Fediversity/keys
2025-02-21 11:37:42 +01:00
contributors Added Hans' SSH key. 2025-02-21 11:37:42 +01:00
systems Move web server definition to infra 2025-01-29 15:34:48 +01:00
default.nix Optionally remove .pub suffix from file names 2024-12-13 12:19:26 +01:00
README.md docs: fix broken links 2025-02-10 15:05:21 +01:00

Keys

This directory contains the SSH public keys of both the contributors to the project and the systems that we administer. The keys serve two purposes: decrypting secrets and managing the infrastructure.

Which private keys can decrypt a given secret is defined in secrets.nix: every contributor, plus the specific systems that need access to the secret in question. Adding a contributor's or a system's key to a secret requires re-keying the secret, which can only be done with a key that already had access to it. (Alternatively, one can overwrite a secret without knowing its contents.)
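The following secrets.nix is an added example of the policy just described, not the project's own file. It assumes that the key files live under ./contributors and ./systems, one OpenSSH public key per file named `<name>.pub`, and that an agenix-style tool consumes the `publicKeys` lists when re-keying; the secret and host names are hypothetical.

```nix
# Added example of a secrets.nix in the style described above; not the
# project's own file. Assumptions: one OpenSSH public key per file, files
# named <name>.pub under ./contributors and ./systems, and an agenix-style
# tool that reads the publicKeys lists below when (re-)keying.
let
  # Read one key file into a single-line string (drop the trailing newline).
  readKey = path: builtins.replaceStrings [ "\n" ] [ "" ] (builtins.readFile path);

  # Every *.pub file in a directory, as a list of key strings.
  keysIn = dir:
    let
      entries = builtins.readDir dir;
      pubs = builtins.filter
        (name: entries.${name} == "regular"
               && builtins.match ".*\\.pub" name != null)
        (builtins.attrNames entries);
    in map (name: readKey (dir + "/${name}")) pubs;

  # All contributors can decrypt every secret, so it is enough to list the
  # directory once; a new contributor only has to add a file there.
  contributors = keysIn ./contributors;

  # Systems are added per secret, by name, so that a host only ever holds
  # the secrets it actually needs at runtime.
  system = name: readKey (./systems + "/${name}.pub");
in
{
  # Hypothetical secrets and host names, for illustration only.
  "web01-tls.key.age".publicKeys = contributors ++ [ (system "web01") ];
  "mail01-dkim.key.age".publicKeys = contributors ++ [ (system "mail01") ];

  # A secret needed by two hosts lists both; contributors are still included
  # so that the secret can be re-keyed later by any of them.
  "backup-passphrase.age".publicKeys =
    contributors ++ [ (system "web01") (system "mail01") ];
}
```

Because `contributors` is derived from the directory listing, adding a key file changes the recipient list of every secret, which is exactly why step 2 of the procedure below (re-keying by an existing contributor) is needed before the new key is of any use.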

In infra management, the two kinds of keys play different roles. The systems' keys are host keys: they authenticate the machine we are talking to, so that a deployment cannot be redirected to an impostor. The contributors' keys are authorization: they grant access to the root user on these machines, which allows, among other things, deploying their configurations with NixOps4.
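The NixOS module below is an added example of how the two key directories map onto SSH's two trust directions; it is not the project's infra code. It assumes the same `<name>.pub` layout under ./systems and ./contributors as the example above, a hypothetical `<name>.example.org` host naming scheme, and that `lib` is the nixpkgs library passed to every NixOS module.

```nix
# Added example, not the project's own infra code. Assumes one OpenSSH
# public key per file, named <name>.pub, under ./systems and ./contributors
# relative to this file; host names and domain are hypothetical.
{ lib, ... }:
let
  # Map "<name>" -> path of "<name>.pub" for every key file in a directory.
  keyFiles = dir:
    lib.mapAttrs'
      (name: _: lib.nameValuePair (lib.removeSuffix ".pub" name) (dir + "/${name}"))
      (lib.filterAttrs
        (name: type: type == "regular" && lib.hasSuffix ".pub" name)
        (builtins.readDir dir));

  systems = keyFiles ./systems;            # e.g. { web01 = ./systems/web01.pub; }
  contributors = keyFiles ./contributors;  # e.g. { hans = ./contributors/hans.pub; }
in
{
  # Systems' keys identify the machine: pin them as known hosts so that an
  # SSH client configured by this module never accepts an unknown host key.
  # This part matters on whichever machine initiates the deployment.
  programs.ssh.knownHosts = lib.mapAttrs (name: file: {
    hostNames = [ "${name}.example.org" ];  # hypothetical naming scheme
    publicKeyFile = file;
  }) systems;

  # Contributors' keys authorize root, which is what deploying with
  # NixOps4 needs. This part matters on every managed system.
  users.users.root.openssh.authorizedKeys.keyFiles = lib.attrValues contributors;

  # Nothing weaker than key authentication should reach root.
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "prohibit-password";
    };
  };
}
```

The same module can be imported on both sides: a managed system ignores the known-hosts pins unless it makes outbound SSH connections, and a deploy host without sshd simply does not use the root authorized keys. Keeping both derived from the key directories means the check in step 3 of the procedure below (redeploying after a key change) is what actually propagates a new contributor's access.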

Adding a contributor

Adding a contributor consists of four steps:

  1. The contributor in question adds a file with their public key to the ./contributors directory, and opens a pull request with it.

  2. An already-existing contributor uses their own key to re-key the secrets, taking the new key into account. (This cannot be done by the new contributor themselves, since re-keying requires a key that already has access.)

  3. An already-existing contributor redeploys the infrastructure so that the new key is authorized on the systems.

  4. The pull request is accepted and merged.