forked from fediversity/meta
Add meeting-notes/2024-12-10-decision-making-meeting-dealing-with-secrets.md
Add notes & decision on how to deal with secrets
This commit is contained in:
bjornw
parent
6d4350dae2
commit
8f5f0b141d
1 changed files with 74 additions and 0 deletions
|
|
@ -0,0 +1,74 @@
|
|||
# 'Secret(s)' meeting
|
||||
**Date:** 2024-12-10
|
||||
**Present:** Ronny, Koen, Eric, Richard, Gheorghe, Kevin, Valentin, Robert, Bjorn, Nicolas
|
||||
|
||||
## Goal of this meeting
|
||||
Decide on how we want to deal with secrets, e.g. passwords for systems.
|
||||
|
||||
## Expected end result
|
||||
At the end of this meeting we have a decision on how to continue with secrets
|
||||
|
||||
## Preparations
|
||||
Please read this:
|
||||
https://git.fediversity.eu/Fediversity/meta/src/branch/main/secrets-management.md
|
||||
|
||||
## Decision made:
|
||||
**For now we wil continue with Agenix & keep our options open. We will also ask the security professionals for a sanity check. NLNet offers support from Radically Open Security for this. Ask them for their input & look into the security options (MFA etc). Please include advice on this for NixOps as well.**
|
||||
|
||||
## Actions
|
||||
@ronny will contact Radically Open Security (part of the NLNet offerings). This might take a few weeks as Ronny knows that ROS has a bit of backlog.
|
||||
|
||||
|
||||
### Team members perspectives, thoughts & observations
|
||||
* Koen
|
||||
* Passbolt might be an option as well (https://www.passbolt.com).
|
||||
* Vaultwarden is an api compatible reimplementation of Bitwarden.
|
||||
* If fully automated: don't care, but if broken we need to be able to easily fix this
|
||||
* Vaultwarden is now used at Procolix. Secrets are now handled manually.
|
||||
* Vaultwarden maintenance is a PITA. Without docker it failed, using it now using Docker. Vaultwarden in Nix works, but still a blackbox. Need to get more info on the internals in case something breaks.
|
||||
* Pref solution: doubting: upfront time investment is not a problem. Is API usage by the Nix developers an obstabcle? Barrier as low as possible.
|
||||
* Choose something now, no multiple options.
|
||||
* Nicolas
|
||||
* agenix prefered when talking about Git type of solutions
|
||||
* Big question: git vs application
|
||||
* Pref solution: agenix one person setup, bootstrapping would be easier for me. Might need a bit more time to look into applications API's.
|
||||
* Eric
|
||||
* Secrets for systems & config have diff req vs those for users. One size fits all does not apply here.
|
||||
* Pref solution: the solution with less moving parts.
|
||||
* Offers insights into experiences he has
|
||||
* Valentin
|
||||
* Vaultwarden offers all the features we need.
|
||||
* Passbolt needs to be researched to check for feature parity.
|
||||
* Vaultwarden is already used by Procolix.
|
||||
* Secrets application connects to NixOps via a resource provider
|
||||
* Pref solution: application route.
|
||||
* Domain experts have already thought about this.
|
||||
* Gheorghe:
|
||||
* Backup & restore should be taken into consideration as well. Test restoring with the solution you choose.
|
||||
* Pref solution: keep eye on what to deliver. Nicholas has to deliver, so +1 with Nicolas.
|
||||
* Other solution features need to be taken into account: e.g. MFA etc.
|
||||
* Bjorn
|
||||
* Using an application has the added benefit: users may use this as part of the services offered by Fediversity.
|
||||
* Pref solution: what's the exit plan? Do we have an exit plan? Should check the docs for import/export for both solutions. An application would be my preference.
|
||||
* Ronny
|
||||
* Users usecase
|
||||
* Sysadmin usecase
|
||||
* Systems usecase
|
||||
* TIL Agenix, interesting.
|
||||
* Diff between users facing & systems
|
||||
* Pref solution: for sysadmins/users: app like Vaultwarden & for inter systems git
|
||||
* Robert
|
||||
* In NixOps there's state incl secrets
|
||||
* secrets could also be transferred to the secrets management tool
|
||||
* NixOps can call an app to generate secrets. Resource providers can stored this.
|
||||
* Pref solution: git based, because Robert is more adapted to git.
|
||||
* Kevin
|
||||
* Not so aquintainted with this topic
|
||||
* If stuff fails it would be worthwhile to be able to access it.
|
||||
* Pref solution: Vaultwarden. Api looks pretty good.
|
||||
* Richard:
|
||||
* Worked with Vaultwarden & Bitwarden. Not nec pref.
|
||||
* Only experienced the UI side not the CLI side.
|
||||
* Pref solution: open to both solutions
|
||||
|
||||
|
||||
Loading…
Add table
Reference in a new issue