Explain how to add age key for ansible pull
Some checks failed
/ Ansible Lint (push) Failing after 44s
Some checks failed
/ Ansible Lint (push) Failing after 44s
This commit is contained in:
parent
ddaa069204
commit
b492472179
1 changed files with 15 additions and 5 deletions
|
|
@ -2,19 +2,29 @@
|
||||||
|
|
||||||
Because we're using the `community.sops.sops` vars plugin, the SOPS-encrypted secrets get stored in the inventory.
|
Because we're using the `community.sops.sops` vars plugin, the SOPS-encrypted secrets get stored in the inventory.
|
||||||
|
|
||||||
1. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`.
|
1. Create a new age key for Ansible pull on the host.
|
||||||
It should probably hold all admin keys.
|
```
|
||||||
|
age-keygen
|
||||||
|
```
|
||||||
|
Then add an entry to `keys.hosts.chaosknoten.age`
|
||||||
|
2. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`.
|
||||||
|
It should probably hold all admin keys plus the host entry.
|
||||||
You can use existing creation rules as a reference.
|
You can use existing creation rules as a reference.
|
||||||
2. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory.
|
3. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory.
|
||||||
The name of the file should be in the format `[HOSTNAME].sops.yaml` to get picked up by the vars plugin and to match the previously created creation rule.
|
The name of the file should be in the format `[HOSTNAME].sops.yaml` to get picked up by the vars plugin and to match the previously created creation rule.
|
||||||
This can be accomplished with a command similar to this:
|
This can be accomplished with a command similar to this:
|
||||||
```
|
```
|
||||||
sops inventories/[chaosknoten|z9]/host_vars/[HOSTNAME].secrets.yaml
|
sops inventories/[chaosknoten|z9]/host_vars/[HOSTNAME].secrets.yaml
|
||||||
```
|
```
|
||||||
3. With the editor now open, add the secrets you want to store.
|
4. With the editor now open, add the secrets you want to store.
|
||||||
Because we're using the `community.sops.sops` vars plugin, the stored secrets will be exposed as Ansible variables.
|
Because we're using the `community.sops.sops` vars plugin, the stored secrets will be exposed as Ansible variables.
|
||||||
Also note that SOPS only encrypts the values, not the keys.
|
Also note that SOPS only encrypts the values, not the keys.
|
||||||
When now creating entries, try to adhere to the following variable naming convention:
|
When now creating entries, try to adhere to the following variable naming convention:
|
||||||
|
- Make sure to put the prive age key in here under `ansible_pull__age_private_key`.
|
||||||
- Prefix variable names with `secret__`, if they are intended to be used in a template file or similar. (e.g. `secret__netbox_secret_key: secret_value`)
|
- Prefix variable names with `secret__`, if they are intended to be used in a template file or similar. (e.g. `secret__netbox_secret_key: secret_value`)
|
||||||
- Otherwise, if the variable is directly consumed by a role or similar, directly set the variable. (e.g. `netbox__db_password: secret_value`)
|
- Otherwise, if the variable is directly consumed by a role or similar, directly set the variable. (e.g. `netbox__db_password: secret_value`)
|
||||||
4. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable.
|
5. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable.
|
||||||
|
|
||||||
|
## GPG Keys
|
||||||
|
|
||||||
|
In order to edit encrypted files, you need all the GPG public keys imported into your GPG Keychain. You should be able to find the necessary public keys in https://git.hamburg.ccc.de/CCCHH/password-store.
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue