added the shell password creation process

This commit is contained in:
Adrien 2022-11-10 16:59:13 +01:00
parent 50b6801b20
commit af9145bd49


@ -4,7 +4,7 @@ description = "Le dépôt des secrets"
weight = 10 weight = 10
+++ +++
We use [pass, 'the standard unix password manager'](https://www.passwordstore.org/), to manage our key store securely at Deuxfleurs. Getting access to our production involves publishing one's GPG key (through Gitea) and importing/verifying/signing every other sysadmin's key, before setting up `pass`. We use [pass, 'the standard unix password manager'](https://www.passwordstore.org/), to manage our key store securely at Deuxfleurs. Getting access to our production involves publishing one's GPG key (through Gitea) and importing/verifying/signing every other sysadmin's key, before setting up `pass`. Lastly, you will be able to set your shell password on the desired cluster (`prod` or `staging`, at the time of writing).
Our process was adapted from [this Medium article](https://medium.com/@davidpiegza/using-pass-in-a-team-1aa7adf36592) — thanks, David! Our process was adapted from [this Medium article](https://medium.com/@davidpiegza/using-pass-in-a-team-1aa7adf36592) — thanks, David!
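Review bot: the new closing sentence in the intro hard-codes the cluster list (`prod` or `staging`, at the time of writing), and the same list is repeated verbatim in the new final section of this page; name the clusters in one place, or point at the `cluster/` subdirectories that `./passwd` itself enumerates, so the two copies do not drift apart when a cluster is added or renamed.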
@ -59,9 +59,9 @@ gpg --edit-key E9602264D639FF68 # by key id
# gpg> save # gpg> save
``` ```
Once you signed every sysadmin, ask a sysadmin to add your key to the secrets keystore. They will need to [Add a sysadmin](#add-a-sysadmin). Once you signed every sysadmin, ask an administrator to add your key to the secrets keystore. They will need to [Add a sysadmin](#add-a-sysadmin).
Now you are ready to install `pass`: Once your fellow admin has finished their job, you are ready to install `pass`:
```bash ```bash
sudo apt-get install pass # Debian + Ubuntu sudo apt-get install pass # Debian + Ubuntu
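Review bot: the terminology in this hunk becomes inconsistent: "ask a sysadmin" is changed to "ask an administrator" and the next sentence says "your fellow admin", while the link text and anchor in the same line remain "[Add a sysadmin](#add-a-sysadmin)" and the rest of the page says "sysadmin". Pick one term (the anchor suggests "sysadmin") and use it in both new sentences.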
@ -89,7 +89,33 @@ Finally check that everything works:
pass show deuxfleurs pass show deuxfleurs
``` ```
If you see a listing, you settled! If you see a listing, it worked. Last step is to select a shell password for yourself on the cluster you are now in charge of (`prod` or `staging`, at the time of writing).
Clone the nixcfg repository:
```
git clone git@git.deuxfleurs.fr:Deuxfleurs/nixcfg.git
cd nixcfg
```
Use the passwd utility to set your shell password:
```
./passwd
> Usage: ./passwd <cluster name> <username>
> The cluster name must be the name of a subdirectory of cluster/
```
This commited changes to Deuxfleurs' password store, do verify your modifications before pushing them:
```
cd ~/.password-store/deuxfleurs
git diff
git push
```
You should now be able to `ssh` into our infrastructure with a unified shell password. This is explicated in `nixcfg` repo's [README](https://git.deuxfleurs.fr/Deuxfleurs/nixcfg#how-to-operate-a-node). Be cautious, and enjoy!
> With great power comes great responsibility.
--- ---
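Review bot: the `./passwd` block only shows the usage banner that the script prints when run without arguments, so the reader is never shown a real invocation; add the actual command in the form the banner describes, e.g. `./passwd prod <your username>` (or `staging`), and state that the username must match the account you will later `ssh` in with. Smaller points in the same hunk: the three new fenced blocks are untagged while the existing ones on this page use ```bash; "commited" should be "committed" and "explicated" should be "explained"; the sentence before `git diff`/`git push` would be clearer as "this has committed changes to Deuxfleurs' password store; review the diff and make sure only your own entry changed before pushing", since the push publishes the change to every other sysadmin's store; and `cd ~/.password-store/deuxfleurs` assumes the store location set up earlier in this document, so reference that step rather than repeating the path.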