commit ef71a895bb2bf4b2aef0d8c242610d18ff3fedd9
parent b4d5a87af9ef0c9bc2de1d04aba5b557514bb3bd
Author: Florian Dold <florian@dold.me>
Date: Mon, 24 Feb 2025 16:25:42 +0100
consistent name for secrets file to avoid accidents
Diffstat:
3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/.gitignore b/.gitignore
@@ -3,6 +3,9 @@
*~
exports
-tops-secrets.yml
-# Preferred name for secrets in inventories/host_vars
+# Preferred name for secrets in inventories/host_vars/$HOST/
prod-secrets.yml
+
+# This used to be the name of the secrets file,
+# keep ignoring it to prevent accidental commits of it.
+tops-secrets.yml
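Review bot: the two bare-filename patterns only cover the exact names `prod-secrets.yml` and `tops-secrets.yml`, so a decrypted copy saved as `prod-secrets.yaml`, `prod-secrets.yml.bak` or under a third name after the next rename is not ignored, and the comment on the `+# Preferred name for secrets in inventories/host_vars/$HOST/` line names a directory while the pattern (correctly) matches at any depth. One glob such as `*-secrets.yml` would cover both names and future renames while still leaving the `.gpg` ciphertext committable. Worth stating in the comment as well that `.gitignore` only guards against `git add .`; `git add -f` bypasses it, so a pre-commit hook that rejects unencrypted `*-secrets.yml` files is the stronger control.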
diff --git a/README b/README
@@ -25,15 +25,15 @@ $ ./deploy.sh rusty
For TOPS production, replace the "rusty" with "spec" to use the actual secrets
for the deployment. For this, you first need to decrypt them:
-$ gpg -d inventories/host_vars/spec/tops-secrets.yml.gpg > inventories/host_vars/spec/tops-secrets.yml
+$ gpg -d inventories/host_vars/spec/prod-secrets.yml.gpg > inventories/host_vars/spec/prod-secrets.yml
Make sure to NEVER commit the decrypted production secrets to Git.
Instead, if you had to edit them, re-encrypt them to all admins:
-$ cat inventories/host_vars/spec/tops-secrets.yml | gpg --encrypt \
+$ cat inventories/host_vars/spec/prod-secrets.yml | gpg --encrypt \
--recipient grothoff@gnunet.org \
--recipient devan@taler.net \
- --recipient me@fdold.eu > inventories/host_vars/spec/tops-secrets.yml.gpg
+ --recipient me@fdold.eu > inventories/host_vars/spec/prod-secrets.yml.gpg
## Checking sanction lists
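Review bot: `gpg -d inventories/host_vars/spec/prod-secrets.yml.gpg > inventories/host_vars/spec/prod-secrets.yml` creates the plaintext with the user's default umask (typically world-readable) and, if gpg fails (missing secret key, bad passphrase), still leaves an empty `prod-secrets.yml` behind that a later `./deploy.sh spec` would read as empty secrets. Suggest documenting `umask 077` (or `chmod 600` afterwards) and checking gpg's exit status before deploying, e.g. `gpg -d --output inventories/host_vars/spec/prod-secrets.yml inventories/host_vars/spec/prod-secrets.yml.gpg && ./deploy.sh spec`. The re-encryption command encrypts without signing, so anyone holding the three public keys can produce a replacement `prod-secrets.yml.gpg`; adding `--sign` lets the other admins verify who last rewrote the secrets, and the `cat ... | gpg --encrypt` pipe can simply pass the filename to gpg.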
diff --git a/inventories/host_vars/spec/tops-secrets.yml.gpg b/inventories/host_vars/spec/prod-secrets.yml.gpg
Binary files differ.
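Review bot: renaming the ciphertext leaves any previously decrypted `inventories/host_vars/spec/tops-secrets.yml` on an admin workstation as an orphaned plaintext that the documented workflow no longer reads or overwrites; the README should tell admins to delete (preferably `shred`) the old plaintext and re-decrypt under the new name. The commit message only mentions the rename, so if the encrypted content also changed in this commit (the page shows "Binary files differ" rather than a pure rename), that should be called out so admins know which version of the secrets is current.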