con un clic
manage-secrets
Encrypt, decrypt, and rotate service secrets using SOPS and age
Instalar con Codex o Claude Copia este prompt, pégalo en Codex, Claude u otro asistente, y deja que revise la página de la skill y la instale por ti.
Menú
Encrypt, decrypt, and rotate service secrets using SOPS and age
Instalar con Codex o Claude Copia este prompt, pégalo en Codex, Claude u otro asistente, y deja que revise la página de la skill y la instale por ti.
Onboard a new Docker service to Yggdrasil with complete setup and validation
Bootstrap yggdrasil from scratch with Debian 12, Docker, and Ansible
Deploy or redeploy a service to yggdrasil with validation and SOPS decryption
Basado en la clasificación ocupacional SOC
| name | manage-secrets |
| description | Encrypt, decrypt, and rotate service secrets using SOPS and age |
| license | MIT |
| metadata | {"audience":"operators","workflow":"secret-management"} |
I handle all secret management operations for Yggdrasil services using SOPS + age encryption:
Use this when you:
Nothing todo.
api_key: "value")sops -e to encrypt the fileservices/<name>/secrets/ in gitservices/<name>/secrets/make ansible-deploy-service SERVICE=<name>Age key (keep safe, never commit):
~/.../sops/age/keys.txt # Your private encryption key
SOPS configuration (in repo root):
.sops.yaml # Specifies age recipient and rules
Service secrets (encrypted, safe to commit):
services/<name>/secrets/*.yaml # Encrypted secrets for a service
Docker Compose (references secrets):
services/<name>/compose.yaml # Uses env_file: secrets/... or env from container
Add a new secret to a service
Ask me to add an API key secret to the ntfy service
I'll create an encrypted file and show you how to reference it in compose.yaml
Rotate a compromised credential
My API key was exposed, help me rotate it
I'll update the encrypted secret file and redeploy the service
Deploy secrets safely
I've added secrets to a service, how do I deploy?
I'll show you how Ansible decrypts and injects them at deployment time
Emergency secret access
I need to see what the current API key is for debugging
I'll temporarily decrypt the file and show you the value
Backup/migrate secrets
I'm moving infrastructure to a new server
I'll help you export secrets and set up age key on the new machine
✓ Do:
.gitignore to prevent plaintext secrets from being committed.sops.yaml in git (it's safe—contains only recipient fingerprint)✗ Don't:
.sops.yaml — defines encryption rulesservices/*/secrets/ — where to store encrypted filesservices/*/compose.yaml — how to reference secretsSecurity note: Your age private key is the only thing protecting these secrets. Back it up securely and never share it. If compromised, rotate all secrets immediately.