infra/.sops.yaml at 4e7ca1ad61a18509d054e3f449d989af651147d9 - viktor/infra - Forgejo: Beyond coding. We Forge.

viktor/infra

Viktor Barzin 4e7ca1ad61 state: add Vault Transit as primary SOPS backend, age as fallback

- .sops.yaml: add hc_vault_transit_uri for transit/keys/sops-state
- state-sync: try Vault Transit first, fall back to age key on disk
- Re-encrypted all 101 state files with both Vault Transit + age
- Normal workflow: vault login → decrypt via Transit (no key files)
- Bootstrap/DR: age key at ~/.config/sops/age/keys.txt

2026-03-17 22:56:33 +00:00

6 lines

289 B

YAML

Raw Blame History

 creation_rules:
   - path_regex: '\.tfstate(\.enc)?$'
     hc_vault_transit_uri: "https://vault.viktorbarzin.me/v1/transit/keys/sops-state"
     age: >-
       age1z64h9t3acsm2rr74pz7j4846kwj5tutx9sk78jqv46y8fln4vs2sy920ce,
       age1rekkad48r2wzhwqgfetw5yugu3ln3qlht4xg3txmx55tee8cveess60r90