# Secret Management

This repo uses SOPS with age for secrets that must be stored in Git. The encrypted files can be committed, while the age private key stays on the Debian homelab server or in a deliberately scoped CI secret.

## First-Time Setup

Install the tools on the Debian host:

```bash
sudo apt-get update
sudo apt-get install -y --no-install-recommends age sops
```

Generate the local age identity:

```bash
mkdir -p ~/.config/sops/age
age-keygen -o ~/.config/sops/age/keys.txt
grep '^# public key:' ~/.config/sops/age/keys.txt
```

Copy `.sops.yaml.example` to `.sops.yaml`, replace the placeholder recipient with the printed public key, and commit `.sops.yaml`. The public recipient is not sensitive; the private identity in `~/.config/sops/age/keys.txt` is.

## File Naming

Use one of these suffixes for encrypted YAML:

```text
*.secret.yaml
*.enc.yaml
```

For Kubernetes `Secret` manifests, keep sensitive values under `stringData` or `data` so the example `encrypted_regex` encrypts the right fields without obscuring resource metadata needed by Argo CD and review diffs.

## Editing

Create or edit an encrypted file:

```bash
SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops apps/example/app.secret.yaml
```

Check the decrypted render locally without writing it to the repo:

```bash
SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d apps/example/app.secret.yaml
```

Decrypted scratch files are intentionally ignored by `.gitignore`; encrypted files are not.
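The naming rule and the `data`/`stringData` convention only protect the repo if every file carrying one of those suffixes is actually encrypted before it is committed. The script below is an added example, not part of this repo, of a guard that can run as a pre-commit hook or CI step. It needs only POSIX sh, awk and find, so it works on hosts without sops or age installed. It assumes (as `.sops.yaml.example` is taken to do; the file's contents are not shown here) that `encrypted_regex` is `^(data|stringData)$`, so a properly encrypted file has a top-level `sops:` block and every value under `data:`/`stringData:` is an `ENC[AES256_GCM,...]` token. The two sample manifests it writes are constructed for the demo; the ciphertext and recipient in them are placeholders, not real sops output.

```sh
#!/bin/sh
# Added example (not from this repo): refuse *.secret.yaml / *.enc.yaml files
# that were saved without SOPS encryption. Assumes encrypted_regex matches
# exactly the data and stringData keys (an assumption about .sops.yaml).
set -u

# check_secret_file FILE -> 0 if FILE looks SOPS-encrypted, 1 if it carries plaintext.
check_secret_file() {
    awk '
        # A non-indented line starts a new top-level key; note whether it is
        # one of the two fields whose values must be encrypted.
        /^[^ #]/ { in_secret = ($0 ~ /^(data|stringData):/) }
        # Every indented "key: value" line under data/stringData must be an ENC token.
        in_secret && /^[ ]+[^ #][^:]*:[ ]*[^ ]/ {
            sub(/^[ ]+[^:]*:[ ]*/, "")
            if ($0 !~ /^"?ENC\[AES256_GCM,/) plain++
        }
        /^sops:/ { has_sops = 1 }
        END { if (has_sops && !plain) exit 0; exit 1 }
    ' "$1"
}

# scan_tree DIR -> prints a verdict per candidate file, returns 1 if any is plaintext.
scan_tree() {
    find "$1" -type f \( -name '*.secret.yaml' -o -name '*.enc.yaml' \) | {
        bad=0
        while IFS= read -r f; do
            if check_secret_file "$f"; then
                printf 'ok        %s\n' "$f"
            else
                printf 'PLAINTEXT %s\n' "$f"
                bad=1
            fi
        done
        exit "$bad"   # exits only this pipeline subshell; becomes the function status
    }
}

# write_samples DIR writes two constructed manifests: one shaped like sops/age
# output (placeholder ciphertext, not real) and one saved without encrypting.
write_samples() {
    mkdir -p "$1/apps/example"
    cat > "$1/apps/example/app.secret.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
    name: app
    namespace: example
type: Opaque
stringData:
    DB_PASSWORD: ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
sops:
    age:
        - recipient: age1placeholderrecipientconstructedforthisexample
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            placeholder
            -----END AGE ENCRYPTED FILE-----
    encrypted_regex: ^(data|stringData)$
    mac: ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
EOF
    cat > "$1/apps/example/leaked.secret.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
    name: app
type: Opaque
stringData:
    DB_PASSWORD: plaintext-value-constructed-for-this-example
EOF
}

# Stand-alone demo on a throwaway tree; no git, sops or age required.
tmp=$(mktemp -d)
write_samples "$tmp"
if scan_tree "$tmp"; then
    echo "tree is clean"
else
    echo "plaintext secrets found; refuse the commit"
fi
rm -rf "$tmp"
```

Wire `scan_tree .` into `.git/hooks/pre-commit` or a CI job and fail the build on a non-zero status. The check is deliberately textual: it does not decrypt anything, so it can run in a pipeline that must never hold the age private key, and it still catches the common mistake of saving the `sops -d` output under an encrypted file name.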