From 0bb36511bf58877d0ff8e4dd3a3b1d031359365b Mon Sep 17 00:00:00 2001
From: Bill Ballou
Date: Mon, 5 Jan 2026 14:43:56 -0500
Subject: [PATCH] Switch to encrypted_regex approach (preserves comments)
---
 SKILL.md | 38 ++++++++++++++++++++++----------------
 1 file changed, 22 insertions(+), 16 deletions(-)
diff --git a/SKILL.md b/SKILL.md
index a800513..79cc902 100644
--- a/SKILL.md
+++ b/SKILL.md
@@ -158,33 +158,39 @@ Private keys stay at `~/.config/sops/age/keys.txt` (never committed).
 ```yaml
 creation_rules:
 - path_regex: env\.sops\.yaml$
-unencrypted_regex: "_unencrypted$"
+encrypted_regex: "^(DB_PASSWORD|API_KEY|SECRET_.*|.*_SECRET|.*_PASSWORD|.*_TOKEN)$"
 age: >-
 age1abc...,age1def...
 ```
 
-Get recipient keys from `~/repos/sops-age-keys/recipients/*.pub`.
+- `encrypted_regex` specifies which keys to encrypt (only secrets)
+- Get recipient keys from `~/repos/sops-age-keys/recipients/*.pub`
+- Comments and non-matching keys remain unencrypted
 
 ### env.sops.yaml Format
 
-Non-secret values use `_unencrypted` suffix (remain readable in git):
+Use normal variable names. Only keys matching `encrypted_regex` are encrypted:
 
 ```yaml
-# Non-secrets (readable in git)
-UID_unencrypted: "1000"
-GID_unencrypted: "1000"
-UPLOAD_LOCATION_unencrypted: "/mnt/user/pictures"
-DB_DATA_LOCATION_unencrypted: "/mnt/user/appdata/immich"
-APP_PORT_unencrypted: "2283"
-DB_HOSTNAME_unencrypted: "database"
-DB_USERNAME_unencrypted: "postgres"
-DB_DATABASE_NAME_unencrypted: "immich"
+# Permissions
+UID: "1000"
+GID: "1000"
 
-# Secrets (encrypted by SOPS)
-DB_PASSWORD: "actual_secret_value"
+# Paths
+UPLOAD_LOCATION: /mnt/user/pictures
+DB_DATA_LOCATION: /mnt/user/appdata/immich
+
+# Ports
+APP_PORT: "2283"
+
+# Database
+DB_HOSTNAME: database
+DB_USERNAME: postgres
+DB_DATABASE_NAME: immich
+DB_PASSWORD: secret_value_here
 ```
 
-After encryption, only `DB_PASSWORD` value is encrypted; `_unencrypted` values remain readable.
+After encryption, only `DB_PASSWORD` is encrypted; comments and other values remain readable.
 
 ### Makefile Targets
 
@@ -193,7 +199,7 @@ SOURCE ?= env.sops.yaml
 TARGET ?= .env
 
 decrypt:
- @sops decrypt --output-type dotenv $(SOURCE) | sed 's/_unencrypted=/=/g' > $(TARGET)
+ @sops decrypt --output-type dotenv --output $(TARGET) $(SOURCE)
  @echo "Decrypted $(SOURCE) -> $(TARGET)"
 
 encrypt:
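Review bot: The new `encrypted_regex` line inverts the failure mode of the rule it replaces: with `unencrypted_regex` every key was encrypted unless it carried the `_unencrypted` suffix, whereas now any key whose name misses the allow-list is committed to git in plaintext, and the pattern only names `API_KEY` literally, so keys such as `PRIVATE_KEY`, `SIGNING_KEY` or a connection string like `DATABASE_URL` would not be encrypted. The added `Use normal variable names.` sentence in the `### env.sops.yaml Format` section should say this, so the reader knows the pattern must be extended before a new secret is added; I would add after it: `Any key that does not match `encrypted_regex` is stored in plaintext, so extend the pattern before adding a new secret and inspect the committed file before pushing.` Broadening the pattern with `.*_KEY` (and, if connection strings are ever stored here, `.*_URL`) would reduce the chance of a miss. This is a documentation file, but the YAML block is the operative SOPS configuration the reader is told to copy.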
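Review bot: The `decrypt` recipe writes plaintext secrets to `$(TARGET)`, and neither the old shell redirect nor the new `--output $(TARGET)` flag visibly restricts the resulting file's mode, so the decrypted `.env` is created with whatever the tool or umask provides. A `@chmod 600 $(TARGET)` line after the sops call would keep the decrypted file readable only by the invoking user. Whether `.env` is listed in `.gitignore` is not visible in this hunk and is worth stating next to the Makefile snippet, since the file now contains every value, including `DB_PASSWORD`, in the clear.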