clarify some docs

This commit is contained in:
lilly 2026-04-29 21:13:46 +02:00
commit 69fcd2691e
Signed by: lilly
SSH key fingerprint: SHA256:y9T5GFw2A20WVklhetIxG1+kcg/Ce0shnQmbu1LQ37g
2 changed files with 11 additions and 4 deletions

@ -14,6 +14,7 @@ Let's assume that you want to add a new web service `example.hamburg.ccc.de` whi
1. Create a new VM, for example by cloning the Debian template 9023. 1. Create a new VM, for example by cloning the Debian template 9023.
Give it the name `example`. Give it the name `example`.
2. Edit the ethernet interface to be connected to `vmbr0`, VLAN tag `2`. 2. Edit the ethernet interface to be connected to `vmbr0`, VLAN tag `2`.
Good $genders also enable the proxmox firewall.
3. Configure the IPv6 address in the Cloud-Init section. Leave IPv4 set to DHCP. 3. Configure the IPv6 address in the Cloud-Init section. Leave IPv4 set to DHCP.
4. Make sure the VM is started at boot (options). 4. Make sure the VM is started at boot (options).
5. Adjust any other VM parameters as needed. 5. Adjust any other VM parameters as needed.
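Review bot: The added line `Good $genders also enable the proxmox firewall.` under step 2 leaves the actual action unspecified; since this is the only place the procedure mentions the firewall, state it as a concrete sub-step (what to enable, and which rules the web service needs at minimum, otherwise the IPv6 address configured in step 3 may end up unreachable), or drop the sentence. Something like `Also enable the Proxmox firewall for this VM and add rules for the ports the service exposes` would be clearer than the current wording.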
@ -54,6 +55,10 @@ As the first step, we need to make the host known to Ansible.
2. A file `inventories/chaosknoten/host_var/example.sops.yaml` with the encrypted secrets for the host/service. Run `sops inventories/chaosknoten/host_var/example.yaml` to edit/create that file. Entries here should generally be prefixed with `secret__` to make it easier to see where that variable is coming from in templates etc. 2. A file `inventories/chaosknoten/host_var/example.sops.yaml` with the encrypted secrets for the host/service. Run `sops inventories/chaosknoten/host_var/example.yaml` to edit/create that file. Entries here should generally be prefixed with `secret__` to make it easier to see where that variable is coming from in templates etc.
* Add an entry `ansible_pull__age_private_key` with the age private key you generated above. * Add an entry `ansible_pull__age_private_key` with the age private key you generated above.
## Ansible-Pull Configuration
Since you added your host to the `ansible_pull_hosts`, you also need to follow [Setting Up Secrets Using SOPS for a New Host](/docs/setting_up_secrets_using_sops_for_a_new_host.md) before continuing.
## Service-specific config ## Service-specific config
From here, we go into the details of the web service that you want to configure. For a typical web service with Docker Compose, you will likely want to configure the following. From here, we go into the details of the web service that you want to configure. For a typical web service with Docker Compose, you will likely want to configure the following.
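Review bot: The edit command in step 2, `sops inventories/chaosknoten/host_var/example.yaml`, does not match the file named in the same sentence (`example.sops.yaml`), and the directory `host_var` differs from the `host_vars` spelling used in the SOPS document this hunk links to; the other document states the file must be named `[HOSTNAME].sops.yaml` to be picked up by the vars plugin and to match the creation rule, so a reader following this command literally ends up with a file that is not loaded. Suggest `sops inventories/chaosknoten/host_vars/example.sops.yaml`. Also, the new `## Ansible-Pull Configuration` section says to follow the SOPS document "before continuing", but the `ansible_pull__age_private_key` bullet two lines above already assumes the key was "generated above", so the pointer belongs before step 2 (or step 2 should link the document directly); a blank line before `## Service-specific config` would also keep the two headings from running together.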

@ -6,16 +6,18 @@ Because we're using the `community.sops.sops` vars plugin, the SOPS-encrypted se
``` ```
age-keygen age-keygen
``` ```
Then add an entry to `keys.hosts.chaosknoten.age` Then add the public key part under `keys.hosts.chaosknoten.age` in [.sops.yaml](../.sops.yaml).
2. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`. 2. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`.
It should probably hold all admin keys plus the host entry. It should probably hold all admin keys plus the host entry you just added.
You can use existing creation rules as a reference. You can use existing creation rules as a reference.
3. Re-encrypt existing files with the new key (manly `group_var/all.sops.yaml`): `find inventories -name "*.sops.*" | xargs sops updatekeys --yes` 3. Re-encrypt existing files with the new key (manly `group_var/all.sops.yaml`): `find inventories -name "*.sops.*" | xargs sops updatekeys --yes`.
If GPG yells at you, follow the instructions in our [password-store](https://git.hamburg.ccc.de/CCCHH/password-store).
4. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory. 4. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory.
The name of the file should be in the format `[HOSTNAME].sops.yaml` to get picked up by the vars plugin and to match the previously created creation rule. The name of the file should be in the format `[HOSTNAME].sops.yaml` to get picked up by the vars plugin and to match the previously created creation rule.
This can be accomplished with a command similar to this: This can be accomplished with a command similar to this:
``` ```
sops inventories/[chaosknoten|z9]/host_vars/[HOSTNAME].secrets.yaml sops inventories/[chaosknoten|z9]/host_vars/[HOSTNAME].sops.yaml
``` ```
5. With the editor now open, add the secrets you want to store. 5. With the editor now open, add the secrets you want to store.
Because we're using the `community.sops.sops` vars plugin, the stored secrets will be exposed as Ansible variables. Because we're using the `community.sops.sops` vars plugin, the stored secrets will be exposed as Ansible variables.