CCCHH/ansible-infra
CCCHH/ansible-infra
2
2
Fork 2
Code Issues 7 Pull requests 4 Wiki Activity Actions

Compare commits

base: CCCHH:41cd994ab86530c08e4a50d8ba8093eedf22c868
Branches Tags
CCCHH:main
CCCHH:renovate/docker.io-library-redis-8.x
CCCHH:renovate/docker.io-library-postgres-18.x
CCCHH:renovate/docker.io-library-mariadb-12.x
CCCHH:renovate/all-stable-minor-patch
CCCHH:alloy
CCCHH:router-killing-turing
CCCHH:fix_ansible_lint
CCCHH:feature/add-new-router
CCCHH:fux-alerts
CCCHH:move_to_sops
...
compare: CCCHH:edb38482118aee3bc50827b7ed24b0bc19d2556e
Branches Tags
CCCHH:main
CCCHH:renovate/docker.io-library-redis-8.x
CCCHH:renovate/docker.io-library-postgres-18.x
CCCHH:renovate/docker.io-library-mariadb-12.x
CCCHH:renovate/all-stable-minor-patch
CCCHH:alloy
CCCHH:router-killing-turing
CCCHH:fix_ansible_lint
CCCHH:feature/add-new-router
CCCHH:fux-alerts
CCCHH:move_to_sops

2 commits
41cd994ab8 ... edb3848211

Author SHA1 Message Date
Renovate
edb3848211 Update docker.io/library/mariadb Docker tag to v12
Some checks failed
/ Ansible Lint (pull_request) Failing after 47s
Details
/ Ansible Lint (push) Failing after 49s
Details
2026-01-25 11:15:53 +00:00
Stefan Bethke
b492472179 Explain how to add age key for ansible pull
Some checks failed
/ Ansible Lint (push) Failing after 44s
Details
2026-01-25 12:12:30 +01:00
2 changed files with 16 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

20
docs/setting_up_secrets_using_sops_for_a_new_host.md
View file

@ -2,19 +2,29 @@
Because we're using the `community.sops.sops` vars plugin, the SOPS-encrypted secrets get stored in the inventory. Because we're using the `community.sops.sops` vars plugin, the SOPS-encrypted secrets get stored in the inventory.
1. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`. 1. Create a new age key for Ansible pull on the host.
It should probably hold all admin keys. ```
age-keygen
```
Then add an entry to `keys.hosts.chaosknoten.age`
2. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`.
It should probably hold all admin keys plus the host entry.
You can use existing creation rules as a reference. You can use existing creation rules as a reference.
2. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory. 3. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory.
The name of the file should be in the format `[HOSTNAME].sops.yaml` to get picked up by the vars plugin and to match the previously created creation rule. The name of the file should be in the format `[HOSTNAME].sops.yaml` to get picked up by the vars plugin and to match the previously created creation rule.
This can be accomplished with a command similar to this: This can be accomplished with a command similar to this:
``` ```
sops inventories/[chaosknoten|z9]/host_vars/[HOSTNAME].secrets.yaml sops inventories/[chaosknoten|z9]/host_vars/[HOSTNAME].secrets.yaml
``` ```
3. With the editor now open, add the secrets you want to store. 4. With the editor now open, add the secrets you want to store.
Because we're using the `community.sops.sops` vars plugin, the stored secrets will be exposed as Ansible variables. Because we're using the `community.sops.sops` vars plugin, the stored secrets will be exposed as Ansible variables.
Also note that SOPS only encrypts the values, not the keys. Also note that SOPS only encrypts the values, not the keys.
When now creating entries, try to adhere to the following variable naming convention: When now creating entries, try to adhere to the following variable naming convention:
- Make sure to put the prive age key in here under `ansible_pull__age_private_key`.
- Prefix variable names with `secret__`, if they are intended to be used in a template file or similar. (e.g. `secret__netbox_secret_key: secret_value`) - Prefix variable names with `secret__`, if they are intended to be used in a template file or similar. (e.g. `secret__netbox_secret_key: secret_value`)
- Otherwise, if the variable is directly consumed by a role or similar, directly set the variable. (e.g. `netbox__db_password: secret_value`) - Otherwise, if the variable is directly consumed by a role or similar, directly set the variable. (e.g. `netbox__db_password: secret_value`)
4. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable. 5. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable.
## GPG Keys
In order to edit encrypted files, you need all the GPG public keys imported into your GPG Keychain. You should be able to find the necessary public keys in https://git.hamburg.ccc.de/CCCHH/password-store.

2
resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2
View file

@ -3,7 +3,7 @@
services: services:
database: database:
image: docker.io/library/mariadb:11 image: docker.io/library/mariadb:12
environment: environment:
- "MARIADB_DATABASE=wordpress" - "MARIADB_DATABASE=wordpress"
- "MARIADB_ROOT_PASSWORD={{ secret__mariadb_root_password }}" - "MARIADB_ROOT_PASSWORD={{ secret__mariadb_root_password }}"