From c285694aaadd49374745c9749d54b2ece5c7afaa Mon Sep 17 00:00:00 2001
From: Stefan Bethke <stb@lassitu.de>
Date: Sun, 25 Jan 2026 15:47:41 +0100
Subject: [PATCH] Add age private key

---
 docs/create-new-web-service-vm.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/docs/create-new-web-service-vm.md b/docs/create-new-web-service-vm.md
index 76eca21..1f5874d 100644
--- a/docs/create-new-web-service-vm.md
+++ b/docs/create-new-web-service-vm.md
@@ -37,7 +37,8 @@ As the first step, we need to make the host known to Ansible.
     2. Add the host to the desired roles. As a minimum, you'll want `base_config_hosts` and `infrastructure_authorized_keys_hosts`. For a typical web service based on Docker Compose, you'll want `docker_compose_hosts`, `nginx_hosts`, and `certbot_hosts`.
  3. In the directorry `inventories/chaosknoten/host_var/`:
     1. A file `inventories/chaosknoten/host_var/example.yaml` with the host/service specific configuration.
-    2. A file `inventories/chaosknoten/host_var/example.sops.yaml` with the encrypted secrets for the host/service. Run `sops inventories/chaosknoten/host_var/example.yaml` to edit/create that file. Entries there should generally be prefixed with `secret__` to make it easier to see where that variable is coming from in templates etc.
+    2. A file `inventories/chaosknoten/host_var/example.sops.yaml` with the encrypted secrets for the host/service. Run `sops inventories/chaosknoten/host_var/example.yaml` to edit/create that file. Entries here should generally be prefixed with `secret__` to make it easier to see where that variable is coming from in templates etc.
+       * Add an entry `ansible_pull__age_private_key` with the age private key you generated above.
 
 ## Service-specific config