Update Opérations “pass”

This commit is contained in:
marion 2024-03-16 17:21:49 +00:00
parent 321c4586b5
commit 365f1fdeb6

View file

@ -1,11 +1,12 @@
--- ---
title: "Le dépôt des secrets" title: Le dépôt des secrets
description: "Le dépôt des secrets" description: Le dépôt des secrets
weight: 10 weight: 10
draft: false
date: 2024-03-16
extra: extra:
parent: 'operations/acces.md' parent: operations/acces.md
--- ---
We use [pass, 'the standard unix password manager'](https://www.passwordstore.org/), to manage our key store securely at Deuxfleurs. Getting access to our production involves publishing one's GPG key (through Gitea) and importing/verifying/signing every other sysadmin's key, before setting up `pass`. Lastly, you will be able to set your shell password on the desired cluster (`prod` or `staging`, at the time of writing). We use [pass, 'the standard unix password manager'](https://www.passwordstore.org/), to manage our key store securely at Deuxfleurs. Getting access to our production involves publishing one's GPG key (through Gitea) and importing/verifying/signing every other sysadmin's key, before setting up `pass`. Lastly, you will be able to set your shell password on the desired cluster (`prod` or `staging`, at the time of writing).
Our process was adapted from [this Medium article](https://medium.com/@davidpiegza/using-pass-in-a-team-1aa7adf36592) — thanks, David! Our process was adapted from [this Medium article](https://medium.com/@davidpiegza/using-pass-in-a-team-1aa7adf36592) — thanks, David!
@ -18,13 +19,13 @@ If you do not already have one, you can generate a new one with:
```bash ```bash
gpg2 --expert --full-gen-key gpg2 --expert --full-gen-key
# Personnaly I use `9) ECC and ECC`, `1) Curve 25519`, and `5y` # Personnaly I use `9) ECC and ECC`, `1) Curve 25519`, and `5y`
# Pour le nom, il vous identifie vous, vous pouvez l'utiliser pour signer des mails par exemple.
``` ```
(Il se peut que vous n'ayez que la commande `gpg` sur votre PC parce qu'il est moderne. Faites `gpg --version` pour vérifier.) (Il se peut que vous n'ayez que la commande `gpg` sur votre PC parce qu'il est moderne. Faites `gpg --version` pour vérifier.)
In any case, you need to export your public key. Upload the output (public key) of the following command to [your Gitea account](https://git.deuxfleurs.fr/user/settings/keys). In any case, you need to export your public key. Upload the output (public key) of the following command to [your Gitea account](https://git.deuxfleurs.fr/user/settings/keys).
```bash ```bash
gpg2 --export --armor <your email address> gpg2 --export --armor <your email address>
``` ```
@ -33,7 +34,6 @@ It is now publicly accessible at `https://git.deuxfleurs.fr/<your_gitea_username
### Inform the other sysadmins that you have published your key ### Inform the other sysadmins that you have published your key
Download the `secrets` repository: Download the `secrets` repository:
``` ```
@ -42,24 +42,21 @@ cd ~/.password-store
git clone git@git.deuxfleurs.fr:Deuxfleurs/secrets.git deuxfleurs git clone git@git.deuxfleurs.fr:Deuxfleurs/secrets.git deuxfleurs
``` ```
Get the `<hexa_of_your_gpg_key>`, which you can get with `gpg --list-keys --keyid-format 0xLONG` .
Get the `<hexa_of_your_gpg_key>`, which you can get with `gpg --list-keys --keyid-format 0xLONG `.
It's in the format `0x0123456789ABCDEF`. It's in the format `0x0123456789ABCDEF`.
Beware to take the key of your main key (line begins with `pub`, not with `sub`). Beware to take the key of your main key (line begins with `pub`, not with `sub`).
* Add your key address to the `Import keys` section of the repo's `README.md`: - Add your key address to the `Import keys` section of the repo's `README.md`:
``` ```
curl https://git.deuxfleurs.fr/<your_gitea_username>.gpg | gpg2 --import # <hexa_of_your_gpg_key> curl https://git.deuxfleurs.fr/<your_gitea_username>.gpg | gpg2 --import # <hexa_of_your_gpg_key>
``` ```
* Also add your `<hexa_of_your_gpg_key>` to the `.gpg-id` file. - Also add your `<hexa_of_your_gpg_key>` to the `.gpg-id` file.
- In [your Gitea settings](https://git.deuxfleurs.fr/user/settings), ensure your User visibility is `Public`.
* In [your Gitea settings](https://git.deuxfleurs.fr/user/settings), ensure your User visibility is `Public`.
Now `git commit/pull/push`, and tell yo' friends that you're all set. Now `git commit/pull/push`, and tell yo' friends that you're all set.
### Import/verify/sign every other sysadmin's key into your keychain ### Import/verify/sign every other sysadmin's key into your keychain
You now need to import and sign every other sysadmin's GPG key. For example, import Quentin's key to your keychain as follow: You now need to import and sign every other sysadmin's GPG key. For example, import Quentin's key to your keychain as follow:
@ -73,9 +70,8 @@ gpg2 --list-keys
# sub cv25519/0xA40574404FF72851 2022-04-19 [E] [expire : 2027-04-18] # sub cv25519/0xA40574404FF72851 2022-04-19 [E] [expire : 2027-04-18]
``` ```
> How to read this snippet: > How to read this snippet:- the key id: `E9602264D639FF68`
> - the key id: `E9602264D639FF68` > - the key fingerprint: `8023 E27D F1BB D52C 559B 054C E960 2264 D639 FF68`
> - the key fingerprint: `8023 E27D F1BB D52C 559B 054C E960 2264 D639 FF68`
To perform the check, you need another communication channel (ideally physically, otherwise through the phone, Matrix if you already trusted the other person, or else). Compare the signature you read with the sysadmin's. If they match, you good. To perform the check, you need another communication channel (ideally physically, otherwise through the phone, Matrix if you already trusted the other person, or else). Compare the signature you read with the sysadmin's. If they match, you good.
@ -104,7 +100,7 @@ brew install pass # macOS
pkg install password-store # FreeBSD pkg install password-store # FreeBSD
``` ```
*Go to [passwordstore.org](https://www.passwordstore.org/) for more information about pass*. _Go to for more information about pass_.
Finally check that everything works: Finally check that everything works:
@ -114,7 +110,6 @@ pass show deuxfleurs
If you see a listing, it worked. Last step is to select a shell password for yourself on the cluster you are now in charge of (`prod` or `staging`, at the time of writing). If you see a listing, it worked. Last step is to select a shell password for yourself on the cluster you are now in charge of (`prod` or `staging`, at the time of writing).
Clone the nixcfg repository: Clone the nixcfg repository:
``` ```
@ -123,6 +118,7 @@ cd nixcfg
``` ```
Use the passwd utility to set your shell password: Use the passwd utility to set your shell password:
``` ```
./passwd ./passwd
> Usage: ./passwd <cluster name> <username> > Usage: ./passwd <cluster name> <username>
@ -130,6 +126,7 @@ Use the passwd utility to set your shell password:
``` ```
This commited changes to Deuxfleurs' password store, do verify your modifications before pushing them: This commited changes to Deuxfleurs' password store, do verify your modifications before pushing them:
``` ```
cd ~/.password-store/deuxfleurs cd ~/.password-store/deuxfleurs
git diff git diff
@ -166,7 +163,6 @@ pass insert deuxfleurs/backup_nextcloud
## Add a sysadmin ## Add a sysadmin
Make sure that you trust the keys of your new sysadmin: Make sure that you trust the keys of your new sysadmin:
``` ```
@ -211,3 +207,7 @@ mkdir -p ~/.password-store
cd ~/.password-store cd ~/.password-store
git clone https://git.example.com/org/repo.git deuxfleurs git clone https://git.example.com/org/repo.git deuxfleurs
``` ```