten hosts
- - path_regex: inventories/chaosknoten/host_vars/acmedns.*
+ - path_regex: inventories/chaosknoten/host_vars/acmedns\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_acmedns_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/cloud.*
+ - path_regex: inventories/chaosknoten/host_vars/cloud\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_cloud_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/keycloak.*
+ - path_regex: inventories/chaosknoten/host_vars/keycloak\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_keycloak_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/grafana.*
+ - path_regex: inventories/chaosknoten/host_vars/grafana\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_grafana_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/pad.*
+ - path_regex: inventories/chaosknoten/host_vars/pad\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_pad_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/ccchoir.*
+ - path_regex: inventories/chaosknoten/host_vars/ccchoir\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_ccchoir_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/pretalx.*
+ - path_regex: inventories/chaosknoten/host_vars/pretalx\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_pretalx_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/netbox.*
+ - path_regex: inventories/chaosknoten/host_vars/netbox\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_netbox_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/tickets.*
+ - path_regex: inventories/chaosknoten/host_vars/tickets\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_tickets_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/onlyoffice.*
+ - path_regex: inventories/chaosknoten/host_vars/onlyoffice\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_onlyoffice_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/zammad.*
+ - path_regex: inventories/chaosknoten/host_vars/zammad\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_zammad_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/ntfy.*
+ - path_regex: inventories/chaosknoten/host_vars/ntfy\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_ntfy_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/eh22-wiki.*
+ - path_regex: inventories/chaosknoten/host_vars/eh22-wiki\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_eh22_wiki_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/sunders.*
+ - path_regex: inventories/chaosknoten/host_vars/sunders\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_sunders_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/wiki.*
+ - path_regex: inventories/chaosknoten/host_vars/wiki\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_wiki_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/renovate.*
+ - path_regex: inventories/chaosknoten/host_vars/renovate\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_renovate_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/lists.*
+ - path_regex: inventories/chaosknoten/host_vars/lists\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_lists_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/mumble.*
+ - path_regex: inventories/chaosknoten/host_vars/mumble\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_mumble_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/public-reverse-proxy.*
+ - path_regex: inventories/chaosknoten/host_vars/public-reverse-proxy\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_public_reverse_proxy_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/spaceapiccc.*
+ - path_regex: inventories/chaosknoten/host_vars/spaceapiccc\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_spaceapiccc_ansible_pull_age_key
- - path_regex: inventories/chaosknoten/host_vars/mjolnir.*
+ - path_regex: inventories/chaosknoten/host_vars/mjolnir\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_mjolnir_ansible_pull_age_key
# external hosts
- - path_regex: inventories/external/host_vars/status.*
+ - path_regex: inventories/external/host_vars/status\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_status_ansible_pull_age_key
# z9 hosts
- - path_regex: inventories/z9/host_vars/dooris.*
+ - path_regex: inventories/z9/host_vars/dooris\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
- - path_regex: inventories/z9/host_vars/yate.*
+ - path_regex: inventories/z9/host_vars/yate\\.sops\\..+
key_groups:
- pgp:
*admin_gpg_keys
# general
- - key_groups:
+ - path_regex: inventories/.*\\.sops\\..+
+ key_groups:
- pgp:
*admin_gpg_keys
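Review bot: Every new path_regex in this hunk (L16, L23, L30, L37 … L204) is written as an unquoted plain scalar containing `\\.sops\\..+`; YAML does not process backslash escapes in plain scalars, so the string handed to sops' regex engine contains two literal backslashes, and `\\.` then matches a literal backslash followed by any character rather than a literal dot. If the doubling is really in the file and not an artifact of how this patch was rendered, `inventories/chaosknoten/group_vars/all.sops.yaml` matches none of the rules — including the new catch-all on L204 — and sops will refuse to encrypt or update any of these files, so please verify against the committed bytes. The intended pattern is a single escape, e.g. `- path_regex: inventories/chaosknoten/group_vars/.+\.sops\..+` (or the same inside single quotes), applied to each added rule. Since sops uses the first matching rule, the general `inventories/.*\.sops\..+` rule only behaves as a fallback while it stays last; a comment above it such as `# fallback: first matching rule wins, keep this rule last` would make that ordering constraint explicit for the next editor. The hunk's trailing context appears truncated here, so the lines after `*admin_gpg_keys` were not reviewed.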