diff --git a/README.md b/README.md index 9470207..a1214ba 100644 --- a/README.md +++ b/README.md @@ -51,13 +51,13 @@ Check, double-check and triple-check the changes that Terraform wants to apply. This project uses [pre-commit](https://pre-commit.com/) to automatically run some checks before commiting changes. Run `pre-commit install` to install the git hook. Now, pre-commit will run automatically before every commit, hopefully preventing you from commiting stupid things. -### Secrets +## Secrets Secrets are encrypted using [sops](https://github.com/getsops/sops) and [age](https://github.com/FiloSottile/age). The public keys for the age encryption are stored in the repository, so that anyone can encrypt secrets for the repository. Your private key is stored in your password manager and is only available to you. If you want to roll out changes to the actual infrastructure, you need to be able to decrypt the secrets. To do so, your private key needs to be used as a recipient for the age encryption by someone that previously had access to the secrets. If you don't have access to the secrets, ask someone who does. If you don't know who that is, you probably shouldn't be rolling out changes to the infrastructure. -#### Decrypting Secrets +### Decrypting Secrets To be able to decrypt secrets, sops needs to know where your private key is stored. This is done by setting the `SOPS_AGE_KEY_FILE` environment variable to the path of your private key or passing it directly by setting the `SOPS_AGE_KEY` environment variable. 
@@ -69,7 +69,7 @@ sops --decrypt stuff.enc.yaml > stuff.yaml Terraform is using the [carlpett/sops](https://registry.terraform.io/providers/carlpett/sops/latest/docs) provider to decrypt secrets. This provider is configured to use these environment variables, so you don't need to do anything else. -#### Encrypting Secrets +### Encrypting Secrets To encrypt secrets, you need to have the public keys of the recipients. These are stored in the repository, so you can just use them. The public keys are stored in the `sops-age-recipients.txt` file. To encrypt a secret, load the public keys from this file to your `SOPS_AGE_RECIPIENTS` environment variable and then use sops to encrypt the secret. 
@@ -78,6 +78,20 @@ export SOPS_AGE_RECIPIENTS="$(cat sops-age-recipients.txt)" sops --encrypt stuff.yaml > stuff.enc.yaml ``` -#### Modifying Secrets +### Modifying Secrets To modify secrets, run `sops stuff.enc.yaml` and edit the file with your default `$EDITOR`. When you save the file, sops will automatically decrypt and re-encrypt the file. Alternatively, you can also use `sops --decrypt stuff.enc.yaml > stuff.yaml` to decrypt the file and then edit it. When you're done, use `sops --encrypt stuff.yaml > stuff.enc.yaml` to re-encrypt the file. Make sure to remove the unencrypted file afterwards. + +## Onboarding new people + +Onboarding new people mostly requires setting up access to the encrypted files and the server. Before onboarding new people, make sure that they are kind of trustworthy and that they know what they are doing. The tools used here and Linux systems in general should not be anything new to them. + +### Secrets access + +To onboard a new person, you need to add their public age key to the repository. To generate one, the person needs to run `age-keygen -o keys.txt` to generate a new key pair. The `keys.txt` file needs to be placed in the age configuration directory for the used system, e.g. `$XDG_CONFIG_HOME/sops/age/keys.txt`, `$HOME/Library/Application Support/sops/age/keys.txt` or `%AppData%\sops\age\keys.txt`. Then, add the public key to the `sops-age-recipients.txt` file in this repository. Commit the changes and push them to the repository. + +Now, some person that already has had access to all the secrets needs to re-encrypt them with the updated sop-age-recipients. To do so, run `sops --rotate --in-place stuff.enc.yaml` for every encrypted file in the repository. Commit the changes and push them to the repository. + +### Server access + +Server access is done using SSH keys. To onboard a new person, a person that already has access needs to add the new person's public SSH key to the server. 
The public key needs to be added to the `~/.ssh/authorized_keys` file of the `hausmeister` user on the server. The new person can then log in using their private SSH key. diff --git a/aws_key.enc b/aws_key.enc index b4f3eda..a4322fb 100644 --- a/aws_key.enc +++ b/aws_key.enc @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:JEWQ5oDpbR+mIJpTdrMBoacpUxnUA8J1EAU+0H/XIJurHGD6lveZ5FJusjAHcFHCKuG4zblKUi2OQ1gsF9Nnabfugvr7s1KnuQgqOIWqrhKzhdlj6llbNSIs2eM1pN2esZ5b8G1aBueobfHQXNuaU76kavG547nE1Q==,iv:mz0kG3Mfv2nWZIr+pfj1q9QZdda1IoL2HXE75HVQQss=,tag:oIISoRuNbil3/smqAw8otQ==,type:str]", + "data": "ENC[AES256_GCM,data:htWtizDVB1j6596IgQU066rRFNo4KLTfyu6QRT0EaeyBMxAbaAWhgusPb1avDFdBCljlLG2lDR4DzcvjaGdCX5pOQA76dOW9gpKBCstQQsAnF+QT7oxCl4RSLJNQaxCVt8zGaZkiwGPdm1NQkMXqSKQsQmy13+gnVA==,iv:mz0kG3Mfv2nWZIr+pfj1q9QZdda1IoL2HXE75HVQQss=,tag:JnCTYDEUCC8S9Y07P/HqmA==,type:str]", "sops": { "kms": null, "gcp_kms": null, 
@@ -8,11 +8,11 @@ "age": [ { "recipient": "age1zwv4tl8ws6ke8wseenq4lrwcck3el2wandlgztefz9v4qdlnwu7saw7g8z", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzOEp1ZDZmSEhDN3hMZDRi\ndXZIVStVbXJVL0hzWmRaNWNoTmVhMURWYkhJCjFXQm13NVY5Rkt5K0FsRHk2cmdx\nVUhQOVc0YXhVQm94Rmt5bnhjSjBTKzQKLS0tIEVsRXk4UTJoYVpCYlRFVFhIVW1l\nMklzSC9kS3BwMGU2SWgxM2ltMWh6RDgKFItY+3CFsLHEjUtmANyoQ+lLA7zfESWy\nkU+z8YNEM5rwECJAdZiqp8/nJalSRfeYYtdzw/7dNxsGGelNgibBKA==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwelIybmtyeU5waUdhYzJu\nM0pmVFI5bVZDYlB6YUFKS0JDem9WYTMxY2lZCmt5M2pmUEZLZldDV2hNRmNETUVN\nM0RGVEp5cHU5VWpNaUdDK0Jmb0pVdHMKLS0tIHJJWXZxQ0IwQm5qZEpjekNrK3NP\nOS9yQWsxZ2YzZTJIajNhd3NFbC8wNmMKhzTifvzN5C0KOzoxfTY1MOKDaNhyGOds\nivGkhrjzs3mjP446Tk65PTAZJehLj8/+MqbZ3WyQQ5teo/WF2VIzVg==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2024-01-25T17:29:23Z", - "mac": "ENC[AES256_GCM,data:/zhb5hGJLQvfn/1Cqu0CW/Fplq50ohWqif9hIqE9vvhAUp/r7nOSE108dEYA2/mo20yagsf5re9K92zGywPIoPYwKF1Uzm3vWuZnXST5erW3kKuSTVVzt9j3265mWx/uZi+5h+pY4/g1i10qKQV2FF8h1uwOnChSQglLbnlEE2k=,iv:Nqc3G7Ze5dAv/HEbrE1TxJsrtjwxs8A8+okceUy7gC0=,tag:i+mvDXkudii/fGaeISYkmA==,type:str]", + "lastmodified": "2024-01-25T18:34:11Z", + "mac": "ENC[AES256_GCM,data:l6jipTQU86qdTO3OJ9lIrnU7z7pivtne4oC0n2ClMZu2hs02We73/a0+RQuLsWvdiBIL06n+tVD25Dxsr9LYP9jUTPXknrJw21Jb0QncNdxCklSXJ2my+iscao9DBz73h1W6UxAj3IuIYn6FTyKywbgoc5w4QjXP3++E7e/Ly7s=,iv:8eFn6Gw6KwCt8G7BoZBcg3yFtqK3EeDc7AVfVANqdE0=,tag:4250lR3ndO3qW/LkH/bPYg==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.8.1"
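Review bot: while promoting the headings in the `@@ -51,13 +51,13 @@` README hunk, also fix the two `commiting` typos in its unchanged context (`before commiting changes`, `commiting stupid things`) to `committing`; the hunk already sits on that paragraph, so the correction belongs in this change rather than a follow-up.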
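Review bot: in the `@@ -78,6 +78,20 @@` README hunk the onboarding flow does not explain how `sops --rotate --in-place stuff.enc.yaml` learns about the new recipient: unlike the "Encrypting Secrets" section, which first runs `export SOPS_AGE_RECIPIENTS="$(cat sops-age-recipients.txt)"`, the onboarding steps only edit `sops-age-recipients.txt` and commit it, then call rotate with no recipient argument, so either add the export step or state the exact flag that adds the new key, and verify it on one file before documenting it. Three smaller points in the same hunk: `sop-age-recipients` should read `sops-age-recipients.txt`; the "Secrets" section above says the private key lives in your password manager, while this hunk tells the new person to put `keys.txt` under `$XDG_CONFIG_HOME/sops/age/` or the macOS/Windows equivalents, so say which one is authoritative (or that the config-directory copy is restored from the password manager) and that only the public key, never `keys.txt`, goes into the repository; and "make sure that they are kind of trustworthy" should name who approves onboarding. An offboarding paragraph (remove the recipient, rotate every file, remove the line from `authorized_keys` of the `hausmeister` user) is the natural counterpart and is missing.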
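Review bot: in the `@@ -1,5 +1,5 @@` hunk of `aws_key.enc` the `iv:mz0kG3Mfv2nWZIr+pfj1q9QZdda1IoL2HXE75HVQQss=` value is byte-identical before and after while the `data:` ciphertext and `tag:` changed, so either the plaintext or the data key changed under the same nonce; since the age-wrapped data key in the next hunk also changed, this reads as a `sops --rotate` of unchanged plaintext, which is fine for AES256_GCM only because the key was replaced. State in the commit message that this file was rotated, not edited, and consider keeping the secret rotation in its own commit instead of bundling it with README heading changes, so that reverting the documentation never reverts a key rotation.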
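Review bot: in the `@@ -8,11 +8,11 @@` hunk of `aws_key.enc` the `age` array still lists exactly one recipient (`age1zwv4tl8ws6ke8wseenq4lrwcck3el2wandlgztefz9v4qdlnwu7saw7g8z`) after the rotation, so this commit rotated the data key without adding anyone and the onboarding procedure introduced in the README was not exercised here. With a single recipient every secret in the repository depends on one private key, which contradicts the README's "ask someone who does" fallback; either add the second recipient in this change or document explicitly that there is currently only one key holder. The `lastmodified` bump from `17:29:23Z` to `18:34:11Z` and the new `mac` are consistent with a rotate and need no further comment.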