Runbook: SOPS secrets (git-encrypted)

Symptoms: sops -d fails; kubectl apply after Ansible shows no secret; noble.yml skips apply.

Checklist

  1. Private key: age-key.txt at the repository root (gitignored). Create with age-keygen -o age-key.txt and add the public key to .sops.yaml (see clusters/noble/secrets/README.md).
  2. Environment: export SOPS_AGE_KEY_FILE=/absolute/path/to/home-server/age-key.txt when editing or applying by hand.
  3. Edit encrypted file: sops clusters/noble/secrets/<name>.secret.yaml
  4. Apply one file: sops -d clusters/noble/secrets/<name>.secret.yaml | kubectl apply -f -
  5. Ansible: noble_apply_sops_secrets is true by default; the platform role applies all *.yaml when age-key.txt exists.
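
A preflight for the checklist above, as an added example that is not part of the runbook or the repository. It checks items 1 and 2 and that every *.secret.yaml under clusters/noble/secrets/ carries SOPS metadata, without decrypting anything. The function names and messages are assumptions of this sketch; the paths are the runbook's.

```bash
#!/usr/bin/env bash
# Added example: function names and messages are hypothetical, paths follow the runbook.

# Public key that age-keygen records in the "# public key:" comment of the key file.
age_public_key() {
  sed -n 's/^# public key: \(age1[0-9a-z]*\)$/\1/p' "$1" | head -n 1
}

# A SOPS-encrypted YAML file has a top-level "sops:" metadata block and ENC[...]
# values; a file lacking either is treated as plaintext here.
is_sops_encrypted() {
  grep -q '^sops:' "$1" && grep -q 'ENC\[AES256_GCM,' "$1"
}

# Usage: sops_preflight <repo-root>; returns the number of failed checks.
sops_preflight() {
  local root="$1" key="$1/age-key.txt" fails=0 pub f
  if [ ! -f "$key" ]; then
    echo "FAIL: $key missing (the platform role only applies when it exists)"
    fails=$((fails+1))
  else
    pub=$(age_public_key "$key")
    if [ -z "$pub" ] || ! grep -qF "$pub" "$root/.sops.yaml" 2>/dev/null; then
      echo "FAIL: public key of age-key.txt is not listed in .sops.yaml"
      fails=$((fails+1))
    fi
  fi
  case "${SOPS_AGE_KEY_FILE:-}" in
    /*) [ -f "$SOPS_AGE_KEY_FILE" ] || {
          echo "FAIL: SOPS_AGE_KEY_FILE points at no file"; fails=$((fails+1)); } ;;
    *)  echo "FAIL: SOPS_AGE_KEY_FILE is unset or not an absolute path"
        fails=$((fails+1)) ;;
  esac
  for f in "$root"/clusters/noble/secrets/*.secret.yaml; do
    [ -e "$f" ] || continue   # glob matched nothing
    is_sops_encrypted "$f" || {
      echo "FAIL: $f is not SOPS-encrypted"; fails=$((fails+1)); }
  done
  return "$fails"
}
```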

References: clusters/noble/secrets/README.md, Mozilla SOPS.