docs: overhaul SOPS documentation for better structure and readability

2026-05-20 18:54:45 +02:00 · 2026-05-20 18:54:45 +02:00 · 411200884b
commit 411200884b
parent 292c626629
6 changed files with 107 additions and 35 deletions
--- a/docs/guides/sops-storing-secrets.md
+++ b/docs/guides/sops-storing-secrets.md
@ -0,0 +1,29 @@
+---
+title: "SOPS: Storing Secrets"
+summary: How to Store Secrets Using SOPS
+---
+
+# SOPS: Storing Secrets
+
+Some guidance on how to store secrets using [SOPS](../concepts-and-configurations/sops.md). For a guide on how to setup SOPS for a new host, see [SOPS: New Host](./sops-new-host.md).
+
+1. For storing host-specific secrets, open the host-specific SOPS file:
+   ```
+   sops inventories/<chaosknoten/z9/...>/host_vars/<hostname>.sops.yaml
+   ```
+   For inventory-wide secrets, open the inventories `all` group SOPS file:
+   ```
+   sops inventories/<chaosknoten/z9/...>/group_vars/all.sops.yaml
+   ```
+2. Now the secrets can be added to the opened file. Because we're using the `community.sops.sops` vars plugin, the stored secrets will then be exposed as Ansible variables.  
+   Note that SOPS only encrypts the values, not the keys.  
+   When creating entries, try to adhere to the following variable naming conventions:
+    - Prefix variable names with `secret__`, if they are intended to be used in a template file or similar, e.g.:
+      ```yaml
+      secret__netbox_secret_key: secret_value
+      ```
+    - Otherwise, if the variable is directly consumed by a role or similar, directly set the variable, e.g.:
+      ```yaml
+      netbox__db_password: secret_value
+      ```
+3. After closing the editor, the secrets are stored. In Ansible they are exposed as variables and can simply be used like any other variable.