From af9145bd49c115e84b807ae344780791560d931e Mon Sep 17 00:00:00 2001 From: Adrien Date: Thu, 10 Nov 2022 16:59:13 +0100 Subject: added the shell password creation process --- content/operations/acces/pass.md | 34 ++++++++++++++++++++++++++++++---- 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/content/operations/acces/pass.md b/content/operations/acces/pass.md index 8193969..357db2e 100644 --- a/content/operations/acces/pass.md +++ b/content/operations/acces/pass.md @@ -4,7 +4,7 @@ description = "Le dépôt des secrets" weight = 10 +++ -We use [pass, 'the standard unix password manager'](https://www.passwordstore.org/), to manage our key store securely at Deuxfleurs. Getting access to our production involves publishing one's GPG key (through Gitea) and importing/verifying/signing every other sysadmin's key, before setting up `pass`. +We use [pass, 'the standard unix password manager'](https://www.passwordstore.org/), to manage our key store securely at Deuxfleurs. Getting access to our production involves publishing one's GPG key (through Gitea) and importing/verifying/signing every other sysadmin's key, before setting up `pass`. Lastly, you will be able to set your shell password on the desired cluster (`prod` or `staging`, at the time of writing). Our process was adapted from [this Medium article](https://medium.com/@davidpiegza/using-pass-in-a-team-1aa7adf36592) — thanks, David! @@ -59,9 +59,9 @@ gpg --edit-key E9602264D639FF68 # by key id # gpg> save ``` -Once you signed every sysadmin, ask a sysadmin to add your key to the secrets keystore. They will need to [Add a sysadmin](#add-a-sysadmin). +Once you signed every sysadmin, ask an administrator to add your key to the secrets keystore. They will need to [Add a sysadmin](#add-a-sysadmin). -Now you are ready to install `pass`: +Once your fellow admin has finished their job, you are ready to install `pass`: ```bash sudo apt-get install pass # Debian + Ubuntu 
@@ -89,7 +89,33 @@ Finally check that everything works: pass show deuxfleurs ``` -If you see a listing, you settled! +If you see a listing, it worked. Last step is to select a shell password for yourself on the cluster you are now in charge of (`prod` or `staging`, at the time of writing). + + +Clone the nixcfg repository: + +``` +git clone git@git.deuxfleurs.fr:Deuxfleurs/nixcfg.git +cd nixcfg +``` + +Use the passwd utility to set your shell password: +``` +./passwd +> Usage: ./passwd +> The cluster name must be the name of a subdirectory of cluster/ +``` + +This commited changes to Deuxfleurs' password store, do verify your modifications before pushing them: +``` +cd ~/.password-store/deuxfleurs +git diff +git push +``` + +You should now be able to `ssh` into our infrastructure with a unified shell password. This is explicated in `nixcfg` repo's [README](https://git.deuxfleurs.fr/Deuxfleurs/nixcfg#how-to-operate-a-node). Be cautious, and enjoy! + +> With great power comes great responsibility. --- -- cgit v1.2.3
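Review bot: In the first hunk, the parenthetical "(`prod` or `staging`, at the time of writing)" added to the intro is repeated word for word in the last hunk of this same patch; keep the list of cluster names in one place (the intro is fine) so it does not have to be updated twice when a cluster is added or renamed.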
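Review bot: In the second hunk, the terminology becomes inconsistent: the changed line says "ask an administrator", the next changed line says "your fellow admin", while the link text on the same line and the rest of the page use "sysadmin" ("[Add a sysadmin](#add-a-sysadmin)"). Pick one term, e.g. "ask a fellow sysadmin to add your key" and "Once they have done so, you are ready to install `pass`:", so the reader does not wonder whether "administrator" is a different role.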
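Review bot: In the last hunk, the verification step does not show what it claims to: the text says the `passwd` script "commited changes" to the password store, but the snippet then runs `git diff`, which compares the working tree against the index and will print nothing once the change is already committed, so a reader following it literally will "verify" an empty diff and push. Use `git show` (or `git log -p -1`) to display the committed change, and consider a `git pull --rebase` before `git push` since other sysadmins commit to the same store. Same hunk, smaller points: "commited" should be "committed"; the usage block shows `./passwd` with no cluster argument even though the next line says a cluster name must be given, so show the real invocation with its argument; the three new fences are untagged while the surrounding blocks use ```bash; and there is a stray double blank line after the "If you see a listing" paragraph.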