nix-configs/sops.nix

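{
  sops,
  instanceConfigs,
  writeScriptBin,
  writeText,
  lib,
  ...
}:
let
  inherit (lib) mapAttrs filterAttrs toList flatten attrValues mapAttrsToList;

  # Administrator PGP fingerprints; these can decrypt every secret file.
  adminKeys = [
    "0D98D5964AC8BB1CA034CE4EC456133700066642" # xyno main gpg key
  ];

  # instance name -> list of that host's PGP fingerprint(s). `sopsKey` may be
  # given as a single string or a list; toList normalises both.
  keysPerHost = mapAttrs (_: v: toList v.sopsKey) (
    filterAttrs (_: v: v ? sopsKey) instanceConfigs
  );
  hostKeys = flatten (attrValues keysPerHost);

  # In a Nix double-quoted string "\." collapses to a bare ".", which in the
  # regex matches any character; "\\." produces the literal "\." sops needs
  # to match a dot in the file extension.
  secretFilePattern = "[^/]+\\.(yaml|json|env|ini)$";

  # One rule per instance: that instance's secrets are encrypted only to the
  # admins and to the host's own key(s).
  instanceRules = mapAttrsToList (name: keys: {
    path_regex = "instances/${name}/secrets/${secretFilePattern}";
    key_groups = [ { pgp = adminKeys ++ keys; } ];
  }) keysPerHost;

  # Shared secrets are encrypted to the admins and every host.
  sharedRule = {
    path_regex = "secrets/${secretFilePattern}";
    key_groups = [ { pgp = adminKeys ++ hostKeys; } ];
  };

  sopsCfg = {
    keys = adminKeys ++ hostKeys;
    # sops applies the first creation rule whose path_regex matches. The
    # shared rule is not anchored, so it also matches
    # "instances/<name>/secrets/x.yaml"; the per-instance rules therefore
    # go first, otherwise every instance secret would be encrypted to all
    # host keys.
    creation_rules = instanceRules ++ [ sharedRule ];
  };

  # JSON is valid YAML, so the generated file is usable as .sops.yaml as-is.
  sopsCfgFile = writeText ".sops.yaml" (builtins.toJSON sopsCfg);
in
sopsCfgFile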