diff --git a/docs/create-new-web-service-vm.md b/docs/create-new-web-service-vm.md index b44a6e5..bf7d65b 100644 --- a/docs/create-new-web-service-vm.md +++ b/docs/create-new-web-service-vm.md @@ -14,6 +14,7 @@ Let's assume that you want to add a new web service `example.hamburg.ccc.de` whi 1. Create a new VM, for example by cloning the Debian template 9023. Give it the name `example`. 2. Edit the ethernet interface to be connected to `vmbr0`, VLAN tag `2`. + Good $genders also enable the proxmox firewall. 3. Configure the IPv6 address in the Cloud-Init section. Leave IPv4 set to DHCP. 4. Make sure the VM is started at boot (options). 5. Adjust any other VM parameters as needed. @@ -54,6 +55,10 @@ As the first step, we need to make the host known to Ansible. 2. A file `inventories/chaosknoten/host_var/example.sops.yaml` with the encrypted secrets for the host/service. Run `sops inventories/chaosknoten/host_var/example.yaml` to edit/create that file. Entries here should generally be prefixed with `secret__` to make it easier to see where that variable is coming from in templates etc. * Add an entry `ansible_pull__age_private_key` with the age private key you generated above. +## Ansible-Pull Configuration + +Since you added your host to the `ansible_pull_hosts`, you also need to follow [Setting Up Secrets Using SOPS for a New Host](/docs/setting_up_secrets_using_sops_for_a_new_host.md) before continuing. + ## Service-specific config From here, we go into the details of the web service that you want to configure. For a typical web service with Docker Compose, you will likely want to configure the following. diff --git a/docs/setting_up_secrets_using_sops_for_a_new_host.md b/docs/setting_up_secrets_using_sops_for_a_new_host.md index aaed515..a0e8935 100644 --- a/docs/setting_up_secrets_using_sops_for_a_new_host.md +++ b/docs/setting_up_secrets_using_sops_for_a_new_host.md @@ -6,16 +6,18 @@ Because we're using the `community.sops.sops` vars plugin, the SOPS-encrypted se ``` age-keygen ``` - Then add an entry to `keys.hosts.chaosknoten.age` + Then add the public key part under `keys.hosts.chaosknoten.age` in [.sops.yaml](../.sops.yaml). 2. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`. - It should probably hold all admin keys plus the host entry. + It should probably hold all admin keys plus the host entry you just added. You can use existing creation rules as a reference. -3. Re-encrypt existing files with the new key (manly `group_var/all.sops.yaml`): `find inventories -name "*.sops.*" | xargs sops updatekeys --yes` +3. Re-encrypt existing files with the new key (manly `group_var/all.sops.yaml`): `find inventories -name "*.sops.*" | xargs sops updatekeys --yes`. + + If GPG yells at you, follow the instructions in our [password-store](https://git.hamburg.ccc.de/CCCHH/password-store). 4. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory. The name of the file should be in the format `[HOSTNAME].sops.yaml` to get picked up by the vars plugin and to match the previously created creation rule. This can be accomplished with a command similar to this: ``` - sops inventories/[chaosknoten|z9]/host_vars/[HOSTNAME].secrets.yaml + sops inventories/[chaosknoten|z9]/host_vars/[HOSTNAME].sops.yaml ``` 5. With the editor now open, add the secrets you want to store. Because we're using the `community.sops.sops` vars plugin, the stored secrets will be exposed as Ansible variables.