From 66e2e354b18fbed747204c919a1f15c091438204 Mon Sep 17 00:00:00 2001 From: June <june@jsts.xyz> Date: Sun, 4 May 2025 00:11:43 +0200 Subject: [PATCH] document how to set up secrets using SOPS for a new host --- README.md | 2 ++ ...etting_up_secrets_using_sops_for_a_new_host.md | 15 +++++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 docs/setting_up_secrets_using_sops_for_a_new_host.md diff --git a/README.md b/README.md index f97683d..2ffd636 100644 --- a/README.md +++ b/README.md @@ -24,6 +24,8 @@ SOPS verschlüsselt hier die Secrets nach den "creation rules", welche in der `s Grundsätzlich werden hier alle Secrets für alle GPG-Keys aller Mitglieder des Infra-Teams verschlüsselt. Das eigentliche Laden der Secrets durch Ansible geschieht mit Hilfe des `community.sops.sops` lookup Plugins, welches entsprechend den lokalen GPG-Key benutzt, um die Secrets zu entschlüsseln. +For a tutorial on how to set up secrets using SOPS for a new host, see [Setting Up Secrets Using SOPS for a New Host](./docs/setting_up_secrets_using_sops_for_a_new_host.md). + ## Playbook nur für einzelne Hosts ausführen Ein paar der Hosts haben den selben Namen, was es etwas schwieriger macht, das Playbook nur für einen der Hosts auszuführen, z. B. `public-reverse-proxy`. Die Kombination aus `--inventory` und `--limit` führt zum Erfolg: diff --git a/docs/setting_up_secrets_using_sops_for_a_new_host.md b/docs/setting_up_secrets_using_sops_for_a_new_host.md new file mode 100644 index 0000000..e612d09 --- /dev/null +++ b/docs/setting_up_secrets_using_sops_for_a_new_host.md 
@@ -0,0 +1,15 @@ +# Setting Up Secrets Using SOPS for a New Host + +1. Add a new creation rule for the hosts resources directory. + It should probably hold all admin keys. + You can use existing creation rules as a reference. +2. Create a file containing the relevant secrets in the hosts resources directory. + This can be accomplished with a command similar to this: + ``` + sops resources/[chaosknoten|z9]/HOSTNAME/secrets.yaml + ``` +3. In the following an example on how to then use the `community.sops.sops` lookup plugin to use a secret for a host. + In this particular instance the lookup plugin gets used to set the `nextcloud__postgres_password` variable in an inventories `host_vars` file to the secret value of the `DB_PASSWORD` YAML key: + ```yaml + nextcloud__postgres_password: "{{ lookup('community.sops.sops', 'resources/chaosknoten/cloud/secrets.yaml', extract='[\"DB_PASSWORD\"]') }}" + ```
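Review bot: The README hunk inserts an English sentence ("For a tutorial on how to set up secrets using SOPS for a new host, see ...") into a section that is otherwise written in German, so the paragraph now switches language mid-section. Either write the pointer in German to match the surrounding text, or keep the English sentence and note that the linked document is in English; whichever you pick, keep README and docs consistent.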
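Review bot: In the new docs file, step 1 does not say where the creation rule goes or that its path pattern must match the file created in step 2; if the rule's `path_regex` does not match `resources/[chaosknoten|z9]/HOSTNAME/secrets.yaml` (run from the repository root), `sops` will refuse to create the file, so the order and the path dependency should be stated explicitly rather than left to "use existing creation rules as a reference". "It should probably hold all admin keys" is also vague for a how-to; the README already states that secrets are encrypted for the GPG keys of all infra-team members, so say that directly. Minor wording: "hosts resources directory" should be "host's resources directory", "an inventories `host_vars` file" should be "an inventory's `host_vars` file", and "In the following an example on how to" should read "The following is an example of how to". The first code fence has no language tag while the second uses `yaml`; tag the first one `shell` for consistency.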