get going with sops agian, not that hard, just need to set up my keys properly...

.sops.yml

@@ -1,7 +1,6 @@
 keys:
-  - &primary age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
   - home:
-    - &chris age
+    - &chris age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x
   - system:
     - &aule age
     - &mandos age
@@ -10,46 +9,44 @@ keys:
     - &orome age
     - &tulkas age
     - &varda age
-    - &yavanna age
+    - &yavanna age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x
 
 creation_rules:
-  - path_regex: secrets/secrets.ya?ml$
-    key_groups:
-      - age:
-          - *primary
-
   #===================================================================
   # HOSTS
   #===================================================================
-  - path_regex: systems/x64_86-linux/aule/secrets.yaml$
+  - path_regex: systems/x86_64-linux/aule/secrets.yaml$
     age: *aule
 
-  - path_regex: systems/x64_86-linux/mandos/secrets.yaml$
+  - path_regex: systems/x86_64-linux/mandos/secrets.yaml$
     age: *mandos
 
-  - path_regex: systems/x64_86-linux/manwe/secrets.yaml$
-    age: *manwe
+  - path_regex: systems/x86_64-linux/manwe/secrets.yaml$
+    key_groups:
+      - age: 
+        - *manwe
+        - *yavanna
 
-  - path_regex: systems/x64_86-linux/melkor/secrets.yaml$
+  - path_regex: systems/x86_64-linux/melkor/secrets.yaml$
     age: *melkor
 
-  - path_regex: systems/x64_86-linux/orome/secrets.yaml$
+  - path_regex: systems/x86_64-linux/orome/secrets.yaml$
     age: *orome
 
-  - path_regex: systems/x64_86-linux/tulkas/secrets.yaml$
+  - path_regex: systems/x86_64-linux/tulkas/secrets.yaml$
     age: *tulkas
 
-  - path_regex: systems/x64_86-linux/varda/secrets.yaml$
+  - path_regex: systems/x86_64-linux/varda/secrets.yaml$
     age: *varda
 
-  - path_regex: systems/x64_86-linux/yavanna/secrets.yaml$
+  - path_regex: systems/x86_64-linux/yavanna/secrets.yaml$
     age: *yavanna
 
   #===================================================================
   # USERS
   #===================================================================
-  - path_regex: homes/x64_86-linux/chris@\w+/secrets.ya?ml$
-    age: chris
+  - path_regex: homes/x86_64-linux/chris@\w+/secrets.yaml$
+    age: *chris
           
           
           

homes/x86_64-linux/chris@manwe/secrets.yaml

@@ -0,0 +1,21 @@
+user_level_secrets: ENC[AES256_GCM,data:TNT+via+r4bpgROz,iv:cVO6/r4Aovr5uJFhU87mE5XwRJ518y4OJdHo4m92ahM=,tag:jYInD+euh7k1zSnMRppI5Q==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTYVRQTEVSMWM3WXY3eTdW
+            ZkUwSnNidlJwWGVETURpNUJRRUllYXo4WjNvCmxmN21qVzNFV3N4UVR6WEV1am1W
+            eW1KTk9HVDluek1BUnBmSGI3Y2ZqaDQKLS0tIHlMYldYMTVORVNWbEgrWlBSanRM
+            bUZiMHlOU3pxYUhQSTREb0l4TmFlOEkKiasV2H481aJzAvEAvyeWqGYDOW+WKRFX
+            yyocZDo0o1lHz/gNXoC0/ujU+O3rSXdsy6Qdz6Rm+xeFUfe4KoD4bg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-08-11T13:21:38Z"
+    mac: ENC[AES256_GCM,data:kfMcZuYuQqxxfqtyfH7DltSkq8YNz+vroB+ZQKTIpCNC/W6vJP1o23/xLRzdnEgnnH5GfgZQFAK8Am00/bUD2BgEPyXxXNf1lG70ocFbRM9htii92BFfHgfi25zlEqCO7yrudm1HEJyYrFbZnT63H6u1OgWSC38CzEZTBsCE0kU=,iv:feWGBau48s2GSvZjnKPfP2z46SBuHbh//4zzcLv+MTY=,tag:D86akwawLxobhEu2AvBFKg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

justfile

@@ -18,4 +18,7 @@ install profile host:
 
 [doc('builds the configuration for the host')]
 build host:
-    nh os build . -H {{host}}
+    nh os build . -H {{host}}
+
+edit-secrets target:
+    sops --config "{{justfile_directory()}}/.sops.yml" edit "{{justfile_directory()}}/{{ if target =~ ".+@.+" { "homes" } else { "systems" } }}/x86_64-linux/{{target}}/secrets.yaml"

systems/x86_64-linux/manwe/secrets.yaml

@@ -1,30 +1,31 @@
-#ENC[AES256_GCM,data:jozDiJTPaF427kVL4MDV8VOVhft52sOS9YIfj0n8WUJmQzVoiNY=,iv:8kyaDw0l82KZfYKkfKDj0wvcIkY6zas5e8puubEr1mA=,tag:LvuVGvU195BihU8TbPN1xg==,type:comment]
-example_key: ENC[AES256_GCM,data:9jefDfjJLP8Ha135Lg==,iv:9SUpjO1t65gA3LiwYN6nMj7icwInxTCQz7JsNEfQ2XA=,tag:Y8BBSLwUQem8wSXAlvnEXg==,type:str]
-#ENC[AES256_GCM,data:IU1T4k/+44s8qFnjnreDMihjQRmMd5qSTtfA/ung5/1f1JmBXGP7EwYJBFF9BSBkBqBfv24A9Ok=,iv:tHzL3pW/qsNdWGT3c+ni0uTlkBMWOu/SsraymCuAkqs=,tag:nWZgWdPNiKQ0j/t9Z/5l5g==,type:comment]
-#ENC[AES256_GCM,data:BhUTbsJB5voz4m1w8u1Y/MI8kR5lpRW8RpZO65IyGg232uNSoBLXB2QSl1GseyTC8bZHPiCF2gnttPD+76kqVlfzhhDu4EKU,iv:Ic8ZpR2QBBGhF2++S/TR/DRutkTghpMiby+yvNy0CSE=,tag:Z1JEtowycGDNWuznlkId8A==,type:comment]
-example:
-    my_subdir:
-        my_secret: ENC[AES256_GCM,data:hccfc6uU4tGT,iv:HYjmo9kAVCcXSpDKWGku3vaJVvZHzYB3l079xXw5OEQ=,tag:c2b8BSqlL1LTcDf1nSPfVA==,type:str]
+zitadel:
+    masterKey: ENC[AES256_GCM,data:iSeZOloWLrdP8S+ac7ubIcv9TF3Sm8Ni,iv:8v3/ratFQ5vq2rbZOUMKfPhVTA9uQY2eFQU4IR8s3VU=,tag:9y90aDQ2PfFT//X2i2YvvA==,type:str]
 sops:
     kms: []
     gcp_kms: []
     azure_kv: []
     hc_vault: []
     age:
-      - recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
-        enc: |
-          -----BEGIN AGE ENCRYPTED FILE-----
-          YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeHZXWkZ2andYSytmYWpR
-          ckttNVJZaWxDK2ZwME1iY2wrWFNwR0hzWUNFCjVSaWpmTHkzdHpPNjhueTQ5ZUEz
-          YW1BcnIwU1hsb2lodk1QcHJvTUdrVVUKLS0tIFNpWlBqb2pOWDVLV0FvU1FUODJB
-          dTg0QXZuSkJXV3ZRSUlKcktDNElia28KKZ62gTVpeiz1CfK7awURrPZ7zAYx9vfR
-          Ajxk0cw1gleE6EU2iIlLOWtmyZbcNk1X32a+otXijlH8fDGtoxA97Q==
-          -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-09T11:37:49Z"
-    mac: ENC[AES256_GCM,data:ZEqJc6slPb3YMR9kn/jFImjkQQIT3KyUK3qE3JMty+IAAr9GT8r+rHOwku4TOwL6YzON6L5vkUQFFKnOz9GiJuGkStc6AbML4SfOlRDsaFU4kwO+27UvDBYRqi6iHtJ2pu/uD4wELVhdbElxHvFlCjtgqBWaWmlXw3ATjkiZnik=,iv:zJNM/TqNfBO/mr8ZK/I/FfXwknyn9YpJ0eo4EpHSJvQ=,tag:G4FLx/Hwknq5hYEb8SWQLg==,type:str]
+        - recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4R0UyWmx5L3hCbGhQVXI0
+            NmpkMThPVlgrRHZZMnFrNTAwbzVTY1F6NEVVCjJaRHdhbHV6R1RJM2JIQzc3dkNu
+            a01FYlM3b1dXbmxGN2tWU3FMdXMveG8KLS0tIG1SSjNXdXZNN2ZyQ2UyZ0pIZXJJ
+            NmpMS2oySFE1S1RER3J1RGl4MlRQK00Ks+PcxcHmygYz+a+d0ZrzrdUpTQ50NYkA
+            aDFbtRtukn9e7i3bGUyD4nisSvs4YjfoQxR/pC8hs4k3f5V2jwDh2w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwaTN4clFoWDNwU2lpaHBn
+            M2pVeU5oM0JRNmp6NEJjQ3BHeWlzeSs3bTI0CnBocngvbzZQUXBsMG9Oc2J6dlBT
+            MjdtaFdmOHg5ZmZmSkViWGJFYThQYXcKLS0tIFRNd2JiVlFTREtDMTdzR2V0SlVo
+            Q0d5ZDVDM05LdFp4UnB4dFRPUm5vU0UKR/MAONEWaT6XXyPB1IrSIKqW5PZNIbuB
+            n7QX3DJIzlajtmq+82/wPFPTBkLvSSjV5FKL5ErMwTDndcIn+NlOhQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-08-11T13:11:00Z"
+    mac: ENC[AES256_GCM,data:P34YsR/Rvc3q4Os5n9hxonJLCXwifMRnKOCM59h5MRMT/aqjl+QlBX+oUADsqDSrhUscQb3N/UlpFeOT6qg+FmJbT/mYMH6v1xK16VD0M7VWydXpmjDu5If+O89lgDHsiEOGDgeR04jkiaY0yzT9U8l9CND5fMvF3I9o5Z1SZQk=,iv:NgUD8gB2bQa5vh0nb0Ngqp5dn0yqskHudWo8xoVjM4Q=,tag:5oTcnailDCHeMvMLz63e1w==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.4
-
-zitadel:
-  masterKey: thisWillBeAnEncryptedValueInTheFuture