added the shell password creation process
This commit is contained in:
parent
50b6801b20
commit
af9145bd49
1 changed files with 30 additions and 4 deletions
|
@ -4,7 +4,7 @@ description = "Le dépôt des secrets"
|
|||
weight = 10
|
||||
+++
|
||||
|
||||
We use [pass, 'the standard unix password manager'](https://www.passwordstore.org/), to manage our key store securely at Deuxfleurs. Getting access to our production involves publishing one's GPG key (through Gitea) and importing/verifying/signing every other sysadmin's key, before setting up `pass`.
|
||||
We use [pass, 'the standard unix password manager'](https://www.passwordstore.org/), to manage our key store securely at Deuxfleurs. Getting access to our production involves publishing one's GPG key (through Gitea) and importing/verifying/signing every other sysadmin's key, before setting up `pass`. Lastly, you will be able to set your shell password on the desired cluster (`prod` or `staging`, at the time of writing).
|
||||
|
||||
Our process was adapted from [this Medium article](https://medium.com/@davidpiegza/using-pass-in-a-team-1aa7adf36592) — thanks, David!
|
||||
|
||||
|
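Review bot: the sentence added to the intro hardcodes the cluster list inline (`prod` or `staging`, at the time of writing), and the identical parenthetical is repeated word for word in the third hunk ("If you see a listing, it worked. Last step is to select a shell password ..."). Since the `./passwd` usage text added further down already derives the valid names from the subdirectories of `cluster/`, point the reader at that directory here instead of enumerating clusters, so the intro does not go stale the next time a cluster is added or renamed.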
@ -59,9 +59,9 @@ gpg --edit-key E9602264D639FF68 # by key id
|
|||
# gpg> save
|
||||
```
|
||||
|
||||
Once you signed every sysadmin, ask a sysadmin to add your key to the secrets keystore. They will need to [Add a sysadmin](#add-a-sysadmin).
|
||||
Once you signed every sysadmin, ask an administrator to add your key to the secrets keystore. They will need to [Add a sysadmin](#add-a-sysadmin).
|
||||
|
||||
Now you are ready to install `pass`:
|
||||
Once your fellow admin has finished their job, you are ready to install `pass`:
|
||||
|
||||
```bash
|
||||
sudo apt-get install pass # Debian + Ubuntu
|
||||
|
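Review bot: the reworded line mixes terminology: "ask an administrator" replaces "ask a sysadmin", yet the same sentence still links to [Add a sysadmin](#add-a-sysadmin), the line before it says "Once you signed every sysadmin", and the next changed line says "your fellow admin". Keep one term (sysadmin, which the linked section heading uses) throughout, e.g. "ask a sysadmin to add your key to the secrets keystore" and "Once that sysadmin has finished, you are ready to install `pass`".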
@ -89,7 +89,33 @@ Finally check that everything works:
|
|||
pass show deuxfleurs
|
||||
```
|
||||
|
||||
If you see a listing, you settled!
|
||||
If you see a listing, it worked. Last step is to select a shell password for yourself on the cluster you are now in charge of (`prod` or `staging`, at the time of writing).
|
||||
|
||||
|
||||
Clone the nixcfg repository:
|
||||
|
||||
```
|
||||
git clone git@git.deuxfleurs.fr:Deuxfleurs/nixcfg.git
|
||||
cd nixcfg
|
||||
```
|
||||
|
||||
Use the passwd utility to set your shell password:
|
||||
```
|
||||
./passwd
|
||||
> Usage: ./passwd <cluster name> <username>
|
||||
> The cluster name must be the name of a subdirectory of cluster/
|
||||
```
|
||||
|
||||
This commited changes to Deuxfleurs' password store, do verify your modifications before pushing them:
|
||||
```
|
||||
cd ~/.password-store/deuxfleurs
|
||||
git diff
|
||||
git push
|
||||
```
|
||||
|
||||
You should now be able to `ssh` into our infrastructure with a unified shell password. This is explicated in `nixcfg` repo's [README](https://git.deuxfleurs.fr/Deuxfleurs/nixcfg#how-to-operate-a-node). Be cautious, and enjoy!
|
||||
|
||||
> With great power comes great responsibility.
|
||||
|
||||
---
|
||||
|
||||
|
|
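Review bot: the verification step in the "This commited changes to Deuxfleurs' password store" paragraph does not check what it claims to: the text says the changes are already committed, but `git diff` only shows uncommitted working-tree changes, so after `cd ~/.password-store/deuxfleurs` it prints nothing and the reader runs `git push` without having reviewed anything. Replace it with `git log -p -1` (or `git show HEAD`) so the committed secret-store change is actually inspected before the push. Two smaller points in the same hunk: the `./passwd` block shows only the usage message and never the real invocation, so add the concrete call after it (e.g. `./passwd prod <username>`) and say what `<username>` refers to; and "commited" should be "committed", "do verify" reads better as "verify", and the three new fences are untagged while the rest of the file uses ```bash.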