27 lines
1.7 KiB
Markdown
27 lines
1.7 KiB
Markdown
---
|
|
title: Secrets
|
|
---
|
|
|
|
# Secrets
|
|
|
|
Generally one should try to avoid secrets (e.g. using SSH keys instead of passwords).
|
|
However, since one still needs to work with secrets, we use [SOPS](https://github.com/getsops/sops) to securely store them in our repository. The [`community.sops.sops` vars plugin](https://docs.ansible.com/ansible/latest/collections/community/sops/docsite/guide.html#working-with-encrypted-variables) is then used to access them in Ansible.
|
|
|
|
All secrets are stored in the inventories in files ending with `.sops.yaml` to provide the secrets contents as variables for hosts and groups.
|
|
Accompanying creation rules are defined in the [`.sops.yaml`](https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/branch/main/.sops.yaml).
|
|
|
|
When running Ansible locally, then your GPG key is used for accessing the secrets.
|
|
Hosts on the other hand, when running Ansible against themselves using ansible-pull, use a configured [age](https://github.com/FiloSottile/age) key to be able to access the secrets relevant to them.
|
|
|
|
## GPG Keys
|
|
|
|
The secrets in this repository are encrypted against the GPG public keys of all Infra-Team members as defined in [infra-secrets](https://git.hamburg.ccc.de/CCCHH/infra-secrets).
|
|
In order to edit encrypted files, you need all the GPG public keys imported into your GPG Keychain. You should be able to find the necessary public keys in the [infra-secrets repo](https://git.hamburg.ccc.de/CCCHH/infra-secrets) as well.
|
|
|
|
## Guides
|
|
|
|
See the following pages for guidance on how to use SOPS:
|
|
|
|
- [SOPS: New Host](../guides/sops-new-host.md)
|
|
- [SOPS: Storing Secrets](../guides/sops-storing-secrets.md)
|
|
- [SOPS: GPG-Key Replacement](../guides/sops-gpg-key-replacement.md)
|