From 72ef1ed2a398bbd40844a9ea907d6f11cf39ce32 Mon Sep 17 00:00:00 2001
From: "v.karaychentsev" <105486287+vk-aterise@users.noreply.github.com>
Date: Fri, 13 Feb 2026 09:12:31 +0300
Subject: [PATCH] update sops config. Decided to use an approach when encrypted file contains only secrets. This approach does not require to configure `encrypted_regex` stuff. .env files are going to be used for .env secrets for containers that can't read secrets from file. .yaml files are for secrets that can be converted into docker secrets (key - file name, value - file content) because it easy to extract such data usyn `yq` than trying to parse .env files.
---
 .sops.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
index fa2b892..68f975b 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,6 +1,9 @@
 creation_rules:
- - path_regex: '(^|[\\/]).*\.sops\.ya?ml$'
+ - path_regex: '(^|[\\/]).*secrets\.sops\.env$'
+ age:
+ - age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk # me
+ - age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73 # server
+ - path_regex: '(^|[\\/]).*secrets\.sops\.ya?ml$'
 age:
 - age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk # me
 - age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73 # server
- encrypted_regex: '^(DB_PASSWORD|API_KEY)$'
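Review bot: The two new creation rules repeat the same pair of age recipients, so a later key rotation has to be made in both places, and a missed one leaves either the `secrets.sops.env` or the `secrets.sops.yaml` files encrypted to a stale recipient set. Since the rules differ only in the extension, one rule would cover both: `- path_regex: '(^|[\\/]).*secrets\.sops\.(env|ya?ml)$'`. The leading `(^|[\\/]).*` constrains nothing because `.*` also matches path separators, so `secrets\.sops\.(env|ya?ml)$` is equivalent and easier to audit. Narrowing the old `\.sops\.ya?ml$` pattern also means any existing `*.sops.yaml` file whose name does not end in `secrets.sops.yaml` no longer matches a rule; if such files exist (not visible here) they should be renamed. Files created under the old rule presumably keep the `encrypted_regex` stored in their own metadata until they are re-encrypted.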