keys: add contributor kiara (#97)

2025-02-04 12:54:10 +01:00 · 2025-02-04 12:54:10 +01:00 · 1b8be1da27
commit 1b8be1da27
parent 12ab424a89 93e21f188a
10 changed files with 101 additions and 42 deletions
--- a/infra/README.org
+++ b/infra/README.org
@ -1,6 +1,9 @@
 #+title: Infra

 This directory contains the definition of the VMs that host our infrastructure.
+
+* NixOps4
+
 Their configuration can be updated via NixOps4. Run

 #+begin_src sh
@ -26,14 +29,21 @@ Then, given a deployment (eg. ~git~), run
 nixops4 apply <deployment>
 #+end_src

+Alternatively, to run the ~default~ deployment, run
+
+#+begin_src sh
+nixops4 apply
+#+end_src
+
 * Deployments

+- default :: Contains everything
 - ~git~ :: Machines hosting our Git infrastructure, eg. Forgejo and its actions
  runners
 - ~web~ :: Machines hosting our online content, eg. the website or the wiki
 - ~other~ :: Machines without a specific purpose

-* Procolix machines
+* Machines

 These machines are hosted on the Procolix Proxmox instance, to which
 non-Procolix members of the project do not have access. They host our stable
--- a/keys/README.md
+++ b/keys/README.md
@ -0,0 +1,32 @@
+# Keys
+
+This directory contains the SSH public keys of both contributors to the projects
+and systems that we administrate. Keys are used both for [secrets](../secrets)
+decryption and [infra](../infra) management.
+
+Which private keys can be used to decrypt secrets is defined in
+[`secrets.nix`](../secrets/secrets.nix) as _all the contributors_ as well as the
+specific systems that need access to the secret in question. Adding a
+contributor of system's key to a secret requires rekeying the secret, which can
+only be done by some key that had already access to it. (Alternatively, one can
+overwrite a secret without knowing its contents.)
+
+In infra management, the systems' keys are used for security reasons; they
+identify the machine that we are talking to. The contributor keys are used to
+give access to the `root` user on these machines, which allows, among other
+things, to deploy their configurations with NixOps4.
+
+## Adding a contributor
+
+Adding a contributor consists of three steps:
+
+1. The contributor in question adds a file with their key to the
+   `./contributors` directory, and opens a pull request with it.
+
+2. An already-existing contributor rekeys the secrets, taking that new key into
+   account. See [../secrets#adding-a-contributor].
+
+3. An already-existing contributor redeploys the infrastructure to take into
+   account the new access. See [../infra].
+
+4. The pull request is accepted and merged.
--- a/keys/contributors/kiara
+++ b/keys/contributors/kiara
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHTIqF4CAylSxKPiSo5JOPuocn0y2z38wOSsQ1MUaZ2 kiara@procolix.eu
--- a/secrets/README.md
+++ b/secrets/README.md
@ -49,3 +49,8 @@ As an example, let us add a secret in a file “cheeses” whose content should
   service that you are using must be able to read from a file at runtime, and
   if the NixOS default module options do not provide that, you must find a way
   around it.
+
+### Adding a contributor
+
+See [../keys]. Rekeying can be done by running `agenix --rekey` (or `-r` for
+short) in the current directory. This requires access to the secrets.
--- a/secrets/forgejo-database-password.age
+++ b/secrets/forgejo-database-password.age
@ -1,9 +1,13 @@
 age-encryption.org/v1
-> ssh-ed25519 ofQnlg wo0Yxrm+saKiGo4Woo8A+I6fXyLV0OfguJsrRPCc7Ds
-tHJU5jzLj8qFrYzPOdECBC7ugbryxWvF2Lp4lPN7Tyw
-> ssh-ed25519 1MUEqQ jYC4xvbi/9g9yUppVgCcBP6X3WiaqUpBxvmGqezntkk
-jCZxTWxN35Tcc8HLmlWyL+7V48fXBriD+yF35kIMTlk
-> ssh-ed25519 Fa25Dw O7SPXB23UF0uYlkgDNWP9rUHVJAA8RwFqhyPU38Nk1s
-BRemDl0+rszCOQw4G1GYVpxbhb0gMq5pxyguKjncXCk
--- n4IPbDBJwmEGQTlsYxRQSI+9Db14zAd3ji2X248XbsI
-¬¡\ÛµûðÓZ³ù:”ÑûY8`§Àõ5Ã–¿ó`¬¦ÉÍ•=ä¨„A—Ê
+-> ssh-ed25519 ofQnlg G6Wg5L2ohyZZ9NnCAQ03ycAbP7HBa6/wGjNCsNF8nR0
+OCh5tR7JSEZUAd4oDqNlKUznNus/EZrLTjzCNpFfSTM
+-> ssh-ed25519 COspvA Qbs9EvqDbPzMB3ciM9e37gXaCp2OAQ/rG6LzMhdBkwE
+/eBnkgGBhuweXzd2aw1XXoaHc8JbXLrqMqcY8CAqDr4
+-> ssh-ed25519 1MUEqQ jacwM4dAbNezkeMY9FzmGlXtTneLoMUFJtfm6dyNsVA
+AodDTXYSkPoxS807xw+l0WbO9dMau9xp2Y9h0Ir6o8s
+-> ssh-ed25519 Fa25Dw quSJ54tQOBBNtnkc/4dxH1z7SfIfJsr+9iORnT4XXmg
+q//oLKS+eRHwraOEDayxrnLmUJ1Zfahr/ZXvuqYvtzc
+--- NLwY5C6WKTUSVYbmeSUJE1SiM19/rDb3pqMrVUx/l0c
+ÒtÍ
+÷ZÉÇ:¸+pâa£œ¯lÂ¹¿½ò1z 
+ë-y)nZ5û·•Ãhì
--- a/secrets/forgejo-email-password.age
+++ b/secrets/forgejo-email-password.age
@ -1,9 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 ofQnlg prrfNlkyvRBGfJuBx54mKbwAfHL8t6Y+uLmt3jGEvHs
-Sg8zLilpIGA4nq2bQToGgYeGP2sLCeqzKuGF2YzuXdM
-> ssh-ed25519 1MUEqQ daSO/J5Bw59xVlAYcsyIixqsZIolBIUAca9MmhXZoCI
-vjzpcxlKWk3VG2N6MayegZ8sF/2SmJVGBSSef8zAtR8
-> ssh-ed25519 Fa25Dw GsQSZx3mY6RBdZBzYZnn+s4og7/HgXPDAamNh80VNxQ
-1jh4jyVVunbrUfwGduwz7drINatxYG8VWXC1nG2WnG4
--- KMa4vGnd/X4pkboVfhkCeheagMC/T7e1RlqeF/tCheE
-ï»c×àuH¬>¾h5žM!ÑßfK«„‚xr»u*@Ä–&ûÙÄ<>O©˜‘s4™å\w
+-> ssh-ed25519 ofQnlg dmH3/gWbrhiYDSEzfEvwto/7ULietn9DHs7bqNRLuDE
+na8BTt4OCwwwJb/NNkUU1NWZKzsMyW84REcaz0bEX7c
+-> ssh-ed25519 COspvA bk/ixd0gon+sxmhW+OBGY9sRaCVOZ267TELGFkkuUxs
+Y+XnlUVETv4fqA5uGd3VaHIs4mAJQQw+xmGweWPOP70
+-> ssh-ed25519 1MUEqQ /mf6QgPlFqYGdQJHJbe2TEIusTxw0ftsemWst07nW3I
+SLzAtO31Evm/mOheVhMmV6QKoaNG0KYnIUaeThrp3CU
+-> ssh-ed25519 Fa25Dw HzNVxKLwujLVxs37JczAImZwE3CsSVbBbN7yCvvvQQU
+yHh5wFtGdHgCZsuY70VVCeW+q3Tj3pJKclkVFXKZiPU
+--- bi4B3ePG1HS3N5Y3civ4tvTZTk5dERKu4+LJwsN7Los
+ƒ%ŠåÚ;"Úq1v}Öþ¾ü:iÑê]â™ØjA0.ÓeåÇ°q÷À9¢®<7F>
--- a/secrets/forgejo-runner-token.age
+++ b/secrets/forgejo-runner-token.age
@ -1,9 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 ofQnlg zcQ+yhPezo8dh1pwIadOcRCQGFb8B0tHp2zBH/cFpi0
-xGlfqN9MQQYn6u8hWtTgVO0ObGoXVybnRMUf5y/DdjQ
-> ssh-ed25519 1MUEqQ bn5IoZMZzs6FFeHu1c3deHnWEXUmkbcGBu+i5gsyKTE
-FeK8Cd/vbZpe2inZDFNofdcFxbMcs/wntxjwcu0+tE0
-> ssh-ed25519 rJoYaw DCOdl91tl1Y+5LXTaiaHYY+VJsRoGYnId0MElsn4uGA
-4SDCll3OAeqTtMo5uCK7njUiybqUPv+Lk9qqsgWOV6Q
--- Y79OpvgT6uv5Eg1SJqtz0k0FduXuJf5wbTdeDXEvMWs
-4k²†n¸WO¡ñ%{QXgNÅ«P™ªIüsÄÌ<wJ<77>*Ž£únåCužCÂW'Ü¼¡¥¯íãLÞ	—É¨¦suàõ³¶É¹Žyð/
+-> ssh-ed25519 ofQnlg 42Tz44DFTDA7OdAqynPLKsAYJctXivj3wWkkIwYTInM
+pQ5rW2TH4IK/kjcLNOmkLgKMAuD/yzw9nOZn2NZNOv8
+-> ssh-ed25519 COspvA iYtbO/GMmP2g+82xxPrvDsye2p+FpqGpG1a+Fr1jql0
+LYTL9v1c5UcikMIN2ivCLzzAtlKaY7z3PVJW/8OxrLM
+-> ssh-ed25519 1MUEqQ 2JWKsR0gWXjustfZtj5Zg6aEflw+tMJ+Ii0k1FtdKVQ
+lo534OLXItxUMRN/hZ351PLTYVYC9KjXJ8WrlqP4XVM
+-> ssh-ed25519 rJoYaw ePSTkrq9Nxk9kzAZR0O6P2KU8WZ40+/X7gI587WqRhk
+pQC9YAZdnKIyZ6ueN9iM+iAL9fkt0Dzo9WGfhTRABG4
+--- CWPCtLLBJ+OYjuocYoSgOd0r7/nUIewTeMWbQx8MHXQ
+>";ýùc¹LSm’{Òžô/ðšHÂ*"¾ß´.rÍ<72>bVo+WZO^§–~òÀÉ‹”w]1h=™¡ªHÚ·Sî‘tˆÐš,Erg¢—›n
--- a/secrets/wiki-basicauth-htpasswd.age
+++ b/secrets/wiki-basicauth-htpasswd.age
@ -1,9 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 ofQnlg hHpU+STQq9dp0WbcT9xvNV1Ev2ePnTafL+n5meqsrCI
-azxpqTlOHwAyys2vggKZMwoW0p7KvyHWEmpT2JT31aI
-> ssh-ed25519 1MUEqQ eP4gkEEbnb/uAJF7AfOMYsNriR5xWNIHhB7Qz6y77VY
-6OF56XdugUnuLeyuaRbadHfQZx3YqMV51lkbUmkHeCA
-> ssh-ed25519 dgBsjw YVBXOkkr5Mcjk4wVEJi0/20vmcT5baDp8NpfMxlgFFo
-+LZp7R7zKaM/G9pOsy14Es+DRold2mDekOw4NodOgnA
--- +ihHVdjEVvkoiH7dLKkZ5y1fmUs5CNsjxFvSUb3Z0gM
-`f'Ó\ö=›Tpp/jˆ‹ÁéñZV¢âÀ~Ó½#‘ŸÕ=!÷O·*ø¦Û5(f²¹.þª<C3BE>d‡Ú¹’Æ´ÿ¤N=oPòyó·.fx•ÌÚŒ–í'%ÿû¶÷r~“.@ÀŒ
+-> ssh-ed25519 ofQnlg /QZHjQ6K2LrdYy62eg8gnAdavrzDccR/iLlGr5wSrBo
+15uXcdLt4TjPvYFCKmTnQ/iiNtB7NhEYo4dfIRSe7o0
+-> ssh-ed25519 COspvA BAd2Tm1HCkBEMnUsTK/yShK/yWeKjGvXnQ0kq3/ockc
+PSMOXVdrJ+2wm7Yu/aY1drR1q9mN/bRkJVVy32Or1Jg
+-> ssh-ed25519 1MUEqQ wN0GUypdmU8+tM3nrNlr5ljtLKR3Li/vGsFIPa9hznA
+TBV3WXW7FesaYHzI7oe8j1uUAq7VwK0QabL3pnwwUFM
+-> ssh-ed25519 dgBsjw /fT6/NmACig4Rv9QPttrTn5p/ptifT5WeJ3+DyxRHUk
+oUGvejnhu+c6+ta30APDvXHH2+XrZpqk2SmwTf3StvA
+--- UBiWukQgMUU3OG2VTcM32qlf90kE4ipqBaucGUZSZiw
+“ŽæX¿èÇI¢®ÅLØÄêg~kCz^	T}<7D>VV¸À°>Eí‚#UÒ¿B
*ÆÜC¸Dà“òÝ´kQÛú×^%EøÍäLláËTÛnñ²zÌhìn¾FJÑé‰Šˆq
--- a/secrets/wiki-password.age
+++ b/secrets/wiki-password.age
@ -1,10 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 ofQnlg q8Y0C7n4sd7hdZLl1YWBezW60syE8QpEqWIZP0Qv7FA
-fwKB4/lrbx+M9lluVNQAJcC2ZHHkNPkeJD9OI/GgceI
-> ssh-ed25519 1MUEqQ U1zOZ6q9M4XzMdioD0RdwZ9K6czaaK4+LR7uTnBSmH0
-HKypw83VUR9wSJA2BfO7XR10vQnOZkttaL86DcOwwrg
-> ssh-ed25519 dgBsjw 8mrgKvzJOWKYfmF/L4m9R6hKuL49HO8kKPvz8YJsjyc
-dRcj6g247Oh3dmEnNtN7Rjx2qbbcxT+nWtEu5Rmnkj8
--- HzehAstQl9boOJdx1IDvzUw0xXzFFbPlORmxMtHSd9Y
-ÔÏd„ÃH<C383>™¦¨
-f½¸»ÕCè½IM¾Å<C2BE>£ýU;’R™/D¼-Ý¯Šs~Ë"ßTŒõ&äŒºÛ]á
+-> ssh-ed25519 ofQnlg fc4Kx1F73+x5k20ZAr+nwJ2//MKSbW0XrPwidaw3O34
+/sVyDyaHqBqWgB4aEBYCB9n0cVzEWUTdgqKvM4aAzJ8
+-> ssh-ed25519 COspvA pfbE6BX+5WeYtuCfL1kRdnD3tVOV33fEJR4G0EndGBA
+ssywMgaFasyglxpIMjn9xxQViV5srAz8qS7t3aIJjnM
+-> ssh-ed25519 1MUEqQ sqw/QOSTfTBzC2YOEDLzkB51VnGPZcz9JX5JYZ+/hjg
+p2pa5eakbFbNDhOfDZaXvb69ACh/F/2lFDTUQc4WlZ4
+-> ssh-ed25519 dgBsjw QaKOQLbsEpD71x7Hk3ZoZV3/xgxv4+jG1wWiKmrhOik
+wyJP3apJB9jBcAOMK0D72lD7FqCkBEuwX0UyCvqOUJc
+--- J/CTHVy20+V7iS/R0LeeUNzIxE6dU3lnVWAFHyEjbE8
+^TG™ÃÔUë•9óÁ)	]6èn<C3A8>…<CíýÐ|ñ¥€If…Ä1ò³*9ä&MJS–=	TÔÆXéKol{I
--- a/secrets/wiki-smtp-password.age
+++ b/secrets/wiki-smtp-password.age
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHTIqF4CAylSxKPiSo5JOPuocn0y2z38wOSsQ1MUaZ2 kiara@procolix.eu`