Explain need to re-encrypt after adding a host
All checks were successful
/ Ansible Lint (push) Successful in 2m7s

This commit is contained in:
Stefan Bethke 2026-01-27 09:47:01 +01:00
commit 4f0c4bb276
2 changed files with 6 additions and 4 deletions


@ -29,6 +29,7 @@ As the first step, we need to make the host known to Ansible.
1. In `.sops.yaml`, add an entry for the host. Follow the other entries there.
1. `keys.hosts.chaosknoten.age` needs an age public key (must be generated; the private key gets added later in the host-specific YAML)
2. `creation_rules` needs an entry for the host, referencing the age key.
3. Re-encrypt existing files with the new key (manly `group_var/all.sops.yaml`): `find inventories -name "*.sops.*" | xargs sops updatekeys --yes`
2. In `inventories/chaosknoten/hosts.yaml`:
1. Configure basic connection info:
```yaml
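Review bot: the new step 3 in this hunk omits the precondition that makes `sops updatekeys` work: the person running it must already be able to decrypt each file with one of its existing recipients (their own age key), and `updatekeys` takes the new recipient set from the `creation_rules` entry in `.sops.yaml` that matches the file path, so step 2 must be correct before step 3 is run or the new host key is silently not added. Please say so in the step. Two smaller points on the same line: `manly` should read `mainly`, and `group_var/all.sops.yaml` is the only path in this document written without the `inventories/...` prefix (and the conventional Ansible directory is `group_vars`; check which one the repo actually has). Lastly, `find inventories -name "*.sops.*" | xargs sops updatekeys --yes` breaks on paths containing whitespace; `find inventories -name "*.sops.*" -print0 | xargs -0 sops updatekeys --yes` or an `-exec` form is safer.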
@ -47,7 +48,7 @@ As the first step, we need to make the host known to Ansible.
- `docker_compose_hosts`
- `nginx_hosts`
- `certbot_hosts`.
3. In the directorry `inventories/chaosknoten/host_var/`:
3. In the directory `inventories/chaosknoten/host_var/`:
1. A file `inventories/chaosknoten/host_var/example.yaml` with the host/service specific configuration.
2. A file `inventories/chaosknoten/host_var/example.sops.yaml` with the encrypted secrets for the host/service. Run `sops inventories/chaosknoten/host_var/example.yaml` to edit/create that file. Entries here should generally be prefixed with `secret__` to make it easier to see where that variable is coming from in templates etc.
* Add an entry `ansible_pull__age_private_key` with the age private key you generated above.
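Review bot: the `directorry` fix is fine, but the unchanged context two lines below carries a second error worth correcting in the same commit: `sops inventories/chaosknoten/host_var/example.yaml` names the plaintext host configuration, while the file being created is `example.sops.yaml`. As written, the command either opens the unencrypted config in sops or creates a file that the `*.sops.*` pattern used for re-encryption in step 1.3 never matches. Suggest `sops inventories/chaosknoten/host_var/example.sops.yaml`. Also, the same paragraph recommends a `secret__` prefix for entries in that file, yet the one entry it then tells the reader to add is `ansible_pull__age_private_key`; state that role-namespaced variables are the exception, otherwise the convention reads as contradictory.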