kevin/Fediversity
1
0
Fork 0
forked from Fediversity/Fediversity
Code Pull requests Activity

keys: add contributor kiara (#97)

Browse source
This commit is contained in:
Nicolas Jeannerod 2025-02-04 12:54:10 +01:00
commit 1b8be1da27
Signed by untrusted user: Niols
GPG key ID: 35DB9EC8886E1CB8
10 changed files with 101 additions and 42 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
infra/README.org
View file

@ -1,6 +1,9 @@
#+title: Infra #+title: Infra
This directory contains the definition of the VMs that host our infrastructure. This directory contains the definition of the VMs that host our infrastructure.
* NixOps4
Their configuration can be updated via NixOps4. Run Their configuration can be updated via NixOps4. Run
#+begin_src sh #+begin_src sh
@ -26,14 +29,21 @@ Then, given a deployment (eg. ~git~), run
nixops4 apply <deployment> nixops4 apply <deployment>
#+end_src #+end_src
Alternatively, to run the ~default~ deployment, run
#+begin_src sh
nixops4 apply
#+end_src
* Deployments * Deployments
- default :: Contains everything
- ~git~ :: Machines hosting our Git infrastructure, eg. Forgejo and its actions - ~git~ :: Machines hosting our Git infrastructure, eg. Forgejo and its actions
runners runners
- ~web~ :: Machines hosting our online content, eg. the website or the wiki - ~web~ :: Machines hosting our online content, eg. the website or the wiki
- ~other~ :: Machines without a specific purpose - ~other~ :: Machines without a specific purpose
* Procolix machines * Machines
These machines are hosted on the Procolix Proxmox instance, to which These machines are hosted on the Procolix Proxmox instance, to which
non-Procolix members of the project do not have access. They host our stable non-Procolix members of the project do not have access. They host our stable

32
keys/README.md Normal file
View file

@ -0,0 +1,32 @@
# Keys
This directory contains the SSH public keys of both contributors to the projects
and systems that we administrate. Keys are used both for [secrets](../secrets)
decryption and [infra](../infra) management.
Which private keys can be used to decrypt secrets is defined in
[`secrets.nix`](../secrets/secrets.nix) as _all the contributors_ as well as the
specific systems that need access to the secret in question. Adding a
contributor of system's key to a secret requires rekeying the secret, which can
only be done by some key that had already access to it. (Alternatively, one can
overwrite a secret without knowing its contents.)
In infra management, the systems' keys are used for security reasons; they
identify the machine that we are talking to. The contributor keys are used to
give access to the `root` user on these machines, which allows, among other
things, to deploy their configurations with NixOps4.
## Adding a contributor
Adding a contributor consists of three steps:
1. The contributor in question adds a file with their key to the
`./contributors` directory, and opens a pull request with it.
2. An already-existing contributor rekeys the secrets, taking that new key into
account. See [../secrets#adding-a-contributor].
3. An already-existing contributor redeploys the infrastructure to take into
account the new access. See [../infra].
4. The pull request is accepted and merged.

1
keys/contributors/kiara Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHTIqF4CAylSxKPiSo5JOPuocn0y2z38wOSsQ1MUaZ2 kiara@procolix.eu

5
secrets/README.md
View file

@ -49,3 +49,8 @@ As an example, let us add a secret in a file “cheeses” whose content should
service that you are using must be able to read from a file at runtime, and service that you are using must be able to read from a file at runtime, and
if the NixOS default module options do not provide that, you must find a way if the NixOS default module options do not provide that, you must find a way
around it. around it.
### Adding a contributor
See [../keys]. Rekeying can be done by running `agenix --rekey` (or `-r` for
short) in the current directory. This requires access to the secrets.

20
secrets/forgejo-database-password.age
View file

@ -1,9 +1,13 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 ofQnlg wo0Yxrm+saKiGo4Woo8A+I6fXyLV0OfguJsrRPCc7Ds -> ssh-ed25519 ofQnlg G6Wg5L2ohyZZ9NnCAQ03ycAbP7HBa6/wGjNCsNF8nR0
tHJU5jzLj8qFrYzPOdECBC7ugbryxWvF2Lp4lPN7Tyw OCh5tR7JSEZUAd4oDqNlKUznNus/EZrLTjzCNpFfSTM
-> ssh-ed25519 1MUEqQ jYC4xvbi/9g9yUppVgCcBP6X3WiaqUpBxvmGqezntkk -> ssh-ed25519 COspvA Qbs9EvqDbPzMB3ciM9e37gXaCp2OAQ/rG6LzMhdBkwE
jCZxTWxN35Tcc8HLmlWyL+7V48fXBriD+yF35kIMTlk /eBnkgGBhuweXzd2aw1XXoaHc8JbXLrqMqcY8CAqDr4
-> ssh-ed25519 Fa25Dw O7SPXB23UF0uYlkgDNWP9rUHVJAA8RwFqhyPU38Nk1s -> ssh-ed25519 1MUEqQ jacwM4dAbNezkeMY9FzmGlXtTneLoMUFJtfm6dyNsVA
BRemDl0+rszCOQw4G1GYVpxbhb0gMq5pxyguKjncXCk AodDTXYSkPoxS807xw+l0WbO9dMau9xp2Y9h0Ir6o8s
--- n4IPbDBJwmEGQTlsYxRQSI+9Db14zAd3ji2X248XbsI -> ssh-ed25519 Fa25Dw quSJ54tQOBBNtnkc/4dxH1z7SfIfJsr+9iORnT4XXmg
¬¡\ÛµûðÓZ³ù:”ÑûY8`§Àõ5ÿó`¬¦ÉÍ•=䨄A—Ê q//oLKS+eRHwraOEDayxrnLmUJ1Zfahr/ZXvuqYvtzc
--- NLwY5C6WKTUSVYbmeSUJE1SiM19/rDb3pqMrVUx/l0c
ÒtÍ
÷ZÉÇ:¸+pâa£œ¯l¹¿½ò1z 
ë-y)nZ5û·•Ã

18
secrets/forgejo-email-password.age
View file

@ -1,9 +1,11 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 ofQnlg prrfNlkyvRBGfJuBx54mKbwAfHL8t6Y+uLmt3jGEvHs -> ssh-ed25519 ofQnlg dmH3/gWbrhiYDSEzfEvwto/7ULietn9DHs7bqNRLuDE
Sg8zLilpIGA4nq2bQToGgYeGP2sLCeqzKuGF2YzuXdM na8BTt4OCwwwJb/NNkUU1NWZKzsMyW84REcaz0bEX7c
-> ssh-ed25519 1MUEqQ daSO/J5Bw59xVlAYcsyIixqsZIolBIUAca9MmhXZoCI -> ssh-ed25519 COspvA bk/ixd0gon+sxmhW+OBGY9sRaCVOZ267TELGFkkuUxs
vjzpcxlKWk3VG2N6MayegZ8sF/2SmJVGBSSef8zAtR8 Y+XnlUVETv4fqA5uGd3VaHIs4mAJQQw+xmGweWPOP70
-> ssh-ed25519 Fa25Dw GsQSZx3mY6RBdZBzYZnn+s4og7/HgXPDAamNh80VNxQ -> ssh-ed25519 1MUEqQ /mf6QgPlFqYGdQJHJbe2TEIusTxw0ftsemWst07nW3I
1jh4jyVVunbrUfwGduwz7drINatxYG8VWXC1nG2WnG4 SLzAtO31Evm/mOheVhMmV6QKoaNG0KYnIUaeThrp3CU
--- KMa4vGnd/X4pkboVfhkCeheagMC/T7e1RlqeF/tCheE -> ssh-ed25519 Fa25Dw HzNVxKLwujLVxs37JczAImZwE3CsSVbBbN7yCvvvQQU
ï»c×àuH¬>¾h5žM!ÑßfK«„xr»u*@Ä–&ûÙÄ<>˜s4™å\w yHh5wFtGdHgCZsuY70VVCeW+q3Tj3pJKclkVFXKZiPU
--- bi4B3ePG1HS3N5Y3civ4tvTZTk5dERKu4+LJwsN7Los
ƒ%ŠåÚ;"Úq1v}Öþ¾ü:iÑê]â™ØjA0eåÇ°q÷À®<7F>

18
secrets/forgejo-runner-token.age
View file

@ -1,9 +1,11 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 ofQnlg zcQ+yhPezo8dh1pwIadOcRCQGFb8B0tHp2zBH/cFpi0 -> ssh-ed25519 ofQnlg 42Tz44DFTDA7OdAqynPLKsAYJctXivj3wWkkIwYTInM
xGlfqN9MQQYn6u8hWtTgVO0ObGoXVybnRMUf5y/DdjQ pQ5rW2TH4IK/kjcLNOmkLgKMAuD/yzw9nOZn2NZNOv8
-> ssh-ed25519 1MUEqQ bn5IoZMZzs6FFeHu1c3deHnWEXUmkbcGBu+i5gsyKTE -> ssh-ed25519 COspvA iYtbO/GMmP2g+82xxPrvDsye2p+FpqGpG1a+Fr1jql0
FeK8Cd/vbZpe2inZDFNofdcFxbMcs/wntxjwcu0+tE0 LYTL9v1c5UcikMIN2ivCLzzAtlKaY7z3PVJW/8OxrLM
-> ssh-ed25519 rJoYaw DCOdl91tl1Y+5LXTaiaHYY+VJsRoGYnId0MElsn4uGA -> ssh-ed25519 1MUEqQ 2JWKsR0gWXjustfZtj5Zg6aEflw+tMJ+Ii0k1FtdKVQ
4SDCll3OAeqTtMo5uCK7njUiybqUPv+Lk9qqsgWOV6Q lo534OLXItxUMRN/hZ351PLTYVYC9KjXJ8WrlqP4XVM
--- Y79OpvgT6uv5Eg1SJqtz0k0FduXuJf5wbTdeDXEvMWs -> ssh-ed25519 rJoYaw ePSTkrq9Nxk9kzAZR0O6P2KU8WZ40+/X7gI587WqRhk
4k²†n¸WO¡ñ%{QXgNÅ«P™ªIüsÄÌ<wJ<77>*Ž£únåCužCÂW'ܼ¡¥¯íãLÞ —ɨ¦suàõ³¶É¹Žyð/ pQC9YAZdnKIyZ6ueN9iM+iAL9fkt0Dzo9WGfhTRABG4
--- CWPCtLLBJ+OYjuocYoSgOd0r7/nUIewTeMWbQx8MHXQ
>";ýùc¹LSm{Òžô/ðšHÂ*"¾ß´.rÍ<72>bVo+WZO^§~òÀÉ”w]1h=™¡­ªHÚ­·SîtˆÐš,Erg¢—n

18
secrets/wiki-basicauth-htpasswd.age
View file

@ -1,9 +1,11 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 ofQnlg hHpU+STQq9dp0WbcT9xvNV1Ev2ePnTafL+n5meqsrCI -> ssh-ed25519 ofQnlg /QZHjQ6K2LrdYy62eg8gnAdavrzDccR/iLlGr5wSrBo
azxpqTlOHwAyys2vggKZMwoW0p7KvyHWEmpT2JT31aI 15uXcdLt4TjPvYFCKmTnQ/iiNtB7NhEYo4dfIRSe7o0
-> ssh-ed25519 1MUEqQ eP4gkEEbnb/uAJF7AfOMYsNriR5xWNIHhB7Qz6y77VY -> ssh-ed25519 COspvA BAd2Tm1HCkBEMnUsTK/yShK/yWeKjGvXnQ0kq3/ockc
6OF56XdugUnuLeyuaRbadHfQZx3YqMV51lkbUmkHeCA PSMOXVdrJ+2wm7Yu/aY1drR1q9mN/bRkJVVy32Or1Jg
-> ssh-ed25519 dgBsjw YVBXOkkr5Mcjk4wVEJi0/20vmcT5baDp8NpfMxlgFFo -> ssh-ed25519 1MUEqQ wN0GUypdmU8+tM3nrNlr5ljtLKR3Li/vGsFIPa9hznA
+LZp7R7zKaM/G9pOsy14Es+DRold2mDekOw4NodOgnA TBV3WXW7FesaYHzI7oe8j1uUAq7VwK0QabL3pnwwUFM
--- +ihHVdjEVvkoiH7dLKkZ5y1fmUs5CNsjxFvSUb3Z0gM -> ssh-ed25519 dgBsjw /fT6/NmACig4Rv9QPttrTn5p/ptifT5WeJ3+DyxRHUk
`f'Ó\ö=Tpp/jˆÁéñZV¢âÀ~Ó½#ŸÕ=!÷O·*ø¦Û5(f²¹.þª<C3BE>d‡Ú¹Æ´ÿ¤N=oPòyó·.f­x•ÌÚŒí'%ÿû¶÷r~“.@ÀŒ oUGvejnhu+c6+ta30APDvXHH2+XrZpqk2SmwTf3StvA
--- UBiWukQgMUU3OG2VTcM32qlf90kE4ipqBaucGUZSZiw
“ŽæX¿èÇI¢®ÅLØÄêg~kCz^ T}<7D>VV¸À°>Eí#UÒ¿B *ÆÜC¸Dà“òÝ´kQÛú×^%EøÍäLláËTÛnñ²zÌhìn¾FJÑ鉊ˆq

19
secrets/wiki-password.age
View file

@ -1,10 +1,11 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 ofQnlg q8Y0C7n4sd7hdZLl1YWBezW60syE8QpEqWIZP0Qv7FA -> ssh-ed25519 ofQnlg fc4Kx1F73+x5k20ZAr+nwJ2//MKSbW0XrPwidaw3O34
fwKB4/lrbx+M9lluVNQAJcC2ZHHkNPkeJD9OI/GgceI /sVyDyaHqBqWgB4aEBYCB9n0cVzEWUTdgqKvM4aAzJ8
-> ssh-ed25519 1MUEqQ U1zOZ6q9M4XzMdioD0RdwZ9K6czaaK4+LR7uTnBSmH0 -> ssh-ed25519 COspvA pfbE6BX+5WeYtuCfL1kRdnD3tVOV33fEJR4G0EndGBA
HKypw83VUR9wSJA2BfO7XR10vQnOZkttaL86DcOwwrg ssywMgaFasyglxpIMjn9xxQViV5srAz8qS7t3aIJjnM
-> ssh-ed25519 dgBsjw 8mrgKvzJOWKYfmF/L4m9R6hKuL49HO8kKPvz8YJsjyc -> ssh-ed25519 1MUEqQ sqw/QOSTfTBzC2YOEDLzkB51VnGPZcz9JX5JYZ+/hjg
dRcj6g247Oh3dmEnNtN7Rjx2qbbcxT+nWtEu5Rmnkj8 p2pa5eakbFbNDhOfDZaXvb69ACh/F/2lFDTUQc4WlZ4
--- HzehAstQl9boOJdx1IDvzUw0xXzFFbPlORmxMtHSd9Y -> ssh-ed25519 dgBsjw QaKOQLbsEpD71x7Hk3ZoZV3/xgxv4+jG1wWiKmrhOik
ÔÏd„ÃH<C383>™¦¨ wyJP3apJB9jBcAOMK0D72lD7FqCkBEuwX0UyCvqOUJc
f½¸»ÕCè½IM¾Å<C2BE>£ýU;R™/D¼-ݯŠs~Ë"ßTŒõ&䌺Û]á --- J/CTHVy20+V7iS/R0LeeUNzIxE6dU3lnVWAFHyEjbE8
^TG™ÃÔUë•9óÁ) ]6èn<C3A8>…<CíýÐ|ñ¥€If…Ä1ò³*9ä&MJS= TÔÆXéKol{I

BIN
secrets/wiki-smtp-password.age
View file

Binary file not shown.