Explain need to re-encrypt after adding a host
All checks were successful
/ Ansible Lint (push) Successful in 2m7s

This commit is contained in:
Stefan Bethke 2026-01-27 09:47:01 +01:00
commit 4f0c4bb276
2 changed files with 6 additions and 4 deletions

View file

@ -29,6 +29,7 @@ As the first step, we need to make the host known to Ansible.
1. In `.sops.yaml`, add an entry for the host. Follow the other entries there.
1. `keys.hosts.chaosknoten.age` needs an age public key (must be generated; the private key gets added later in the host-specific YAML)
2. `creation_rules` needs an entry for the host, referencing the age key.
3. Re-encrypt existing files with the new key (manly `group_var/all.sops.yaml`): `find inventories -name "*.sops.*" | xargs sops updatekeys --yes`
2. In `inventories/chaosknoten/hosts.yaml`:
1. Configure basic connection info:
```yaml
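Review bot: the new step 3 has a typo ("manly" should read "mainly"), and the pipeline would be safer as `find inventories -name "*.sops.*" -print0 | xargs -0 -n1 sops updatekeys --yes`: `-print0`/`-0` keeps paths with spaces intact and `-n1` runs one file per invocation, which works on every sops release that has `updatekeys`. One sentence on why the step is needed would help the reader: sops wraps a file's data key for the recipients present at write time, so adding the host to `creation_rules` in step 2 does nothing for files that already exist, and the host cannot decrypt any of them until `updatekeys` has re-wrapped their data keys against the matching rule. Consider dropping `--yes` for the first run so the operator sees the recipient change before it is written.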
@ -47,7 +48,7 @@ As the first step, we need to make the host known to Ansible.
- `docker_compose_hosts`
- `nginx_hosts`
- `certbot_hosts`.
3. In the directorry `inventories/chaosknoten/host_var/`:
3. In the directory `inventories/chaosknoten/host_var/`:
1. A file `inventories/chaosknoten/host_var/example.yaml` with the host/service specific configuration.
2. A file `inventories/chaosknoten/host_var/example.sops.yaml` with the encrypted secrets for the host/service. Run `sops inventories/chaosknoten/host_var/example.yaml` to edit/create that file. Entries here should generally be prefixed with `secret__` to make it easier to see where that variable is coming from in templates etc.
* Add an entry `ansible_pull__age_private_key` with the age private key you generated above.
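Review bot: once the nested list is rendered it is unclear whether the new bullet "Add an entry `ansible_pull__age_private_key`" belongs to item 1 (the plaintext `example.yaml`) or item 2 (the encrypted `example.sops.yaml`); say explicitly that the private key goes only into `example.sops.yaml`, since in the plaintext host_vars file it would be committed in clear. While here, the edit command in item 2 opens `example.yaml` rather than `example.sops.yaml`; with the `.sops.` name the file is matched by the creation rule in `.sops.yaml` and by the `find -name "*.sops.*"` re-encryption step, whereas `example.yaml` is matched by neither. The directory is also spelled `host_var/` in this file and `host_vars` in the other; the second is the Ansible convention, so the two documents should agree.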

View file

@ -10,20 +10,21 @@ Because we're using the `community.sops.sops` vars plugin, the SOPS-encrypted se
2. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`.
It should probably hold all admin keys plus the host entry.
You can use existing creation rules as a reference.
3. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory.
3. Re-encrypt existing files with the new key (manly `group_var/all.sops.yaml`): `find inventories -name "*.sops.*" | xargs sops updatekeys --yes`
4. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory.
The name of the file should be in the format `[HOSTNAME].sops.yaml` to get picked up by the vars plugin and to match the previously created creation rule.
This can be accomplished with a command similar to this:
```
sops inventories/[chaosknoten|z9]/host_vars/[HOSTNAME].secrets.yaml
```
4. With the editor now open, add the secrets you want to store.
5. With the editor now open, add the secrets you want to store.
Because we're using the `community.sops.sops` vars plugin, the stored secrets will be exposed as Ansible variables.
Also note that SOPS only encrypts the values, not the keys.
When now creating entries, try to adhere to the following variable naming convention:
- Make sure to put the prive age key in here under `ansible_pull__age_private_key`.
- Prefix variable names with `secret__`, if they are intended to be used in a template file or similar. (e.g. `secret__netbox_secret_key: secret_value`)
- Otherwise, if the variable is directly consumed by a role or similar, directly set the variable. (e.g. `netbox__db_password: secret_value`)
5. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable.
6. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable.
## GPG Keys
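Review bot: the renumbered steps now contradict each other on the file name: step 4 says `[HOSTNAME].sops.yaml`, the example command creates `[HOSTNAME].secrets.yaml`, and the re-encryption step's `find -name "*.sops.*"` would silently skip a `.secrets.yaml` file, so the example should read `sops inventories/[chaosknoten|z9]/host_vars/[HOSTNAME].sops.yaml`. Typos in the new and renumbered lines: "manly" for "mainly" (step 3) and "prive" for "private" (first bullet of step 5). Step 3's path `group_var/all.sops.yaml` uses the singular while this file uses `host_vars`; pick one spelling across both documents. Finally, the bullet about `ansible_pull__age_private_key` would be clearer if it tied back to step 3: that key is the one the host will use to decrypt the files `updatekeys` just re-encrypted, so the two steps depend on each other.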