CCCHH/ansible-infra
CCCHH/ansible-infra
2
2
Fork 2
Code Issues 7 Pull requests 4 Wiki Activity Actions

Explain how to add age key for ansible pull
Some checks failed
/ Ansible Lint (push) Failing after 44s
Details

Browse source
This commit is contained in:
Stefan Bethke 2026-01-25 12:12:30 +01:00
commit b492472179
1 changed files with 15 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

20
docs/setting_up_secrets_using_sops_for_a_new_host.md
View file

@ -2,19 +2,29 @@
Because we're using the `community.sops.sops` vars plugin, the SOPS-encrypted secrets get stored in the inventory.
1. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`.
It should probably hold all admin keys.
1. Create a new age key for Ansible pull on the host.
```
age-keygen
```
Then add an entry to `keys.hosts.chaosknoten.age`
2. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`.
It should probably hold all admin keys plus the host entry.
You can use existing creation rules as a reference.
2. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory.
3. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory.
The name of the file should be in the format `[HOSTNAME].sops.yaml` to get picked up by the vars plugin and to match the previously created creation rule.
This can be accomplished with a command similar to this:
```
sops inventories/[chaosknoten|z9]/host_vars/[HOSTNAME].secrets.yaml
```
3. With the editor now open, add the secrets you want to store.
4. With the editor now open, add the secrets you want to store.
Because we're using the `community.sops.sops` vars plugin, the stored secrets will be exposed as Ansible variables.
Also note that SOPS only encrypts the values, not the keys.
When now creating entries, try to adhere to the following variable naming convention:
- Make sure to put the prive age key in here under `ansible_pull__age_private_key`.
- Prefix variable names with `secret__`, if they are intended to be used in a template file or similar. (e.g. `secret__netbox_secret_key: secret_value`)
- Otherwise, if the variable is directly consumed by a role or similar, directly set the variable. (e.g. `netbox__db_password: secret_value`)
4. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable.
5. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable.
## GPG Keys
In order to edit encrypted files, you need all the GPG public keys imported into your GPG Keychain. You should be able to find the necessary public keys in https://git.hamburg.ccc.de/CCCHH/password-store.