From 8e8fe2c5ee4fd49c4781ab21afd2a1e38d0fba20 Mon Sep 17 00:00:00 2001
From: "Jan Alexander Steffens (heftig)" <heftig@archlinux.org>
Date: Thu, 28 Dec 2023 00:21:12 +0100
Subject: [PATCH] README, root_access: Mention how to reencrypt when using TOFU

---
 README.md                      |  6 +++---
 group_vars/all/root_access.yml | 18 ++++++++++--------
 2 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index 976fda851..8b1b94ce1 100644
--- a/README.md
+++ b/README.md
@@ -36,9 +36,9 @@ secrets like Hetzner credentials; access to the `super` vault is controlled by
 the `vault_super_pgpkeys` variable.
 
 All the keys should be on the local user gpg keyring and at **minimum** be
-locally signed with `--lsign-key`. This is necessary for running any of the
-`reencrypt-vault-default-key`, `reencrypt-vault-super-key `or `fetch-borg-keys`
-tasks.
+locally signed with `--lsign-key` (or if you use TOFU, have `--tofu-policy
+good`). This is necessary for running any of the `reencrypt-vault-default-key`,
+`reencrypt-vault-super-key `or `fetch-borg-keys` tasks.
 
 #### Note about packer
 
diff --git a/group_vars/all/root_access.yml b/group_vars/all/root_access.yml
index 426193d5e..faac6e295 100644
--- a/group_vars/all/root_access.yml
+++ b/group_vars/all/root_access.yml
@@ -29,10 +29,11 @@ root_ssh_keys:
       - man.archlinux.org
       - gitlab.archlinux.org
 
-# - run 'playbooks/tasks/reencrypt-vault-{super,default}-key.yml' when this
-#   changes; before doing so, make sure to 'gpg --lsign-key' all listed keys
-# - before committing the re-encrypted password file, test if both vaults are
-#   working using `ansible-vault view misc/vaults/vault_{hetzner,hcloud}.yml`
+# run 'playbooks/tasks/reencrypt-vault-{super,default}-key.yml' when this
+# changes; before doing so, make sure to 'gpg --lsign-key' all keys from both
+# sets (or if you use TOFU, `gpg --tofu-policy good`) before committing the
+# re-encrypted password file, then test that both vaults are working using
+# `ansible-vault view misc/vaults/vault_{hetzner,hcloud}.yml`
 # NOTE: adding a key to this list gives access to both default and super vaults
 vault_super_pgpkeys: &vault_super_pgpkeys
   - 86CFFCA918CF3AF47147588051E8B148A9999C34  # foutrelis
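Review bot: The reworded comment on the `+` lines inverts the order of the last two steps: "make sure to 'gpg --lsign-key' ... before committing the re-encrypted password file, then test that both vaults are working" now reads as commit first, test second, whereas the removed lines had the `ansible-vault view` check gating the commit. The same inversion appears in the second hunk of this file (the `vault_default_pgpkeys` comment). The sentence should also make explicit that `--tofu-policy good` only records trust and does not itself verify the key, so the fingerprint still needs an out-of-band check before the policy is set. Suggested wording for the three trailing lines: `# sets (or, if you use TOFU, 'gpg --tofu-policy good' after verifying the fingerprint` / `# out of band); then, before committing the re-encrypted password file, test that` / `# both vaults work using 'ansible-vault view misc/vaults/vault_{hetzner,hcloud}.yml'`.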
@@ -45,10 +46,11 @@ vault_super_pgpkeys: &vault_super_pgpkeys
   - DB650286BD9EAE39890D3FE6FE3DC1668CB24956  # klausenbusk
   - B4B759625D4633430B74877059E43E106B247368  # artafinde
 
-# - run 'playbooks/tasks/reencrypt-vault-default-key.yml' when this changes
-# - before running it, make sure to 'gpg --lsign-key' all keys listed below
-# - before committing the re-encrypted password file, test that the vault
-#   is working by running `ansible-vault view misc/vaults/vault_hcloud.yml`
+# run 'playbooks/tasks/reencrypt-vault-default-key.yml' when this changes;
+# before doing so, make sure to 'gpg --lsign-key' all keys below (or if you use
+# TOFU, `gpg --tofu-policy good`) before committing the re-encrypted password
+# file, then test that the vault is working by running `ansible-vault view
+# misc/vaults/vault_hcloud.yml`
 vault_default_pgpkeys:
   - *vault_super_pgpkeys
   - F00B96D15228013FFC9C9D0393B11DAA4C197E3D  # gromit
-- 
GitLab