docs: move information on secrets and sops into docs

docs/concepts-and-configurations/secrets.md

@@ -0,0 +1,27 @@
+---
+title: Secrets
+---
+
+# Secrets
+
+Generally one should try to avoid secrets (e.g. using SSH keys instead of passwords).  
+However, since one still needs to work with secrets, we use [SOPS](https://github.com/getsops/sops) to securely store them in our repository. The [`community.sops.sops` vars plugin](https://docs.ansible.com/ansible/latest/collections/community/sops/docsite/guide.html#working-with-encrypted-variables) is then used to access them in Ansible.
+
+All secrets are stored in the inventories in files ending with `.sops.yaml` to provide the secrets contents as variables for hosts and groups.  
+Accompanying creation rules are defined in the [`.sops.yaml`](https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/branch/main/.sops.yaml).
+
+When running Ansible locally, then your GPG key is used for accessing the secrets.  
+Hosts on the other hand, when running Ansible against themselves using ansible-pull, use a configured [age](https://github.com/FiloSottile/age) key to be able to access the secrets relevant to them.
+
+## GPG Keys
+
+The secrets in this repository are encrypted against the GPG public keys of all Infra-Team members as defined in [infra-secrets](https://git.hamburg.ccc.de/CCCHH/infra-secrets).  
+In order to edit encrypted files, you need all the GPG public keys imported into your GPG Keychain. You should be able to find the necessary public keys in the [infra-secrets repo](https://git.hamburg.ccc.de/CCCHH/infra-secrets) as well.
+
+## Guides
+
+See the following pages for guidance on how to use SOPS:
+
+- [SOPS: New Host](../guides/sops-new-host.md)
+- [SOPS: Storing Secrets](../guides/sops-storing-secrets.md)
+- [SOPS: GPG-Key Replacement](../guides/sops-gpg-key-replacement.md)