Keys
This directory contains the SSH public keys of both the contributors to the project and the systems that we administrate. The keys are used for two purposes: decrypting secrets and managing the infrastructure.
Which private keys can decrypt a given secret is defined in secrets.nix: for each secret, the list consists of all the contributors plus the specific systems that need access to that secret. Adding a contributor's or a system's key to a secret requires rekeying the secret, which can only be done with a key that already has access to it, because the existing ciphertext must be decrypted before it can be re-encrypted for the new set of keys. (Alternatively, a secret can be overwritten with a new value without knowing its current contents.)
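The following secrets.nix is an added example in the shape described above; it is not the project's own file. It assumes an agenix-style layout (one attribute per encrypted file, each carrying a `publicKeys` list), contributor keys stored one per file as ./contributors/<name>.pub, system keys as ./systems/<host>.pub, and purely illustrative secret and host names. It encodes the rule that every contributor can read every secret while only the named systems are added per secret, and it fails loudly on a missing key rather than silently shrinking the recipient list:

```nix
# Added example of a secrets.nix (not the project's own file).
# Assumptions: agenix-style format with a `publicKeys` list per encrypted file;
# contributor keys in ./contributors/<name>.pub, system keys in
# ./systems/<host>.pub, one key per file; illustrative secret and host names.
let
  # Read every regular *.pub file in `dir` into { "<basename>" = "<key line>"; }.
  readKeys = dir:
    let
      entries = builtins.readDir dir;
      pubFiles = builtins.filter
        (f: entries.${f} == "regular" && builtins.match ".*\\.pub" f != null)
        (builtins.attrNames entries);
      stripNewline = s: builtins.replaceStrings [ "\n" ] [ "" ] s;
    in
    builtins.listToAttrs (map
      (f: {
        name = builtins.replaceStrings [ ".pub" ] [ "" ] f;
        value = stripNewline (builtins.readFile (dir + "/${f}"));
      })
      pubFiles);

  contributors = readKeys ./contributors;
  systems = readKeys ./systems;

  # Every contributor can decrypt every secret. An empty contributor set is an
  # error rather than an empty list, so no secret can end up readable by nobody.
  allContributors =
    if contributors == { }
    then throw "no contributor keys found in ./contributors"
    else builtins.attrValues contributors;

  # Only the named systems receive the secret in addition to the contributors.
  # An unknown host name throws instead of being silently left out.
  forSystems = hosts:
    allContributors ++ map
      (h: systems.${h} or (throw "no key for system '${h}' in ./systems"))
      hosts;
in
{
  # Illustrative names only.
  "example-db-password.age".publicKeys = forSystems [ "example-host" ];
  "example-api-token.age".publicKeys = forSystems [ "example-host" "other-host" ];
  # A secret that only contributors need, e.g. one consumed at deploy time.
  "example-deploy-only.age".publicKeys = forSystems [ ];
}
```

Editing this file alone does not change who can open an existing encrypted file: the ciphertext still has to be rekeyed with a key that already has access, or overwritten with a fresh value, as described above.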
In infra management, the systems' keys serve as host keys: they let us verify that the machine we are talking to is the one we expect. The contributor keys are used to give access to the root user on these machines, which allows, among other things, deploying their configurations with NixOps4.
Adding a contributor
Adding a contributor consists of four steps:

- The contributor in question adds a file with their key to the ./contributors directory and opens a pull request with it.
- An already-existing contributor rekeys the secrets, taking the new key into account. See [../secrets#adding-a-contributor].
- An already-existing contributor redeploys the infrastructure so that the new access takes effect. See [../infra].
- The pull request is accepted and merged.