forked from Fediversity/Fediversity
pass in description fix syntax configure proxmox provider typo add doc comment in existing modules add comment allow insecure proxmox connection for use in dev wip proxmox progress use service configurations moved to machine-independent location wire settings directly without option block terraform adjust cwd try tf on null input update .envrc.sample with sample proxmox credentials
32 lines
1.4 KiB
Markdown
# Keys
This directory contains the SSH public keys of both contributors to the projects and systems that we administrate. Keys are used both for [secrets](../secrets) decryption and [infra](../infra) management.

Which private keys can be used to decrypt secrets is defined in [`secrets.nix`](../secrets/secrets.nix) as _all the contributors_ as well as the specific systems that need access to the secret in question. Adding a contributor's or system's key to a secret requires rekeying the secret, which can only be done by some key that already had access to it. (Alternatively, one can overwrite a secret without knowing its contents.)

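As an added example (not the project's own `secrets.nix`), this is one way such a file can express the rule above in the agenix convention: every key in `./contributors` plus only the systems that need the secret. The directory layout, the host name and the key string are assumptions.

```nix
# Added example, not the project's secrets.nix: one way to express
# "all contributors plus the specific systems that need the secret".
# Paths, host name and key strings below are assumptions/placeholders.
let
  # Every file in ../keys/contributors is one contributor's public key,
  # so adding a contributor is adding a file there (and then re-keying).
  contributorsDir = ../keys/contributors;
  readKey = name:
    builtins.replaceStrings [ "\n" ] [ "" ]
      (builtins.readFile (contributorsDir + "/${name}"));
  contributors = map readKey (builtins.attrNames (builtins.readDir contributorsDir));

  # Host keys of the systems we administrate (placeholder values).
  systems = {
    example-host = "ssh-ed25519 AAAAC3...PLACEHOLDER root@example-host";
  };
in
{
  # Decryptable by all contributors and by example-host only; any other
  # system's key is deliberately absent, so it cannot read this secret.
  "example-host/some-secret.age".publicKeys = contributors ++ [ systems.example-host ];
}
```

Because the contributor list is derived from the directory, a new key file changes the `publicKeys` of every secret at once, which is exactly why step 2 below (re-keying) is required before the new key is useful.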
In infra management, the systems' keys are used for security reasons; they identify the machine that we are talking to. The contributor keys are used to give access to the `root` user on these machines, which allows, among other things, to deploy their configurations.

## Adding a contributor

Adding a contributor consists of three steps:

1. The contributor in question adds a file with their key to the `./contributors` directory, and opens a pull request with it.

2. An already-existing contributor uses their keys to [re-key the secrets](../secrets#adding-a-contributor), taking that new key into account.

3. An already-existing contributor redeploys the [infrastructure](../infra) to take into account the new access.

4. The pull request is accepted and merged.