added the shell password creation process
This commit is contained in:
parent
50b6801b20
commit
af9145bd49
1 changed files with 30 additions and 4 deletions
|
@ -4,7 +4,7 @@ description = "Le dépôt des secrets"
|
||||||
weight = 10
|
weight = 10
|
||||||
+++
|
+++
|
||||||
|
|
||||||
We use [pass, 'the standard unix password manager'](https://www.passwordstore.org/), to manage our key store securely at Deuxfleurs. Getting access to our production involves publishing one's GPG key (through Gitea) and importing/verifying/signing every other sysadmin's key, before setting up `pass`.
|
We use [pass, 'the standard unix password manager'](https://www.passwordstore.org/), to manage our key store securely at Deuxfleurs. Getting access to our production involves publishing one's GPG key (through Gitea) and importing/verifying/signing every other sysadmin's key, before setting up `pass`. Lastly, you will be able to set your shell password on the desired cluster (`prod` or `staging`, at the time of writing).
|
||||||
|
|
||||||
Our process was adapted from [this Medium article](https://medium.com/@davidpiegza/using-pass-in-a-team-1aa7adf36592) — thanks, David!
|
Our process was adapted from [this Medium article](https://medium.com/@davidpiegza/using-pass-in-a-team-1aa7adf36592) — thanks, David!
|
||||||
|
|
||||||
|
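Review bot: the cluster list is hard-coded in the new intro sentence ("`prod` or `staging`, at the time of writing") and repeated verbatim further down in this patch, and `./passwd` already derives the valid names from the subdirectories of `cluster/`; consider pointing readers to that directory as the authoritative list in the intro so the two mentions do not drift apart when a cluster is added or renamed.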
@ -59,9 +59,9 @@ gpg --edit-key E9602264D639FF68 # by key id
|
||||||
# gpg> save
|
# gpg> save
|
||||||
```
|
```
|
||||||
|
|
||||||
Once you signed every sysadmin, ask a sysadmin to add your key to the secrets keystore. They will need to [Add a sysadmin](#add-a-sysadmin).
|
Once you signed every sysadmin, ask an administrator to add your key to the secrets keystore. They will need to [Add a sysadmin](#add-a-sysadmin).
|
||||||
|
|
||||||
Now you are ready to install `pass`:
|
Once your fellow admin has finished their job, you are ready to install `pass`:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
sudo apt-get install pass # Debian + Ubuntu
|
sudo apt-get install pass # Debian + Ubuntu
|
||||||
|
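Review bot: terminology drifts in this hunk: "ask a sysadmin" becomes "ask an administrator" and the following paragraph introduces "your fellow admin", while the link text on the same line still reads "Add a sysadmin" and the rest of the page uses "sysadmin" throughout; keep the one term, "sysadmin", so the prose matches the link anchor and the section it points to.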
@ -89,7 +89,33 @@ Finally check that everything works:
|
||||||
pass show deuxfleurs
|
pass show deuxfleurs
|
||||||
```
|
```
|
||||||
|
|
||||||
If you see a listing, you settled!
|
If you see a listing, it worked. Last step is to select a shell password for yourself on the cluster you are now in charge of (`prod` or `staging`, at the time of writing).
|
||||||
|
|
||||||
|
|
||||||
|
Clone the nixcfg repository:
|
||||||
|
|
||||||
|
```
|
||||||
|
git clone git@git.deuxfleurs.fr:Deuxfleurs/nixcfg.git
|
||||||
|
cd nixcfg
|
||||||
|
```
|
||||||
|
|
||||||
|
Use the passwd utility to set your shell password:
|
||||||
|
```
|
||||||
|
./passwd
|
||||||
|
> Usage: ./passwd <cluster name> <username>
|
||||||
|
> The cluster name must be the name of a subdirectory of cluster/
|
||||||
|
```
|
||||||
|
|
||||||
|
This commited changes to Deuxfleurs' password store, do verify your modifications before pushing them:
|
||||||
|
```
|
||||||
|
cd ~/.password-store/deuxfleurs
|
||||||
|
git diff
|
||||||
|
git push
|
||||||
|
```
|
||||||
|
|
||||||
|
You should now be able to `ssh` into our infrastructure with a unified shell password. This is explicated in `nixcfg` repo's [README](https://git.deuxfleurs.fr/Deuxfleurs/nixcfg#how-to-operate-a-node). Be cautious, and enjoy!
|
||||||
|
|
||||||
|
> With great power comes great responsibility.
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|
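Review bot: the verification step does not show what was committed: the text says `./passwd` already committed changes to the password store, but `git diff` with no arguments in `~/.password-store/deuxfleurs` compares the working tree with the index and will print nothing once the change is committed, so a reader would push without having reviewed anything; use `git show` (or `git log -p -1`) there instead, and keep `git push` after it. Smaller points in the same hunk: "commited" is misspelled, "explicated" reads oddly (prefer "explained"), the new code fences are untagged while the existing ones on this page use ```bash, and the `./passwd` block only shows the usage message; a concrete invocation in the form `./passwd <cluster name> <username>` would make the step easier to follow.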