generated from coulomb/repo-seed
Clarifications on sops
This commit is contained in:
17
Makefile
17
Makefile
@@ -49,7 +49,7 @@ hooks-test: ## Test that the pre-commit hook blocks plaintext secrets
|
||||
@rm -rf sso-mfa/bootstrap/secrets/_hooktest
|
||||
|
||||
# ── SOPS / age ────────────────────────────────────────────────────────────────
|
||||
sops-setup: ## Copy age key to SOPS default path (~/.config/sops/age/keys.txt)
|
||||
sops-setup: ## Legacy dev-local setup: copy age key to SOPS default path
|
||||
@mkdir -p ~/.config/sops/age
|
||||
@if [[ -f ~/.config/age/key.txt ]]; then \
|
||||
cp -n ~/.config/age/key.txt ~/.config/sops/age/keys.txt || true; \
|
||||
@@ -81,6 +81,21 @@ sops-rotate: ## Rotate SOPS recipients after updating .sops.yaml: make sops-rota
|
||||
sops --rotate --in-place $(FILE)
|
||||
@echo "✔ Recipients rotated for $(FILE)"
|
||||
|
||||
sops-custody-check: ## Validate a custody age key against keys/age.pub without keeping it on disk
|
||||
@bash sso-mfa/bootstrap/sops-custody-unlock.sh \
|
||||
--expected-recipient "$(OPERATOR_AGE_PUBKEY)" \
|
||||
--check-only
|
||||
|
||||
sops-custody-shell: ## Open a shell with a temporary SOPS_AGE_KEY_FILE from custody material
|
||||
@bash sso-mfa/bootstrap/sops-custody-unlock.sh \
|
||||
--expected-recipient "$(OPERATOR_AGE_PUBKEY)"
|
||||
|
||||
sops-custody-run: ## Run COMMAND with a temporary custody age key: make sops-custody-run COMMAND='make -C ../inter-hub recovery-drill'
|
||||
@[[ -n "$(COMMAND)" ]] || (echo "Usage: make sops-custody-run COMMAND='make -C ../inter-hub recovery-drill'"; exit 1)
|
||||
@COMMAND='$(COMMAND)' bash sso-mfa/bootstrap/sops-custody-unlock.sh \
|
||||
--expected-recipient "$(OPERATOR_AGE_PUBKEY)" \
|
||||
-- bash -lc "$$COMMAND"
|
||||
|
||||
check-secrets: ## Fail if any file under secrets/ is not SOPS-encrypted
|
||||
@echo "Checking for unencrypted files under secrets/..."
|
||||
@bad=0; \
|
||||
|
||||
Reference in New Issue
Block a user