# SOPS-encrypted cluster secrets (noble)

Secrets that belong in git are stored here as **Mozilla SOPS** files encrypted with [age](https://github.com/FiloSottile/age). The matching **private** key lives in **`age-key.txt`** at the repository root (gitignored; create it with `age-keygen -o age-key.txt`, and add the new public key to **`.sops.yaml`** when you rotate keys).

**Migrating from an older cluster** that ran **Vault**, **Sealed Secrets**, or **External Secrets Operator**: uninstall those Helm releases (`helm uninstall vault -n vault`, etc.), delete their namespaces if they are empty, export any secrets you still need into plain **`Secret`** YAML here, and encrypt them with **`sops`** before committing.

## Prerequisites

- [sops](https://github.com/getsops/sops) and **age** on the machine that encrypts or applies secrets.

## Edit or create a Secret

```bash
export SOPS_AGE_KEY_FILE=/absolute/path/to/home-server/age-key.txt

# Create a new file from a template, then encrypt:
sops clusters/noble/secrets/example.secret.yaml

# Or edit an existing encrypted file (opens decrypted in $EDITOR):
sops clusters/noble/secrets/newt-pangolin-auth.secret.yaml
```

## Apply to the cluster

```bash
export KUBECONFIG=/absolute/path/to/home-server/talos/kubeconfig
export SOPS_AGE_KEY_FILE=/absolute/path/to/home-server/age-key.txt

sops -d clusters/noble/secrets/newt-pangolin-auth.secret.yaml | kubectl apply -f -
```

**Ansible** (`noble.yml`) runs the same decrypt-and-apply step for every `*.yaml` in this directory when **`age-key.txt`** exists and **`noble_apply_sops_secrets`** is true (see `ansible/group_vars/all.yml`).

## Files

| File | Purpose |
|------|---------|
| `newt-pangolin-auth.secret.yaml` | Pangolin tunnel credentials for [Newt](../../bootstrap/newt/README.md) (`PANGOLIN_ENDPOINT`, `NEWT_ID`, `NEWT_SECRET`). Replace the placeholders and re-encrypt before relying on them. |
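Because the Ansible playbook applies every `*.yaml` in this directory and git keeps every committed revision, a manifest that was saved without running it through `sops` would land both in history and on the cluster. The script below is an added example and is not part of this repository: a pre-commit style check that refuses a Secret file unless it carries a top-level `sops:` block with an age recipient and every value under `data:`/`stringData:` is a SOPS `ENC[AES256_GCM,...]` envelope. The file name `check-sops-encrypted.sh` and the assumption that only the `data:`/`stringData:` values are the encrypted fields (as a `.sops.yaml` `encrypted_regex` rule for Kubernetes Secrets typically arranges) are this example's own; it inspects the file text only and never needs `age-key.txt`.

```shell
#!/usr/bin/env bash
# check-sops-encrypted.sh (hypothetical name, added example): fail if any given
# Secret manifest is not SOPS-encrypted. Usage:
#   check-sops-encrypted.sh clusters/noble/secrets/*.secret.yaml
set -u

# Returns 0 when $1 looks SOPS-encrypted: a top-level "sops:" metadata block with
# an age recipient, and every "key: value" under data:/stringData: wrapped in
# ENC[AES256_GCM,data:...,iv:...,tag:...,type:...]. Findings go to stderr.
check_sops_encrypted() {
  local file="$1"
  if ! grep -q '^sops:' "$file"; then
    echo "$file: missing top-level sops: metadata block" >&2
    return 1
  fi
  if ! grep -Eq '^[[:space:]]+-[[:space:]]+recipient:[[:space:]]+age1' "$file"; then
    echo "$file: no age recipient listed in sops metadata" >&2
    return 1
  fi
  # Walk the document: any unindented key starts a new top-level section; only
  # lines inside data:/stringData: are required to carry an ENC[...] value.
  awk -v file="$file" '
    BEGIN { bad = 0 }
    /^[^ \t#]/ { in_data = ($0 ~ /^(data|stringData):/); next }
    in_data && match($0, /^[ \t]+[^:#][^:]*:[ \t]+/) {
      key = substr($0, 1, RLENGTH)
      sub(/^[ \t]+/, "", key); sub(/:[ \t]+$/, "", key)
      val = substr($0, RLENGTH + 1)
      if (val !~ /^ENC\[AES256_GCM,data:[^,]+,iv:[^,]+,tag:[^,]+,type:[a-z]+\]$/) {
        printf "%s: value of %s is not SOPS-encrypted\n", file, key > "/dev/stderr"
        bad = 1
      }
    }
    END { exit bad }
  ' "$file"
}

# When invoked with file arguments, check each one and exit non-zero on any failure.
if [ "$#" -gt 0 ]; then
  status=0
  for f in "$@"; do
    if check_sops_encrypted "$f"; then echo "$f: ok"; else status=1; fi
  done
  exit "$status"
fi
```

Wire it in as `.git/hooks/pre-commit` (or a CI step) over `git diff --cached --name-only -- clusters/noble/secrets/` so a decrypted file left behind by an interrupted `sops` edit cannot be committed. The check is deliberately conservative: a block scalar or any other non-`ENC[...]` value under `data:`/`stringData:` is treated as plaintext.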