From 365f1fdeb6723aa4d1087de98b48c873443272a3 Mon Sep 17 00:00:00 2001 From: marion Date: Sat, 16 Mar 2024 17:21:49 +0000 Subject: =?UTF-8?q?Update=20Op=C3=A9rations=20=E2=80=9Cpass=E2=80=9D?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- content/operations/pass.md | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) (limited to 'content') diff --git a/content/operations/pass.md b/content/operations/pass.md index 231dc6c..1b3c122 100644 --- a/content/operations/pass.md +++ b/content/operations/pass.md @@ -1,11 +1,12 @@ --- -title: "Le dépôt des secrets" -description: "Le dépôt des secrets" +title: Le dépôt des secrets +description: Le dépôt des secrets weight: 10 +draft: false +date: 2024-03-16 extra: - parent: 'operations/acces.md' + parent: operations/acces.md --- - We use [pass, 'the standard unix password manager'](https://www.passwordstore.org/), to manage our key store securely at Deuxfleurs. Getting access to our production involves publishing one's GPG key (through Gitea) and importing/verifying/signing every other sysadmin's key, before setting up `pass`. Lastly, you will be able to set your shell password on the desired cluster (`prod` or `staging`, at the time of writing). Our process was adapted from [this Medium article](https://medium.com/@davidpiegza/using-pass-in-a-team-1aa7adf36592) — thanks, David! @@ -18,21 +19,20 @@ If you do not already have one, you can generate a new one with: ```bash gpg2 --expert --full-gen-key # Personnaly I use `9) ECC and ECC`, `1) Curve 25519`, and `5y` +# Pour le nom, il vous identifie vous, vous pouvez l'utiliser pour signer des mails par exemple. ``` (Il se peut que vous n'ayez que la commande `gpg` sur votre PC parce qu'il est moderne. Faites `gpg --version` pour vérifier.) In any case, you need to export your public key. Upload the output (public key) of the following command to [your Gitea account](https://git.deuxfleurs.fr/user/settings/keys). - ```bash gpg2 --export --armor ``` It is now publicly accessible at `https://git.deuxfleurs.fr/.gpg` -### Inform the other sysadmins that you have published your key - +### Inform the other sysadmins that you have published your key Download the `secrets` repository: @@ -42,24 +42,21 @@ cd ~/.password-store git clone git@git.deuxfleurs.fr:Deuxfleurs/secrets.git deuxfleurs ``` - -Get the ``, which you can get with `gpg --list-keys --keyid-format 0xLONG `. -It's in the format `0x0123456789ABCDEF`. +Get the ``, which you can get with `gpg --list-keys --keyid-format 0xLONG` . +It's in the format `0x0123456789ABCDEF`. Beware to take the key of your main key (line begins with `pub`, not with `sub`). -* Add your key address to the `Import keys` section of the repo's `README.md`: +- Add your key address to the `Import keys` section of the repo's `README.md`: ``` curl https://git.deuxfleurs.fr/.gpg | gpg2 --import # ``` -* Also add your `` to the `.gpg-id` file. - -* In [your Gitea settings](https://git.deuxfleurs.fr/user/settings), ensure your User visibility is `Public`. +- Also add your `` to the `.gpg-id` file. +- In [your Gitea settings](https://git.deuxfleurs.fr/user/settings), ensure your User visibility is `Public`. Now `git commit/pull/push`, and tell yo' friends that you're all set. - ### Import/verify/sign every other sysadmin's key into your keychain You now need to import and sign every other sysadmin's GPG key. For example, import Quentin's key to your keychain as follow: @@ -73,9 +70,8 @@ gpg2 --list-keys # sub cv25519/0xA40574404FF72851 2022-04-19 [E] [expire : 2027-04-18] ``` -> How to read this snippet: -> - the key id: `E9602264D639FF68` -> - the key fingerprint: `8023 E27D F1BB D52C 559B 054C E960 2264 D639 FF68` +> How to read this snippet:- the key id: `E9602264D639FF68` +> - the key fingerprint: `8023 E27D F1BB D52C 559B 054C E960 2264 D639 FF68` To perform the check, you need another communication channel (ideally physically, otherwise through the phone, Matrix if you already trusted the other person, or else). Compare the signature you read with the sysadmin's. If they match, you good. @@ -104,7 +100,7 @@ brew install pass # macOS pkg install password-store # FreeBSD ``` -*Go to [passwordstore.org](https://www.passwordstore.org/) for more information about pass*. +_Go to for more information about pass_. Finally check that everything works: @@ -114,7 +110,6 @@ pass show deuxfleurs If you see a listing, it worked. Last step is to select a shell password for yourself on the cluster you are now in charge of (`prod` or `staging`, at the time of writing). - Clone the nixcfg repository: ``` @@ -123,6 +118,7 @@ cd nixcfg ``` Use the passwd utility to set your shell password: + ``` ./passwd > Usage: ./passwd @@ -130,6 +126,7 @@ Use the passwd utility to set your shell password: ``` This commited changes to Deuxfleurs' password store, do verify your modifications before pushing them: + ``` cd ~/.password-store/deuxfleurs git diff @@ -166,7 +163,6 @@ pass insert deuxfleurs/backup_nextcloud ## Add a sysadmin - Make sure that you trust the keys of your new sysadmin: ``` @@ -211,3 +207,7 @@ mkdir -p ~/.password-store cd ~/.password-store git clone https://git.example.com/org/repo.git deuxfleurs ``` + + + + -- cgit v1.2.3