diff --git a/SKILL.md b/SKILL.md
index 79cc902..7ab01a0 100644
--- a/SKILL.md
+++ b/SKILL.md
@@ -157,12 +157,12 @@ Private keys stay at `~/.config/sops/age/keys.txt` (never committed).
 ```yaml
 creation_rules:
- - path_regex: env\.sops\.yaml$
- encrypted_regex: "^(DB_PASSWORD|API_KEY|SECRET_.*|.*_SECRET|.*_PASSWORD|.*_TOKEN)$"
- age: >- age1abc...,age1def...
+ - path_regex: ".*"
+ encrypted_regex: "^(.*PASSWORD.*|.*SECRET.*|.*KEY.*|.*PASS.*)$"
+ age: age1abc...
 ```
+- `path_regex: ".*"` matches any file to avoid "no matching creation rules" errors
 - `encrypted_regex` specifies which keys to encrypt (only secrets)
 - Get recipient keys from `~/repos/sops-age-keys/recipients/*.pub`
 - Comments and non-matching keys remain unencrypted
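Review bot: The new `encrypted_regex:` line drops the `_TOKEN` class that the removed rule covered, so a key such as `API_TOKEN` or `ACCESS_TOKEN` in the dotenv file would be committed in plaintext inside `env.sops.yaml`, and the bullet "Comments and non-matching keys remain unencrypted" means nothing would flag it. Consider `encrypted_regex: "^(.*PASSWORD.*|.*SECRET.*|.*KEY.*|.*PASS.*|.*TOKEN.*)$"` (the `.*PASS.*` alternative already subsumes `.*PASSWORD.*`, so that one could go). Replacing `path_regex: env\.sops\.yaml$` with `".*"` also removes the loud failure for a file this rule was never meant for; the new bullet should say that every file sops touches in the repo now falls under this rule. The example now lists one recipient where the old one listed two; if `age1def...` stood for a real host key rather than example noise, dropping it means that host can no longer decrypt.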
@@ -195,39 +195,48 @@ After encryption, only `DB_PASSWORD` is encrypted; comments and other values rem
 ### Makefile Targets
 ```makefile
-SOURCE ?= env.sops.yaml
-TARGET ?= .env
-
 decrypt:
- @sops decrypt --output-type dotenv --output $(TARGET) $(SOURCE)
- @echo "Decrypted $(SOURCE) -> $(TARGET)"
+ @sops decrypt --input-type dotenv --output-type dotenv --output .env env.sops.yaml
+ @echo "Decrypted env.sops.yaml -> .env"
 encrypt:
- @sops encrypt --input-type dotenv --output $(SOURCE) $(TARGET)
- @echo "Encrypted $(TARGET) -> $(SOURCE)"
+ @sops encrypt --input-type dotenv --output env.sops.yaml .env
+ @echo "Encrypted .env -> env.sops.yaml"
+
+edit:
+ @sops --input-type dotenv --output-type dotenv env.sops.yaml
 clean:
- @rm -f $(TARGET)
- @echo "Removed $(TARGET)"
+ @rm -f .env
+ @echo "Removed .env"
 ```
 ### Common SOPS Commands
 ```bash
-# Decrypt to .env (for Docker Compose)
-make decrypt SOURCE=environments//env.sops.yaml TARGET=environments//.env
+# Copy encrypted file from environment to project root
+cp environments//env.sops.yaml env.sops.yaml
+
+# Decrypt to .env for editing
+make decrypt
+
+# Edit the .env file
+nano .env
+
+# Re-encrypt after changes
+make encrypt
+
+# Copy back to environment
+cp env.sops.yaml environments//env.sops.yaml
+
+# Clean up
+make clean
 # Edit secrets directly (decrypts in editor, re-encrypts on save)
-sops environments//env.sops.yaml
-
-# Encrypt after editing .env
-make encrypt SOURCE=environments//env.sops.yaml TARGET=environments//.env
+make edit
 # Add new host to recipients (after adding to .sops.yaml)
-sops updatekeys environments//env.sops.yaml
-
-# Clean up decrypted file
-make clean TARGET=environments//.env
+sops updatekeys env.sops.yaml
 ```
 ### Starting Services with SOPS
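Review bot: The rewritten `decrypt` target and the new bash walkthrough write plaintext secrets to `.env` in the project root, and nothing in the hunk says that file must stay out of version control; the repository's ignore rules are not visible here, so a `git add .` after `make decrypt` and before `make clean` would commit the decrypted file. Add a line above `decrypt:` such as `# .env holds decrypted secrets until make clean runs; keep it in .gitignore`, and move the `make edit` step ahead of the decrypt/nano/encrypt sequence, since it never leaves a plaintext copy on disk. Re-running `make encrypt` from a plaintext `.env` also re-encrypts every value under a fresh data key, so the resulting `env.sops.yaml` diff no longer shows which key changed — another reason to present `make edit` as the primary path. For consistency with the `sops decrypt`/`sops encrypt` subcommand form used in the same block, the `edit` target could read `sops edit --input-type dotenv --output-type dotenv env.sops.yaml`.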
@@ -235,16 +244,16 @@ make clean TARGET=environments//.env
 ```bash
 cd /docker/config/
-# Decrypt secrets
-make decrypt SOURCE=environments//env.sops.yaml TARGET=environments//.env
+# Copy and decrypt secrets to project root
+cp environments//env.sops.yaml env.sops.yaml
+make decrypt
 # Start services
-docker compose --env-file environments//.env \
- -f docker-compose.yml \
+docker compose -f docker-compose.yml \
 -f environments//docker-compose.override..yml up -d
-# Clean up (optional, secrets stay decrypted for restarts)
-make clean TARGET=environments//.env
+# Clean up (optional)
+make clean && rm env.sops.yaml
 ```
 ### Migrating Existing Projects
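Review bot: The `docker compose` line on the new side no longer passes `--env-file`, so the stack picks up whatever `.env` happens to sit in `/docker/config/`; because `make decrypt` always writes that single path, decrypting one environment and then starting another (the `environments//` layout suggests there are several) would start the second stack with the first environment's secrets unless `make clean` ran in between. The removed comment explained why cleanup was optional ("secrets stay decrypted for restarts"), and the new `# Clean up (optional)` loses that reasoning along with the new hazard. Suggest `# Clean up (optional for restarts; required before decrypting a different environment — .env is shared)` and keeping `--env-file .env` on the compose line so the dependency on the decrypted file stays explicit.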