#Sops

2025-06-10

What you need to know about using werf when deploying a hybrid application: personal experience

The author of the article is a mobile developer who set up the infrastructure for a startup by himself on a single small virtual machine. You will learn how he chose and adopted werf, which problems he solved with SOPS, how he organized the storage and encryption of secrets, and why GitOps became his salvation.

habr.com/ru/companies/flant/ar

#werf #cicd #kubernetes #terraform #secrets #hybrid_applications #giterminism #gitops #sops

Gopi Adusumilli gopi@truthsocial.co.in
2025-06-05

Spent the afternoon building an hda to automate the fx dept USD exports, from SOPs, following the #ASWF standards. This is going to help lookdev massively as now all assets follow the same structure 💪

#OpenUSD #Houdini #SOPs

2025-03-25

finally found some time to play with #SOPS (getsops.io/docs/) and migrated a project to it. seems like a good replacement and optimization for our current secrets sharing workflow. also super useful that it works with both #PGP/ #GPG and #age keys

Vesa-Pekka Tuomaala VsQ@mastodontti.fi
2025-03-16

Now that I've spent a few days wrestling with sops-nix and syncthing, today I could actually go and get some exercise in the form of mountain biking #sops #syncthing #biketooter #Pyöräilydontti

I cannot wait for the next release of #sops with SSH support for age! github.com/getsops/sops...

Add SSH support for age by hao...

2025-02-09

It works! Taking mozilla/sops and #puppet #hiera and making them one! I do love hiera_eyaml but #sops is just 10x better.

```
$ puppet lookup --hiera_config=spec/fixtures/hiera.yaml --modulepath=~/git/hiera-sops nested::data
---
thing1:
- one
- two
thing2:
- three
- four
```

2025-02-07

Talk: "#SOPS (up close), give your plaintext secrets a good scrubbing!" #tnt25

2025-01-11

After a few nights and weekends of mashing keys, I have figured the right order to bring up a #nixos instance built for #proxmox, provision it with #colmena, shove secrets on it with #sops, bring up a docker container, and get it on my @tailscale #tailnet. I don’t know how many times I nearly gave up, but it paid off, and I’m thrilled.

Now to do it again.

Secrets management via #SOPS and HashiCorp #Vault:
1. Store secrets in a Git repository as SOPS-encrypted files.
2. #Terraform gains read access to secrets during provisioning, e.g., via Google KMS.
3. #Terraform uses the vault_kv_secret_v2 module to inject secrets into Vault.
4. Applications consume secrets directly from Vault or through Kubernetes integration.

This approach separates long-term and runtime secrets storage, enhancing #security and flexibility.

2024-11-03

🔧 #Sidekick transforms bare metal #VPS into a production-ready hosting platform for streamlined #DevOps

🚀 Key Features:
• Single-command VPS setup integrating #Docker, #Traefik, and #SOPS encryption
• Zero-downtime deployments with high availability and load balancing
• Automatic SSL certificate management with #sslip.io support
• Secure secrets management through encrypted environment files

💻 Technical Highlights:
• Runs on Ubuntu LTS systems
• Requires only SSH key access and public IP
• Supports preview environments tied to git commits
• Direct container deployment from Dockerfiles

💪 Platform Benefits:
• Escape vendor lock-in
• Affordable hosting ($8/month DigitalOcean instance)
• Simple CLI-based management
• Built-in security best practices

Source: github.com/MightyMoud/sidekick

Jons Mostovojs jonn@social.doma.dev
2024-10-25

My plan for #CD refactoring for #ZeroHR:

github.com/numtide/system-mana — allows configuring non-NixOS systemd declaratively using the Nix programming language.
github.com/serokell/deploy-rs — allows doing non-privileged deploys using #nix flakes. Works on non-NixOS Linuxes via home-manager.
github.com/getsops/sops — for secret management capability, integratable with deploy-rs[1].

[1]: samleathers.com/posts/2022-02-

#numtide #serokell #systemManager #deployRs #sops

2024-10-17

@stuartm Thanks!

Yes one of the goals is to generate discussions. Like maybe if so many people prefer a flat `settings.py` module I would change my template so that people can use it to get a friendly #django experience. So if some things seem odd to you, don't hesitate 😉

And yes, #SOPS is a whole new world to me, full of hope!

2024-10-09

📣 New #webdev related blog post here, introducing my take on what a #Django project template could be for an advanced usage. Obviously #astraluv is there, but also #justsystems , #esbuild , and... #SOPS 🔐

It's very early stage so please tell me what you think about it 🙏

david.guillot.me/en/posts/tech

Benedikt Ritter (he/him) britter@chaos.social
2024-10-04

I made my first contribution to a Go project today! 🎉 github.com/cromefire/fritzbox- This is going to make it easier to specify secrets in my home lab setup using sops.
#GoLang #HomeLab #NixOS #sops

2024-10-04

Maybe interesting for some: I built a small little tool which makes your secrets on #nixos (i.e. managed by sops-nix) available as #podman secrets. github.com/dereulenspiegel/nix
#nix #sops

The best thing in #SOPS is its awesome integration into #Terraform stack: sops_decrypt_file -> yamldecode, and you have your variables available in the scope right away.

Morten Linderud Foxboron@chaos.social
2024-08-05

Okay, #sops gives me a datakey to encrypt. I have an ECDSA key and #sops doesn't give me any medium for a shared secret where I can do ECDH.

Do I yolo it and include a session key inside the ciphertext (which is what the age ciphertext does) or is there a more clever way?

#cryptography #security

Filip 🌱 🦀 hhg@infosec.exchange
2024-08-03

@sebhoss I'm alone, but I want the repo to be public and I want to be able to rotate secrets decently easily. Cluster management will be done with #Flux, and hosting will be on bare metal, outside of the big players - i.e. AWS, Azure. Do you think #SOPS is fine in this case?

#FluxCD

Filip 🌱 🦀 hhg@infosec.exchange
2024-08-03

I am suffering from decision paralysis, because I have no idea if I should use #SOPS for my secrets or if it will be a better idea to use #ExternalSecrets with #Bitwarden #SecretsManager
Any #DevOps engineers that are kind enough to help with advice?

#k8s #k3s #kubernetes #BitwardenSM #BitwardenSecretsManager
