From 8f5f0b141d7b97cc1b93ffb987b69300926a443e Mon Sep 17 00:00:00 2001 From: bjornw Date: Tue, 10 Dec 2024 12:00:59 +0100 Subject: [PATCH] Add meeting-notes/2024-12-10-decision-making-meeting-dealing-with-secrets.md Add notes & decision on how to deal with secrets --- ...ion-making-meeting-dealing-with-secrets.md | 74 +++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 meeting-notes/2024-12-10-decision-making-meeting-dealing-with-secrets.md diff --git a/meeting-notes/2024-12-10-decision-making-meeting-dealing-with-secrets.md b/meeting-notes/2024-12-10-decision-making-meeting-dealing-with-secrets.md new file mode 100644 index 0000000..ae409f5 --- /dev/null +++ b/meeting-notes/2024-12-10-decision-making-meeting-dealing-with-secrets.md 
@@ -0,0 +1,74 @@ +# 'Secret(s)' meeting +**Date:** 2024-12-10 +**Present:** Ronny, Koen, Eric, Richard, Gheorghe, Kevin, Valentin, Robert, Bjorn, Nicolas + +## Goal of this meeting +Decide on how we want to deal with secrets, e.g. passwords for systems. + +## Expected end result +At the end of this meeting we have a decision on how to continue with secrets + +## Preparations +Please read this: +https://git.fediversity.eu/Fediversity/meta/src/branch/main/secrets-management.md + +## Decision made: +**For now we wil continue with Agenix & keep our options open. We will also ask the security professionals for a sanity check. NLNet offers support from Radically Open Security for this. Ask them for their input & look into the security options (MFA etc). Please include advice on this for NixOps as well.** + +## Actions +@ronny will contact Radically Open Security (part of the NLNet offerings). This might take a few weeks as Ronny knows that ROS has a bit of backlog. + + +### Team members perspectives, thoughts & observations +* Koen + * Passbolt might be an option as well (https://www.passbolt.com). + * Vaultwarden is an api compatible reimplementation of Bitwarden. + * If fully automated: don't care, but if broken we need to be able to easily fix this + * Vaultwarden is now used at Procolix. Secrets are now handled manually. + * Vaultwarden maintenance is a PITA. Without docker it failed, using it now using Docker. Vaultwarden in Nix works, but still a blackbox. Need to get more info on the internals in case something breaks. + * Pref solution: doubting: upfront time investment is not a problem. Is API usage by the Nix developers an obstabcle? Barrier as low as possible. + * Choose something now, no multiple options. +* Nicolas + * agenix prefered when talking about Git type of solutions + * Big question: git vs application + * Pref solution: agenix one person setup, bootstrapping would be easier for me. Might need a bit more time to look into applications API's. 
+* Eric + * Secrets for systems & config have diff req vs those for users. One size fits all does not apply here. + * Pref solution: the solution with less moving parts. + * Offers insights into experiences he has +* Valentin + * Vaultwarden offers all the features we need. + * Passbolt needs to be researched to check for feature parity. + * Vaultwarden is already used by Procolix. + * Secrets application connects to NixOps via a resource provider + * Pref solution: application route. + * Domain experts have already thought about this. +* Gheorghe: + * Backup & restore should be taken into consideration as well. Test restoring with the solution you choose. + * Pref solution: keep eye on what to deliver. Nicholas has to deliver, so +1 with Nicolas. + * Other solution features need to be taken into account: e.g. MFA etc. +* Bjorn + * Using an application has the added benefit: users may use this as part of the services offered by Fediversity. + * Pref solution: what's the exit plan? Do we have an exit plan? Should check the docs for import/export for both solutions. An application would be my preference. +* Ronny + * Users usecase + * Sysadmin usecase + * Systems usecase + * TIL Agenix, interesting. + * Diff between users facing & systems + * Pref solution: for sysadmins/users: app like Vaultwarden & for inter systems git +* Robert + * In NixOps there's state incl secrets + * secrets could also be transferred to the secrets management tool + * NixOps can call an app to generate secrets. Resource providers can stored this. + * Pref solution: git based, because Robert is more adapted to git. +* Kevin + * Not so aquintainted with this topic + * If stuff fails it would be worthwhile to be able to access it. + * Pref solution: Vaultwarden. Api looks pretty good. +* Richard: + * Worked with Vaultwarden & Bitwarden. Not nec pref. + * Only experienced the UI side not the CLI side. + * Pref solution: open to both solutions + +
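Review bot: the Actions section records only one item (Ronny contacting Radically Open Security), while the decision and the team perspectives raise follow-ups that have no owner or date: the "security options (MFA etc)" review and the "advice on this for NixOps" named in the decision, Gheorghe's "Test restoring with the solution you choose", and Bjorn's exit-plan question ("Should check the docs for import/export for both solutions"). Suggest adding each of these under `## Actions` with an @owner, the same way the ROS item is written, so that the "keep our options open" part of the decision is actually tracked rather than left in the perspectives list. Minor, same hunk: typos "wil", "obstabcle", "aquintainted", "stored this" (should be "store this"), and "Nicholas" under Gheorghe's bullet should match "Nicolas" as spelled in the attendee list and elsewhere.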