docs: move information on secrets and sops into docs

2026-05-20 22:54:32 +02:00 · 2026-05-20 22:54:32 +02:00 · 51cd583dff
commit 51cd583dff
parent 74fb99ec8f
4 changed files with 40 additions and 37 deletions
--- a/README.md
+++ b/README.md
@ -17,25 +17,6 @@ ansible-galaxy install -r requirements.yml
 ansible-galaxy role install -r requirements.yml
 ```

-## Secrets
-
-Generally try to avoid secrets (e.g. use SSH keys instead of passwords).
-
-Because secrets are nonetheless needed sometimes, we use [SOPS](https://github.com/getsops/sops) to securely store secrets in this repository.  
-SOPS encrypts secrets according to "creation rules" which are defined in the `.sops.yaml`.
-Generally all secrets get encrypted for all GPG-keys of all members of the infrastructure team.  
-Ansible then has access to the secrets with the help of the [`community.sops.sops` vars plugin](https://docs.ansible.com/ansible/latest/collections/community/sops/docsite/guide.html#working-with-encrypted-variables), which is configured in this repository.
-A local Ansible run then uses the locally available GPG-key to decrypt the secrets.
-
-For a tutorial on how to set up SOPS for a new host, see [SOPS: New Host](./docs/guides/sops-new-host.md).
-
-### Updating SOPS files after swapping out a GPG key
-
-When a GPG key expires, it is necessary to update the config in `.sops.yaml` and then re-encrypt all files with the updated list of keys. Run this command. The will take a considerable amount of time (minutes).
-```
-find inventories -name "*.sops.*" | xargs sops updatekeys --yes
-```
-
 ## Playbook nur für einzelne Hosts ausführen

 Ein paar der Hosts haben den selben Namen, was es etwas schwieriger macht, das Playbook nur für einen der Hosts auszuführen, z. B. `public-reverse-proxy`. Die Kombination aus `--inventory` und `--limit` führt zum Erfolg: