---
title: Secrets
---

# Secrets

Generally one should try to avoid secrets (e.g. using SSH keys instead of passwords).  
However, since one still needs to work with secrets, we use [SOPS](https://github.com/getsops/sops) to securely store them in our repository. The [`community.sops.sops` vars plugin](https://docs.ansible.com/ansible/latest/collections/community/sops/docsite/guide.html#working-with-encrypted-variables) is then used to access them in Ansible.

All secrets are stored in the inventories in files ending with `.sops.yaml` to provide the secrets contents as variables for hosts and groups.  
Accompanying creation rules are defined in the [`.sops.yaml`](https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/branch/main/.sops.yaml).

When running Ansible locally, then your GPG key is used for accessing the secrets.  
Hosts on the other hand, when running Ansible against themselves using ansible-pull, use a configured [age](https://github.com/FiloSottile/age) key to be able to access the secrets relevant to them.

## GPG Keys

The secrets in this repository are encrypted against the GPG public keys of all Infra-Team members as defined in [infra-secrets](https://git.hamburg.ccc.de/CCCHH/infra-secrets).  
In order to edit encrypted files, you need all the GPG public keys imported into your GPG Keychain. You should be able to find the necessary public keys in the [infra-secrets repo](https://git.hamburg.ccc.de/CCCHH/infra-secrets) as well.

## Guides

See the following pages for guidance on how to use SOPS:

- [SOPS: New Host](../guides/sops-new-host.md)
- [SOPS: Storing Secrets](../guides/sops-storing-secrets.md)
- [SOPS: GPG-Key Replacement](../guides/sops-gpg-key-replacement.md)