ViMaSter/ansible-infra
0
0
Fork 0
forked from CCCHH/ansible-infra
Code Pull requests Activity

Explain need to re-encrypt after adding a host

Browse source
This commit is contained in:
Stefan Bethke 2026-01-27 09:47:01 +01:00
commit 4f0c4bb276
2 changed files with 6 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

3
docs/create-new-web-service-vm.md
View file

@ -29,6 +29,7 @@ As the first step, we need to make the host known to Ansible.
1. In `.sops.yaml`, add an entry for the host. Follow the other entries there. 1. In `.sops.yaml`, add an entry for the host. Follow the other entries there.
1. `keys.hosts.chaosknoten.age` needs an age public key (must be generated; the private key gets added later in the host-specific YAML) 1. `keys.hosts.chaosknoten.age` needs an age public key (must be generated; the private key gets added later in the host-specific YAML)
2. `creation_rules` needs an entry for the host, referencing the age key. 2. `creation_rules` needs an entry for the host, referencing the age key.
3. Re-encrypt existing files with the new key (manly `group_var/all.sops.yaml`): `find inventories -name "*.sops.*" | xargs sops updatekeys --yes`
2. In `inventories/chaosknoten/hosts.yaml`: 2. In `inventories/chaosknoten/hosts.yaml`:
1. Configure basic connection info: 1. Configure basic connection info:
```yaml ```yaml
@ -47,7 +48,7 @@ As the first step, we need to make the host known to Ansible.
- `docker_compose_hosts` - `docker_compose_hosts`
- `nginx_hosts` - `nginx_hosts`
- `certbot_hosts`. - `certbot_hosts`.
3. In the directorry `inventories/chaosknoten/host_var/`: 3. In the directory `inventories/chaosknoten/host_var/`:
1. A file `inventories/chaosknoten/host_var/example.yaml` with the host/service specific configuration. 1. A file `inventories/chaosknoten/host_var/example.yaml` with the host/service specific configuration.
2. A file `inventories/chaosknoten/host_var/example.sops.yaml` with the encrypted secrets for the host/service. Run `sops inventories/chaosknoten/host_var/example.yaml` to edit/create that file. Entries here should generally be prefixed with `secret__` to make it easier to see where that variable is coming from in templates etc. 2. A file `inventories/chaosknoten/host_var/example.sops.yaml` with the encrypted secrets for the host/service. Run `sops inventories/chaosknoten/host_var/example.yaml` to edit/create that file. Entries here should generally be prefixed with `secret__` to make it easier to see where that variable is coming from in templates etc.
* Add an entry `ansible_pull__age_private_key` with the age private key you generated above. * Add an entry `ansible_pull__age_private_key` with the age private key you generated above.

7
docs/setting_up_secrets_using_sops_for_a_new_host.md
View file

@ -10,20 +10,21 @@ Because we're using the `community.sops.sops` vars plugin, the SOPS-encrypted se
2. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`. 2. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`.
It should probably hold all admin keys plus the host entry. It should probably hold all admin keys plus the host entry.
You can use existing creation rules as a reference. You can use existing creation rules as a reference.
3. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory. 3. Re-encrypt existing files with the new key (manly `group_var/all.sops.yaml`): `find inventories -name "*.sops.*" | xargs sops updatekeys --yes`
4. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory.
The name of the file should be in the format `[HOSTNAME].sops.yaml` to get picked up by the vars plugin and to match the previously created creation rule. The name of the file should be in the format `[HOSTNAME].sops.yaml` to get picked up by the vars plugin and to match the previously created creation rule.
This can be accomplished with a command similar to this: This can be accomplished with a command similar to this:
``` ```
sops inventories/[chaosknoten|z9]/host_vars/[HOSTNAME].secrets.yaml sops inventories/[chaosknoten|z9]/host_vars/[HOSTNAME].secrets.yaml
``` ```
4. With the editor now open, add the secrets you want to store. 5. With the editor now open, add the secrets you want to store.
Because we're using the `community.sops.sops` vars plugin, the stored secrets will be exposed as Ansible variables. Because we're using the `community.sops.sops` vars plugin, the stored secrets will be exposed as Ansible variables.
Also note that SOPS only encrypts the values, not the keys. Also note that SOPS only encrypts the values, not the keys.
When now creating entries, try to adhere to the following variable naming convention: When now creating entries, try to adhere to the following variable naming convention:
- Make sure to put the prive age key in here under `ansible_pull__age_private_key`. - Make sure to put the prive age key in here under `ansible_pull__age_private_key`.
- Prefix variable names with `secret__`, if they are intended to be used in a template file or similar. (e.g. `secret__netbox_secret_key: secret_value`) - Prefix variable names with `secret__`, if they are intended to be used in a template file or similar. (e.g. `secret__netbox_secret_key: secret_value`)
- Otherwise, if the variable is directly consumed by a role or similar, directly set the variable. (e.g. `netbox__db_password: secret_value`) - Otherwise, if the variable is directly consumed by a role or similar, directly set the variable. (e.g. `netbox__db_password: secret_value`)
5. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable. 6. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable.
## GPG Keys ## GPG Keys