forked from fediversity/fediversity
# Keys

This directory contains the SSH public keys of both the contributors to the
project and the systems that we administer. The keys serve two purposes:
[secrets](../secrets) decryption and [infra](../infra) management.

Which private keys can decrypt a given secret is defined in
[`secrets.nix`](../secrets/secrets.nix): _all the contributors_, plus the
specific systems that need access to the secret in question. Adding a
contributor's or a system's key to a secret requires re-keying the secret,
which can only be done with a key that already has access to it.
(Alternatively, one can overwrite the secret with a new value without knowing
its current contents.) Removing a key also requires re-keying, but keep in mind
that re-keying does not retroactively protect a value that the removed key was
already able to decrypt: if that key must lose access to the value itself, the
secret has to be rotated as well.

In infra management, the systems' keys are used to authenticate the machines:
when a contributor connects to deploy, the system's key identifies the machine
they are talking to (SSH host key verification). The contributor keys grant
access to the `root` user on these machines, which allows, among other things,
deploying their configurations with NixOps4.

## Adding a contributor

Adding a contributor consists of four steps:

1. The contributor in question adds a file with their public key to the
   `./contributors` directory, and opens a pull request with it.

2. An already-existing contributor uses their key to
   [re-key the secrets](../secrets#adding-a-contributor), taking the new key
   into account.

3. An already-existing contributor redeploys the [infrastructure](../infra) to
   take the new access into account.

4. The pull request is accepted and merged.
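Before step 4, a reviewer wants to confirm that step 2 actually happened for the new key. The following check, written for this README and not part of the project's own tooling, verifies every `.age` secret under a secrets directory against every key file in a contributors directory without needing any private key. It assumes agenix-style `.age` files (the `age` format, whose header carries one `-> ssh-ed25519 <tag> ...` or `-> ssh-rsa <tag> ...` stanza per SSH recipient, the tag being the unpadded base64 of the first 4 bytes of SHA-256 over the key's wire-format blob) and that, as stated above, every contributor is a recipient of every secret. The key files, directory layout and the age header in `demo()` are constructed sample data; the header is a mock, not a real ciphertext.

```python
import base64
import hashlib
import struct
import tempfile
from pathlib import Path


def ssh_key_blob(authorized_key_line: str) -> tuple[str, bytes]:
    """Parse one 'type base64 [comment]' line; return (key type, wire blob).

    The blob's first SSH string is the key type, so it must match field 1; a
    mismatch means the file is not a well-formed public key and should not be
    merged into ./contributors.
    """
    fields = authorized_key_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type field does not match the encoded blob")
    return key_type, blob


def age_tag(blob: bytes) -> str:
    """age's recipient tag for an SSH key: base64 (no padding) of SHA-256(blob)[:4]."""
    return base64.b64encode(hashlib.sha256(blob).digest()[:4]).rstrip(b"=").decode()


def age_recipient_tags(age_file: bytes) -> set[tuple[str, str]]:
    """Collect (stanza type, tag) for every ssh-* recipient stanza in an age header."""
    lines = age_file.split(b"\n")
    if not lines or lines[0] != b"age-encryption.org/v1":
        raise ValueError("not an age v1 file")
    tags = set()
    for line in lines[1:]:
        if line.startswith(b"---"):       # '--- <MAC>' closes the header
            break
        if line.startswith(b"-> ssh-"):   # X25519 stanzas ('-> X25519') are skipped
            parts = line.decode().split()
            if len(parts) >= 3:
                tags.add((parts[1], parts[2]))
    return tags


def missing_recipients(keys_dir: Path, secrets_dir: Path) -> dict[str, list[str]]:
    """For each *.age under secrets_dir, list contributor key files it is NOT encrypted to."""
    wanted = {}
    for key_file in sorted(p for p in keys_dir.iterdir() if p.is_file()):
        key_type, blob = ssh_key_blob(key_file.read_text().strip())
        wanted[key_file.name] = (key_type, age_tag(blob))
    report = {}
    for age_file in sorted(secrets_dir.rglob("*.age")):
        present = age_recipient_tags(age_file.read_bytes())
        missing = [name for name, kt in wanted.items() if kt not in present]
        if missing:
            report[str(age_file.relative_to(secrets_dir))] = missing
    return report


def make_ed25519_authorized_key(pubkey: bytes, comment: str) -> str:
    """Build a constructed authorized_keys line from 32 raw ed25519 public-key bytes."""
    def ssh_string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(pubkey)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def demo() -> dict[str, list[str]]:
    """Constructed scenario: bob's key was added but the secret was not re-keyed for him."""
    with tempfile.TemporaryDirectory() as tmp:
        keys = Path(tmp) / "keys" / "contributors"
        secrets = Path(tmp) / "secrets"
        keys.mkdir(parents=True)
        secrets.mkdir()
        alice = make_ed25519_authorized_key(bytes(range(32)), "alice")      # constructed
        bob = make_ed25519_authorized_key(bytes(range(32, 64)), "bob")      # constructed
        (keys / "alice.pub").write_text(alice + "\n")
        (keys / "bob.pub").write_text(bob + "\n")
        _, alice_blob = ssh_key_blob(alice)
        # Mock age header with a stanza for alice only (payload bytes are meaningless).
        header = ("age-encryption.org/v1\n"
                  f"-> ssh-ed25519 {age_tag(alice_blob)} Zm9v\nYmFy\n--- bWFj\n")
        (secrets / "db-password.age").write_bytes(header.encode() + b"\x00\x01")
        return missing_recipients(keys, secrets)


if __name__ == "__main__":
    print(demo())
```

Run it against the real tree as `missing_recipients(Path("keys/contributors"), Path("secrets"))`; an empty report means every secret has a stanza for every contributor key, and a non-empty one names the secrets that still need re-keying before the pull request is merged. The check only proves a stanza with the right tag is present, not that the wrapped key inside it is correct, so it complements rather than replaces a test decryption by the new contributor.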