# NOTE: in this transcript "# " and "~/openvpn1# " are root shell prompts (the second one
#   inside the role directory); only the NOTE lines are commentary.
# NOTE(review): the release binary is installed without checking the checksum or signature
#   published alongside the release -- verify it before moving it into PATH.
# wget https://github.com/getsops/sops/releases/download/v3.11.0/sops-v3.11.0.linux.amd64
# mv sops-v3.11.0.linux.amd64 /usr/local/bin/sops
# chmod +x /usr/local/bin/sops
# NOTE: VAULT_ADDR is a plain shell variable (not exported); the shell expands it into the
#   sops commands below, so sops receives the full transit key URI on its command line.
# NOTE(review): the address is plain http, so the data key that protects each file and the
#   Vault token cross the network unencrypted -- fine for a lab, use https anywhere else.
# VAULT_ADDR=http://server.corpX.un:8200
# NOTE(review): exporting the token on the command line leaves it in shell history; the
#   value below is a placeholder -- never paste a real token into a wiki page.
# export VAULT_TOKEN=hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKU
# NOTE: the trailing "#-i" comments out the in-place flag, so these two commands print the
#   result to stdout and leave server.key on disk unchanged -- the cat in between should
#   still show the plaintext key.
~/openvpn1# sops encrypt --hc-vault-transit $VAULT_ADDR/v1/transit/keys/ansible-openvpn1 openvpn1/files/server.key #-i
~/openvpn1# cat openvpn1/files/server.key
~/openvpn1# sops decrypt --hc-vault-transit $VAULT_ADDR/v1/transit/keys/ansible-openvpn1 openvpn1/files/server.key #-i
# The per-path rules below replace the explicit --hc-vault-transit argument.
~/openvpn1# cat .sops.yaml
# sops configuration: which files are encrypted, which values inside them, and with which
# Vault transit key (indentation restored; the nested keys belong to their list item).
creation_rules:
  # Inventory: only values whose key name matches encrypted_regex are encrypted; every
  # other key and value in inventory.yaml stays in plaintext, so new secret-bearing
  # variables must also match this pattern. path_regex is an unanchored regex match.
  - path_regex: inventory.yaml
    encrypted_regex: ^ansible.*pass
    # NOTE(review): plain http -- the transit request (file data key plus Vault token)
    # crosses the network unencrypted. The host is corp13 here while the shell session
    # uses the corpX placeholder; presumably X is the lab instance number -- verify.
    hc_vault_transit_uri: "http://server.corp13.un:8200/v1/transit/keys/ansible-openvpn1"
  # Private key: no encrypted_regex, so the whole file content is encrypted.
  - path_regex: openvpn1/files/server.key
    hc_vault_transit_uri: "http://server.corp13.un:8200/v1/transit/keys/ansible-openvpn1"
# NOTE: "~/openvpn1# " is the root prompt in the role directory; NOTE lines are commentary.
# In-place encryption; key URI and value filter now come from .sops.yaml.
~/openvpn1# sops encrypt inventory.yaml -i
~/openvpn1# cat inventory.yaml
# Decrypts into an editor and re-encrypts on save; the plaintext lives in a temporary
# file only while the editor is open.
~/openvpn1# sops edit inventory.yaml
# exec-file substitutes {} with a path to the decrypted inventory; by default that path is
# a FIFO, so no plaintext copy is left on disk. The echo/cat here only shows what the
# command receives.
~/openvpn1# sops exec-file inventory.yaml 'echo {}; cat {}'
# Whole-file in-place encryption of the private key (second rule in .sops.yaml).
~/openvpn1# sops encrypt openvpn1/files/server.key -i
~/openvpn1# cat openvpn1/tasks/main.yml
...
- name: Copy file server.key
  # NOTE(review): "content" is rendered on the control node, so the sops lookup decrypts
  # server.key there (through Vault transit) and the plaintext key travels to the managed
  # host over the Ansible connection. Consider "no_log: true" so the key does not appear
  # in verbose or diff output, and an explicit quoted "mode" (a private key written with
  # the default mode may be readable by other users). "dest" is required by the copy
  # module and is not shown here -- presumably elided by the "..." markers.
  copy:
    # plain file copy replaced by the decrypting lookup below
    #src: server.key
    content: "{{ lookup('community.sops.sops', 'server.key') }}"
...
# NOTE(review): --no-fifo makes sops write the decrypted inventory to a regular temporary
# file instead of a FIFO (presumably because ansible-playbook reads the inventory more than
# once), so the plaintext exists on disk for the whole playbook run until sops removes it
# when the command exits. Run this only on a trusted control node.
~/openvpn1# sops exec-file --no-fifo inventory.yaml 'ansible-playbook openvpn1.yaml -i {}'