---
title: "SOPS: Storing Secrets"
summary: How to Store Secrets Using SOPS
---

# SOPS: Storing Secrets

Some guidance on how to store secrets using [SOPS](../concepts-and-configurations/sops.md). For a guide on how to set up SOPS for a new host, see [SOPS: New Host](./sops-new-host.md).

1. For host-specific secrets, open the host's SOPS file:

   ```shell
   sops inventories/<chaosknoten/z9/...>/host_vars/<hostname>.sops.yaml
   ```

   For inventory-wide secrets, open the inventory's `all` group SOPS file:

   ```shell
   sops inventories/<chaosknoten/z9/...>/group_vars/all.sops.yaml
   ```

   `sops <file>` decrypts the file into your `$EDITOR` and re-encrypts it when you save and quit.

2. Now the secrets can be added to the opened file. Because we're using the `community.sops.sops` vars plugin, which decrypts the `*.sops.yaml` files in `host_vars` and `group_vars` at runtime, the stored secrets are then exposed as Ansible variables.

   Note that SOPS only encrypts the values, not the keys: variable names, the YAML structure and the `sops:` metadata block stay readable in the repository, so never put sensitive information into a key name.

   When creating entries, try to adhere to the following variable naming conventions:

   - Prefix variable names with `secret__` if they are intended to be used in a template file or similar, e.g.:

     ```yaml
     secret__netbox_secret_key: secret_value
     ```

   - Otherwise, if the variable is directly consumed by a role or similar, set that variable directly, e.g.:

     ```yaml
     netbox__db_password: secret_value
     ```

3. After closing the editor, sops re-encrypts the file in place and the secrets are stored; commit the `.sops.yaml` file like any other inventory file. In Ansible the secrets are exposed as variables and can be used like any other variable.
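The three steps above leave one thing to chance: that the file you commit is actually encrypted and that the names follow the convention. As an added example (not part of the original page or the project's tooling), the POSIX shell lint below can run as a pre-commit hook over an inventory directory. It checks that every value outside the `sops:` metadata block is SOPS ciphertext (`ENC[...]`) and that top-level variable names match the `secret__<name>` / `<role>__<name>` convention. The naming regex, the `ENC[...]` payloads and the sample inventory are assumptions constructed for this example, not real ciphertext or real project files.

```shell
#!/bin/sh
# Added example, not part of the original page: lint *.sops.yaml files before
# they are committed. The naming regex and the sample files are assumptions.

# check_sops_file FILE
# Prints one finding per line. Exit status 0 when the file is clean, 1 otherwise.
check_sops_file() {
    awk '
        BEGIN { bad = 0 }
        # The trailing "sops:" block is unencrypted metadata (mac, recipients,
        # lastmodified, ...). Skip it; a new top-level key ends it.
        /^sops:/     { in_sops = 1; next }
        /^[^ \t#]/   { in_sops = 0 }
        in_sops      { next }
        /^[ \t]*$/   { next }   # blank line
        /^[ \t]*#/   { next }   # comment

        # "key: value" at any indentation, or a "- value" list item.
        /^[ \t]*[^ \t#-][^:]*:/ || /^[ \t]*-[ \t]/ {
            line = $0
            if (line ~ /^[ \t]*-[ \t]/) {
                key = "(list item)"
                val = line; sub(/^[ \t]*-[ \t]+/, "", val)
            } else {
                key = line; sub(/:.*/, "", key)
                val = line; sub(/^[^:]*:[ \t]*/, "", val)
            }
            # Naming convention (assumed regex) applies to top-level variables only.
            if (line !~ /^[ \t-]/ && key !~ /^[a-z0-9]+__[a-z0-9_]+$/) {
                printf "%s: %s does not match secret__<name> or <role>__<name>\n", FILENAME, key
                bad = 1
            }
            # Encrypted scalars look like ENC[AES256_GCM,data:...,iv:...,tag:...,type:...].
            # A key that opens a nested mapping has an empty value here and is skipped.
            if (val != "" && val !~ /^"?ENC\[AES256_GCM,data:/) {
                printf "%s: %s has a plaintext value\n", FILENAME, key
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# check_inventory DIR
# Lint every host_vars/*.sops.yaml and group_vars/*.sops.yaml below an
# inventory directory such as inventories/<chaosknoten/z9/...>.
check_inventory() {
    status=0
    for f in "$1"/host_vars/*.sops.yaml "$1"/group_vars/*.sops.yaml; do
        [ -f "$f" ] || continue          # unmatched glob
        check_sops_file "$f" || status=1
    done
    return $status
}

# Constructed sample inventory. The ENC[...] strings are placeholders, not ciphertext.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/host_vars" "$SAMPLE_DIR/group_vars"
SAMPLE_GOOD="$SAMPLE_DIR/host_vars/netbox.sops.yaml"
SAMPLE_BAD="$SAMPLE_DIR/group_vars/all.sops.yaml"

cat >"$SAMPLE_GOOD" <<'EOF'
secret__netbox_secret_key: ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]
netbox__db_password: "ENC[AES256_GCM,data:cGFzcw==,iv:aXY=,tag:dGFn,type:str]"
netbox__extra:
    - ENC[AES256_GCM,data:b25l,iv:aXY=,tag:dGFn,type:str]
sops:
    lastmodified: "2024-01-01T00:00:00Z"
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.8.1
EOF

# Two defects: a plaintext value and a key that ignores the naming convention.
cat >"$SAMPLE_BAD" <<'EOF'
netbox__db_password: supersecret-plaintext
NetboxToken: ENC[AES256_GCM,data:dG9r,iv:aXY=,tag:dGFn,type:str]
sops:
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
    version: 3.8.1
EOF

check_inventory "$SAMPLE_DIR" || echo "fix the findings above before committing"
```

Point `check_inventory` at a real inventory directory from a pre-commit hook and refuse the commit on a non-zero exit. One caveat: sops deliberately leaves keys matching `unencrypted_suffix` (default `_unencrypted`) or `unencrypted_regex` in plaintext; if the inventory relies on that, exempt those keys in the awk program, otherwise the lint will flag them.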