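# ============================================================================
# Agenix Secret Recipients Configuration
# ============================================================================
# This file defines which age public keys can decrypt which secrets.
# Used by the ragenix CLI tool for encrypting/editing secrets.
#
# Only age PUBLIC keys ("age1...") belong in this file. Private identities
# (the key file written by age-keygen, SSH host private keys) must never be
# committed in plaintext.
#
# Usage:
#   ragenix -e secrets/global/example.age   # Edit/create secret
#   ragenix -r                              # Re-key all secrets
#
# Re-keying only changes who can decrypt the *current* ciphertext. When a
# recipient is removed, also rotate the secret values themselves: if this
# directory is under version control, older ciphertext in history remains
# decryptable with the removed key.
let
  # ========== System Public Keys (Age Format) ==========
  # Convert SSH host keys to age format:
  #   ssh-to-age < secrets/{hostname}/ssh_host_ed25519_key.pub
  # Example (replace with actual age keys):
  # nix-builder = "age1...";
  # usda-dash = "age1...";

  # ========== User Public Keys (for editing secrets) ==========
  # These are personal age keys for administrators who need to edit secrets.
  # Generate with: age-keygen
  # Paste only the public key here; keep the generated identity private.
  # Example:
  # admin1 = "age1...";
  # admin2 = "age1...";

  # ========== Host Groups ==========
  # Every key in allHosts can decrypt every secret whose rule uses allHosts.
  allHosts = [
    # Add all system keys here
    # nix-builder
    # usda-dash
  ];

  # Every key in admins can decrypt every secret whose rule includes admins
  # (all of the example rules below), so keep this list as short as possible.
  admins = [
    # Add all admin user keys here
    # admin1
    # admin2
  ];
in
{
  # Global secrets (encrypted for all hosts + admins)
  # "secrets/global/example.age".publicKeys = allHosts ++ admins;

  # Host-specific secrets (encrypted for specific host + admins)
  # NOTE(review): the host recipients above are derived (ssh-to-age) from the
  # same SSH host key that these files contain, so a host cannot decrypt its
  # own entry unless it already holds that key. In effect only the admin keys
  # can open these files (e.g. while provisioning a host). Confirm that is the
  # intent.
  # "secrets/nix-builder/ssh_host_ed25519_key.age".publicKeys = [ nix-builder ] ++ admins;
  # "secrets/usda-dash/ssh_host_ed25519_key.age".publicKeys = [ usda-dash ] ++ admins;

  # NOTE: Until you populate the keys above, you can create secrets with:
  #   age -r <AGE_PUBLIC_KEY> -o secrets/path/to/secret.age
  # <AGE_PUBLIC_KEY> is a placeholder for the recipient's "age1..." key; -r
  # requires it. With no input file, age reads the plaintext from stdin, so
  # type or pipe it in; a here-string (<<< "secret content") would leave the
  # secret in shell history.
  # NOTE(review): a secret created this way presumably still needs a
  # publicKeys rule in this file before ragenix can edit or re-key it; verify.
}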