Clarifications on sops

This commit is contained in:
2026-06-14 19:51:05 +02:00
parent 443b585010
commit 3ab326b597
5 changed files with 320 additions and 1 deletions

View File

@@ -49,7 +49,7 @@ hooks-test: ## Test that the pre-commit hook blocks plaintext secrets
@rm -rf sso-mfa/bootstrap/secrets/_hooktest
# ── SOPS / age ────────────────────────────────────────────────────────────────
sops-setup: ## Copy age key to SOPS default path (~/.config/sops/age/keys.txt)
sops-setup: ## Legacy dev-local setup: copy age key to SOPS default path
@mkdir -p ~/.config/sops/age
@if [[ -f ~/.config/age/key.txt ]]; then \
cp -n ~/.config/age/key.txt ~/.config/sops/age/keys.txt || true; \
@@ -81,6 +81,21 @@ sops-rotate: ## Rotate SOPS recipients after updating .sops.yaml: make sops-rota
sops --rotate --in-place $(FILE)
@echo "✔ Recipients rotated for $(FILE)"
sops-custody-check: ## Validate a custody age key against keys/age.pub without keeping it on disk
@bash sso-mfa/bootstrap/sops-custody-unlock.sh \
--expected-recipient "$(OPERATOR_AGE_PUBKEY)" \
--check-only
sops-custody-shell: ## Open a shell with a temporary SOPS_AGE_KEY_FILE from custody material
@bash sso-mfa/bootstrap/sops-custody-unlock.sh \
--expected-recipient "$(OPERATOR_AGE_PUBKEY)"
sops-custody-run: ## Run COMMAND with a temporary custody age key: make sops-custody-run COMMAND='make -C ../inter-hub recovery-drill'
@[[ -n "$(COMMAND)" ]] || (echo "Usage: make sops-custody-run COMMAND='make -C ../inter-hub recovery-drill'"; exit 1)
@COMMAND='$(COMMAND)' bash sso-mfa/bootstrap/sops-custody-unlock.sh \
--expected-recipient "$(OPERATOR_AGE_PUBKEY)" \
-- bash -lc "$$COMMAND"
check-secrets: ## Fail if any file under secrets/ is not SOPS-encrypted
@echo "Checking for unencrypted files under secrets/..."
@bad=0; \