ansible-infra/docs/concepts-and-configurations/secrets.md
June 51cd583dff
docs: move information on secrets and sops into docs
2026-05-20 22:54:32 +02:00

Secrets

Generally, avoid secrets where you can (e.g. SSH key authentication instead of passwords, since only the public key has to live in the repository).
However, some secrets are unavoidable, so we use SOPS to store them encrypted in our repository. The community.sops.sops vars plugin then decrypts them transparently when Ansible loads variables.

All secrets are stored in the inventories (group_vars and host_vars) in files ending with .sops.yaml; the vars plugin provides their decrypted contents as variables for the corresponding hosts and groups.
The accompanying creation rules, which decide which keys a newly created file is encrypted to based on its path, are defined in the .sops.yaml configuration file (note the leading dot: this is the SOPS configuration, not one of the encrypted *.sops.yaml variable files).

When running Ansible locally, sops decrypts the secrets with your GPG private key.
Hosts, on the other hand, when running Ansible against themselves via ansible-pull, use an age key configured on the host, so each host can only decrypt the secrets that were encrypted to its key, i.e. the ones relevant to it.
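The following .sops.yaml is an added illustration of how creation rules can express the split described above (team GPG keys for everything, plus a per-host age key for that host's own secrets). It is not this repository's actual configuration: the host name web01, the GPG fingerprints and the age recipient are placeholders.

```yaml
# .sops.yaml (added illustration, not this repository's actual file).
# The fingerprints, the host name web01 and the age recipient are
# placeholders and must be replaced with real values.
#
# sops applies the FIRST creation rule whose path_regex matches the
# path of the file being created, so host-specific rules must come
# before the catch-all rule.
creation_rules:
  # Secrets for one host: every Infra-Team GPG key plus that host's own
  # age key, so both a team member (locally) and the host itself
  # (ansible-pull) can decrypt. pgp and age keys listed in one rule form
  # a single key group; any one of them suffices to decrypt.
  - path_regex: inventories/[^/]+/host_vars/web01/.*\.sops\.ya?ml$
    pgp: >-
      0000000000000000000000000000000000000001,
      0000000000000000000000000000000000000002
    age: age1placeholderrecipientforweb01000000000000000000000000000000

  # Everything else under the inventories (group_vars and other hosts):
  # Infra-Team GPG keys only. A host cannot decrypt group-level secrets
  # unless its age key is added to a rule that matches them.
  - path_regex: inventories/.*\.sops\.ya?ml$
    pgp: >-
      0000000000000000000000000000000000000001,
      0000000000000000000000000000000000000002
```

Creation rules are only consulted when a file is first encrypted. After adding or removing a recipient in .sops.yaml, run `sops updatekeys <file>` on each affected *.sops.yaml so its data key is re-encrypted to the new set of keys; otherwise the old recipients keep access and new ones get none. The community.sops.sops vars plugin is not enabled by default in Ansible; it has to be listed in `vars_plugins_enabled` in ansible.cfg (alongside host_group_vars) for the *.sops.yaml files to be picked up.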

GPG Keys

The secrets in this repository are encrypted to the GPG public keys of all Infra-Team members as defined in infra-secrets.
To edit encrypted files you need your own GPG private key (to decrypt the file's data key) and the GPG public keys of all other members imported into your GPG keyring, because sops re-encrypts the data key to every recipient when you save. You should be able to find the necessary public keys in the infra-secrets repo as well.

Guides

See the following pages for guidance on how to use SOPS: