update meeting notes as per ssh meeting, feedback on design minutes

architecture-docs/2025-03-31-ssh-strategy.md

@@ -39,49 +39,38 @@ some notes on our current status, challenges and ways to address these
 
 ### how to use SSH on deployment
 
-[^temp]: for now, as per the scope of #274
-[^sensitive]: must be password-protected
-[^agent]: thru ssh agent
-[^inaccessible]: fails to handle password protection
-[^propagate]: with password propagated, somehow
-[^hardcoded]: hard-coded
-[^explicit]: password can be passed explicitly
-[^either]: unprotected, or if protected by passing it explicitly
-
 #### user
 
+(note that `desired` columns are focused on the scope of #76, so keeping e.g. security considerations out of scope.)
+
+| context | current | desired |
 |-|-|-|
-| context | current | desired[^temp] |
 | nixops infra | root | root |
 | nixops local | root | root |
 | protected? nixops panel local | root | root |
 | nixops panel deployed | root | root |
-<!-- | tf infra | root | root | -->
-| tf local | personal[^hardcoded] | root |
-| protected? tf panel local | personal[^hardcoded] | root |
-| tf panel deployed | personal[^hardcoded] | root |
+| tf local | personal (hard-coded) | root |
+| protected? tf panel local | personal (hard-coded) | root |
+| tf panel deployed | personal (hard-coded) | root |
+| tf infra | root | root |
 
 #### key
 
-|-|-|-|
 | context | current | desired |
-| nixops infra | personal[^agent] | (protected) personal key |
-| nixops local | personal[^agent] | personal |
-| nixops panel local | personal[^agent] [^inaccessible] | (unprotected) personal key |
-| nixops panel deployed | machine key[^agent] | machine key |
-<!-- | tf infra | n/a | (protected) personal key [^propagate] | -->
-| tf local | personal[^agent] [^explicit] | personal[^either] |
-| tf panel local | personal[^agent] [^explicit] | personal[^either] |
-| tf panel deployed | machine key[^agent] | machine key |
+|-|-|-|
+| nixops infra | personal (thru ssh agent) | (protected) personal key |
+| nixops local | personal (thru ssh agent) | personal |
+| nixops panel local | personal (thru ssh agent, failed to handle password protection) | (unprotected) personal key |
+| nixops panel deployed | machine key (thru ssh agent) | machine key |
+| tf local | personal (thru ssh agent, password can be passed explicitly) | personal (unprotected, or if protected by passing it explicitly) |
+| tf panel local | personal (thru ssh agent, password can be passed explicitly) | personal (unprotected, or if protected by passing it explicitly) |
+| tf panel deployed | machine key (thru ssh agent) | machine key |
+| tf infra | n/a | (protected) personal key (with password propagated, somehow) |
 
-## solutions
+## outcomes
 
-- [x] fix ssh user in #274
-- [ ] fix ssh access on test03
-- [?] mimic strategy used with nixops for TF for ssh access from panel (deployed)
-  - [ ] allow access by machine key? or.. how did nixops have access?
-- [ ] use/allow separate unprotected SSH key for test0x VMs (#272)
-- [ ] ensure whitelisted keys for infra are protected
-- [ ] work out way to use password-protected ssh keys in TF for infra? e.g.:
-  - delegate to ssh agent
-  - pass explicitly
+added sub-tasks to:
+
+- #272
+- #76
+ - #274

meeting-notes/2025-03-31-design-meeting.md

@@ -35,7 +35,7 @@ Present: {thijs,timon}@slik, {koen,kevin,kiara}@procolix
 - koen: we should show those from the panel, but there are different ways to approach this as per an operator's business model
 - thijs: maybe hosts should get to choose how to approach this
 - koen: agree, companies will have limited resources and may prefer to not make things too granular, tho in larger set-ups one may need to be able to better justify how pricing scales
-- thijs: do we always want granular pricing?
+- thijs: do we always want to add a link to the price/value breakdown for every plan?
 - koen: by default yes, if you don't want that, it's open-source so you can fork if you like
 - thijs: thanks - what else should we change for tomorrow?
 - koen: maybe add graphs over time on disk space and number of applications deployed