docs: move information on secrets and sops into docs
Some checks failed
Ansible Lint (push): successful in 2m20s
build (push): failing after 2m40s

June 2026-05-20 22:54:32 +02:00
commit 51cd583dff
Signed by: june
SSH key fingerprint: SHA256:o9EAq4Y9N9K0pBQeBTqhSDrND5E7oB+60ZNx0U1yPe0
4 changed files with 40 additions and 37 deletions


@ -0,0 +1,27 @@
---
title: Secrets
---
# Secrets
Generally one should try to avoid secrets (e.g. using SSH keys instead of passwords).
However, since one still needs to work with secrets, we use [SOPS](https://github.com/getsops/sops) to securely store them in our repository. The [`community.sops.sops` vars plugin](https://docs.ansible.com/ansible/latest/collections/community/sops/docsite/guide.html#working-with-encrypted-variables) is then used to access them in Ansible.
All secrets are stored in the inventories in files ending with `.sops.yaml` to provide the secrets contents as variables for hosts and groups.
Accompanying creation rules are defined in the [`.sops.yaml`](https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/branch/main/.sops.yaml).
When running Ansible locally, then your GPG key is used for accessing the secrets.
Hosts on the other hand, when running Ansible against themselves using ansible-pull, use a configured [age](https://github.com/FiloSottile/age) key to be able to access the secrets relevant to them.
## GPG Keys
The secrets in this repository are encrypted against the GPG public keys of all Infra-Team members as defined in [infra-secrets](https://git.hamburg.ccc.de/CCCHH/infra-secrets).
In order to edit encrypted files, you need all the GPG public keys imported into your GPG Keychain. You should be able to find the necessary public keys in the [infra-secrets repo](https://git.hamburg.ccc.de/CCCHH/infra-secrets) as well.
## Guides
See the following pages for guidance on how to use SOPS:
- [SOPS: New Host](../guides/sops-new-host.md)
- [SOPS: Storing Secrets](../guides/sops-storing-secrets.md)
- [SOPS: GPG-Key Replacement](../guides/sops-gpg-key-replacement.md)
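Review bot: the key-management description leaves a gap between the human and the host path: the "GPG Keys" paragraph says secrets are encrypted against the GPG keys of all Infra-Team members, and the ansible-pull sentence says hosts decrypt "the secrets relevant to them" with an age key, but nothing says how a host's age recipient gets into the creation rules in `.sops.yaml` or that it should only be a recipient for that host's own `.sops.yaml` file, not for group-wide ones. One sentence next to the creation-rules line would close it, e.g. "Each host's age public key is listed as an additional recipient only in the creation rule matching that host's own secrets file." Two smaller points: in "When running Ansible locally, then your GPG key is used" drop the "then"; and the guide link `../guides/sops-gpg-key-replacement.md` is new compared to the page being removed, so with the build check failing on this push it is worth confirming that target exists.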


@ -1,18 +0,0 @@
---
title: SOPS
---
# SOPS
We're using [SOPS](https://github.com/getsops/sops) for secret management together with the `community.sops.sops` vars plugin for Ansible.
## GPG Keys
In order to edit encrypted files, you need all the GPG public keys imported into your GPG Keychain. You should be able to find the necessary public keys in [infra-secrets](https://git.hamburg.ccc.de/CCCHH/infra-secrets).
## Guides
See the following pages for guidance on how to use SOPS:
- [SOPS: New Host](../guides/sops-new-host.md)
- [SOPS: Storing Secrets](../guides/sops-storing-secrets.md)
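Review bot: the deletion itself loses nothing, both the GPG-keys paragraph and both guide links reappear in the new Secrets page, but the page title changes from "SOPS" to "Secrets" and the file goes away, so any inbound links, sidebar or index entries pointing at the old SOPS page need updating in the same change; with the build check failing on this push, that is worth verifying before merge.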