aboutsummaryrefslogtreecommitdiff
path: root/content/operations/acces/pass.md
diff options
context:
space:
mode:
Diffstat (limited to 'content/operations/acces/pass.md')
-rw-r--r--content/operations/acces/pass.md34
1 files changed, 30 insertions, 4 deletions
diff --git a/content/operations/acces/pass.md b/content/operations/acces/pass.md
index 8193969..357db2e 100644
--- a/content/operations/acces/pass.md
+++ b/content/operations/acces/pass.md
@@ -4,7 +4,7 @@ description = "Le dépôt des secrets"
weight = 10
+++
-We use [pass, 'the standard unix password manager'](https://www.passwordstore.org/), to manage our key store securely at Deuxfleurs. Getting access to our production involves publishing one's GPG key (through Gitea) and importing/verifying/signing every other sysadmin's key, before setting up `pass`.
+We use [pass, 'the standard unix password manager'](https://www.passwordstore.org/), to manage our key store securely at Deuxfleurs. Getting access to our production involves publishing one's GPG key (through Gitea) and importing/verifying/signing every other sysadmin's key, before setting up `pass`. Lastly, you will be able to set your shell password on the desired cluster (`prod` or `staging`, at the time of writing).
Our process was adapted from [this Medium article](https://medium.com/@davidpiegza/using-pass-in-a-team-1aa7adf36592) — thanks, David!
@@ -59,9 +59,9 @@ gpg --edit-key E9602264D639FF68 # by key id
# gpg> save
```
-Once you signed every sysadmin, ask a sysadmin to add your key to the secrets keystore. They will need to [Add a sysadmin](#add-a-sysadmin).
+Once you signed every sysadmin, ask an administrator to add your key to the secrets keystore. They will need to [Add a sysadmin](#add-a-sysadmin).
-Now you are ready to install `pass`:
+Once your fellow admin has finished their job, you are ready to install `pass`:
```bash
sudo apt-get install pass # Debian + Ubuntu
@@ -89,7 +89,33 @@ Finally check that everything works:
pass show deuxfleurs
```
-If you see a listing, you settled!
+If you see a listing, it worked. Last step is to select a shell password for yourself on the cluster you are now in charge of (`prod` or `staging`, at the time of writing).
+
+
+Clone the nixcfg repository:
+
+```
+git clone git@git.deuxfleurs.fr:Deuxfleurs/nixcfg.git
+cd nixcfg
+```
+
+Use the passwd utility to set your shell password:
+```
+./passwd
+> Usage: ./passwd <cluster name> <username>
+> The cluster name must be the name of a subdirectory of cluster/
+```
+
+This commited changes to Deuxfleurs' password store, do verify your modifications before pushing them:
+```
+cd ~/.password-store/deuxfleurs
+git diff
+git push
+```
+
+You should now be able to `ssh` into our infrastructure with a unified shell password. This is explicated in `nixcfg` repo's [README](https://git.deuxfleurs.fr/Deuxfleurs/nixcfg#how-to-operate-a-node). Be cautious, and enjoy!
+
+> With great power comes great responsibility.
---