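# Secrets configuration for agenix
#
# This file defines which public keys can decrypt each secret.
# Every key listed under a secret's `publicKeys` is a recipient: whoever holds
# the matching private key can decrypt that secret.
# Secrets are encrypted with `agenix -e <secret-name>.age`
#
# To set up:
# 1. Get your user's SSH public key: cat ~/.ssh/id_ed25519.pub
# 2. Get the host's SSH public key: ssh-keyscan localhost 2>/dev/null | grep ed25519
#    Run this on the target host itself (or read
#    /etc/ssh/ssh_host_ed25519_key.pub there). ssh-keyscan output is not
#    authenticated, so a key fetched over the network must be checked against
#    the host's real fingerprint before it is trusted as a recipient.
# 3. Add keys below and run: agenix -e <secret-name>.age
#
# Only *public* keys belong in this file; private keys must never be pasted here.
let
  # User SSH public keys (recipients that let you decrypt and edit secrets on
  # your machine with the matching private key)
  # Example: user = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... user@host";

  # Host SSH public keys (for decrypting on target machines)
  # Get with: ssh-keyscan <host> | grep ed25519
  # Example: host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...";

  # Define your keys here:
  # user = "ssh-ed25519 AAAAC3...";
  # host = "ssh-ed25519 AAAAC3...";

  # For testing/example, use an empty list (secrets won't be encryptable)
  # NOTE: `allKeys` grants every listed user and host access to every secret
  # that references it. Where a secret is needed on one machine only, give that
  # secret its own, shorter list (for example `[ user host ]`).
  allKeys = [
    # user
    # host
  ];
in
{
  # Example secrets - uncomment and add keys above to use:
  #
  # After changing a secret's key list, re-encrypt with `agenix -r` (rekey).
  # Removing a key does not revoke access to ciphertext that is already in
  # version-control history, so rotate the secret's value as well.

  # WiFi password for specific network
  # "wifi-home.age".publicKeys = allKeys;

  # API keys
  # "github-token.age".publicKeys = allKeys;
  # "openai-api-key.age".publicKeys = allKeys;

  # Application secrets
  # "syncthing-key.age".publicKeys = allKeys;
  # "mullvad-account.age".publicKeys = allKeys;
}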