with one click
manage-secrets
Encrypt, decrypt, and rotate service secrets using SOPS and age
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Menu
Encrypt, decrypt, and rotate service secrets using SOPS and age
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Based on SOC occupation classification
| name | manage-secrets |
| description | Encrypt, decrypt, and rotate service secrets using SOPS and age |
| license | MIT |
| metadata | {"audience":"operators","workflow":"secret-management"} |
I handle all secret management operations for Yggdrasil services using SOPS + age encryption:
Use this when you:
Nothing todo.
api_key: "value")sops -e to encrypt the fileservices/<name>/secrets/ in gitservices/<name>/secrets/make ansible-deploy-service SERVICE=<name>Age key (keep safe, never commit):
~/.../sops/age/keys.txt # Your private encryption key
SOPS configuration (in repo root):
.sops.yaml # Specifies age recipient and rules
Service secrets (encrypted, safe to commit):
services/<name>/secrets/*.yaml # Encrypted secrets for a service
Docker Compose (references secrets):
services/<name>/compose.yaml # Uses env_file: secrets/... or env from container
Add a new secret to a service
Ask me to add an API key secret to the ntfy service
I'll create an encrypted file and show you how to reference it in compose.yaml
Rotate a compromised credential
My API key was exposed, help me rotate it
I'll update the encrypted secret file and redeploy the service
Deploy secrets safely
I've added secrets to a service, how do I deploy?
I'll show you how Ansible decrypts and injects them at deployment time
Emergency secret access
I need to see what the current API key is for debugging
I'll temporarily decrypt the file and show you the value
Backup/migrate secrets
I'm moving infrastructure to a new server
I'll help you export secrets and set up age key on the new machine
✓ Do:
.gitignore to prevent plaintext secrets from being committed.sops.yaml in git (it's safe—contains only recipient fingerprint)✗ Don't:
.sops.yaml — defines encryption rulesservices/*/secrets/ — where to store encrypted filesservices/*/compose.yaml — how to reference secretsSecurity note: Your age private key is the only thing protecting these secrets. Back it up securely and never share it. If compromised, rotate all secrets immediately.
Onboard a new Docker service to Yggdrasil with complete setup and validation
Bootstrap yggdrasil from scratch with Debian 12, Docker, and Ansible
Deploy or redeploy a service to yggdrasil with validation and SOPS decryption