Ansible With SOPS - Secret Handling On Ghost Level
 SOPS: Secrets OPerationS - A silent tool for Ghost Operators. Silent Architects. 
Ansible Vault safeguards your data. 
- The team grows. 
- The data is more complex. 
- Encrypted files are too much noise. 
SOPS restores the signal. 
Get Your New Blade
Download the SOPS Linux binary from GitHub. 
Verify the binary against its published SHA256 checksum. 
Move it to a directory on your $PATH. 
Create or import your GPG keys. 
Sharpen The Blade
Configure SOPS to use your GPG key fingerprint. 
Get the fingerprint: 
gpg --list-keys
Copy and use it: 
export SOPS_PGP_FP="27846AFA62AC8475754E28ACFC0537D05D1D146B"
Test it. 
sops edit test.sops.yaml
The Silent Ansible Upgrade
Install the Ansible SOPS collection if missing: 
ansible-galaxy collection install community.sops
In ansible.cfg, enable the SOPS vars plugin: 
[defaults]
vars_plugins_enabled = host_group_vars,community.sops.sops
The host_vars or group_vars files' extension must be: 
- .sops.yaml 
- .sops.yml 
Configure the SOPS creation rules in the .sops.yaml file: 
---
creation_rules:
  - path_regex: inventories/.*\.sops\.yml
    key_groups:
      - pgp:
          - 27846AFA62AC8475754E28ACFC0537D05D1D146B
The Ghosts In Action
Create a SOPS encrypted file in host_vars or group_vars (the name must carry the .sops.yml extension so that both the creation rule and the vars plugin pick it up). 
sops edit inventories/host_vars/hostname.sops.yml
Remove the example content and add your data. 
---
my_data:
  - Hello
  - this is from
  - SOPS
Ansible can decrypt and use it. 
---
- name: SOPS test
  hosts: hostname
  tasks:
    - name: Echo the test variable
      ansible.builtin.debug:
        var: my_data
The system bends to you, Ghost Operator. 
Sharpening For The Team
Operators rotate. Keys must too. 
Add a new teammate
Import their public GPG key: 
gpg --import teammate_pubkey.asc
Update the key_groups in .sops.yaml with their fingerprint: 
creation_rules:
  - path_regex: inventories/.*\.sops\.yml
    key_groups:
      - pgp:
          - Your Fingerprint
          - Teammate Fingerprint
Re-encrypt the files so SOPS includes both keys: 
sops updatekeys inventories/host_vars/ghost-infra.sops.yml
Remove a teammate
Delete their fingerprint from .sops.yaml. 
Re-encrypt again: 
sops updatekeys inventories/host_vars/ghost-infra.sops.yml
Only the fingerprints listed will keep future access. 
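Editing .sops.yaml changes only future encryptions; a file that was never run through sops updatekeys still carries the removed operator's key. The following Python check is an added example, not part of the original post or of SOPS itself: it compares the fingerprints recorded in an encrypted file's sops metadata with those the matching creation rule allows. The policy and file contents are constructed samples passed as already-parsed dictionaries, and the all-zero fingerprint is a placeholder for a removed teammate.

```python
import re

# Constructed sample: .sops.yaml as a YAML loader would parse it (fingerprint from the post).
SOPS_CONFIG = {
    "creation_rules": [
        {"path_regex": r"inventories/.*\.sops\.yml",
         "key_groups": [{"pgp": ["27846AFA62AC8475754E28ACFC0537D05D1D146B"]}]}
    ]
}

# Constructed sample: the `sops` metadata block SOPS writes into an encrypted file.
# The all-zero fingerprint is a placeholder for a teammate removed from .sops.yaml
# whose key was never dropped because `sops updatekeys` did not run.
STALE_FILE = {
    "my_data": "ENC[AES256_GCM,data:...,type:str]",
    "sops": {"pgp": [
        {"fp": "27846AFA62AC8475754E28ACFC0537D05D1D146B"},
        {"fp": "0000000000000000000000000000000000000000"},
    ]},
}


def _norm(fp):
    """Fingerprints compare case-insensitively and without spaces."""
    return fp.replace(" ", "").upper()


def policy_fingerprints(config, path):
    """PGP fingerprints the first creation rule matching `path` allows (SOPS uses first match)."""
    for rule in config.get("creation_rules", []):
        if re.search(rule.get("path_regex", ""), path):
            fps = set()
            for group in [rule] + rule.get("key_groups", []):  # rule-level pgp: or key_groups
                pgp = group.get("pgp", []) or []
                if isinstance(pgp, str):  # legacy comma-separated "fp1,fp2" form
                    pgp = pgp.split(",")
                fps.update(_norm(fp) for fp in pgp if fp)
            return fps
    raise ValueError(f"no creation rule matches {path}")


def file_fingerprints(doc):
    """Fingerprints recorded in the encrypted file's sops.pgp section."""
    meta = doc.get("sops")
    if not meta:
        raise ValueError("no sops metadata: file is plaintext, not encrypted")
    return {_norm(entry["fp"]) for entry in meta.get("pgp", [])}


def audit(config, path, doc):
    """Return (stale, missing): keys that can still decrypt but are no longer allowed,
    and allowed keys that cannot decrypt until `sops updatekeys` is run."""
    allowed, present = policy_fingerprints(config, path), file_fingerprints(doc)
    return sorted(present - allowed), sorted(allowed - present)
```

Run it over every *.sops.yml under inventories/ after each rotation; any non-empty stale list means the removed operator still holds a working recipient key until updatekeys is applied.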
Final Whisper
Silence keeps the secrets. SOPS keeps them safe.