creation_rules: - path_regex: .* # The below key_group and shamir_threshold configuration # allows any single author key to decrypt secrets, # but hosts and deploy runners *must* use both keys # to decrypt. This prevents a compromised host or # runner from leaking all secrets. shamir_threshold: 2 key_groups: - age: # Author keys; to be held by contributors to the repo - 'age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00' # joey@dungeon-master - age: # Author keys (again); hacky way to give author keys a weight of 2 shares - 'age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00' # joey@dungeon-master - age: # Deploy keys; to be held by the deploy environment (e.g. Gitea Actions) - 'age193t908fjxl8ekl77p5xqnpj4xmw3y0khvyzlrw22hdzjduk6l53q05spq3' # deploy@gitea.jafner.tools - age: # Host key; to be held by hosts to which Stacks should be deployed - 'age13prhyye2jy3ysa6ltnjgkrqtxrxgs0035d86jyn4ltgk3wxtqgrqgav855' # fighter - 'age1n20krynrj75jqfy2muvhrygvzd4ee8ngamljqavsrk033zwx0ses2tdtfe' # druid - 'age1m0jpnk4t7hph5tdva3y9ap7scl8vfly9ufazr0h3cuwpcytlsulqjrt58y' # wizard