!UKDpaKNNsBpOPfLWfX:zhaofeng.li

Colmena

297 Members
A simple, stateless NixOS deployment tool - https://github.com/zhaofengli/colmena101 Servers

Load older messages


SenderMessageTime
10 Feb 2022
@winterqt:nixos.devWinter (she/her)
In reply to @buckley310:matrix.org
At work I use a smartcard to deploy stuff, and my computer never sees the private key. It can also be done with yubikeys since the can emulate smartcards
But for YubiKeys to be secure, you need to set it to require touch for every signing action -- which would get extremely annoying with how often Colmena invokes ssh. Of course, you could use ControlMaster, but what if you're deploying 40 hosts? You'd still need to touch it 40 times 😅
04:20:08
@buckley310:matrix.orgBuckleyyeah, i dont do that lol04:20:40
@zhaofeng:zhaofeng.liZhaofeng Li* An alternative solution is with short-lived SSH certificates, signed by an SSH CA that relies on some other authentication methods (OIDC, GitHub, etc.). Instead of allowing specific keys, the servers will simply trust the CA.04:21:30
@zhaofeng:zhaofeng.liZhaofeng Li That said, some "hardware crypto wallet"-like thing would definitely be cool 04:22:08
@buckley310:matrix.orgBuckleyI just unlock the smartcard and it works until i yank it out04:22:10
@zhaofeng:zhaofeng.liZhaofeng Li... perhaps a little LCD display that shows you the hostname and the command04:23:23
@winterqt:nixos.devWinter (she/her)
In reply to @buckley310:matrix.org
I just unlock the smartcard and it works until i yank it out
~~but then random software can use it~~
04:26:22
@buckley310:matrix.orgBuckleyits not perfect04:26:47
@winterqt:nixos.devWinter (she/her)seems like no solution is04:42:50
@winterqt:nixos.devWinter (she/her) which is what i'm complaining about, lol
isn't ideal but it's what we have, ig
04:43:10
@winterqt:nixos.devWinter (she/her)the SSH certificate thing looks cool, i'll definitely look into it -- how do you handle stuff like Git forges who won't trust CAs, tho? do you just have a key for those?04:44:23
@zhaofeng:zhaofeng.liZhaofeng LiFor the random software problem, perhaps we need stronger compartmentization between applications, like in Qubes and lately SpectrumOS (with Nix)04:44:48
@zhaofeng:zhaofeng.liZhaofeng Li
In reply to @winterqt:nixos.dev
the SSH certificate thing looks cool, i'll definitely look into it -- how do you handle stuff like Git forges who won't trust CAs, tho? do you just have a key for those?
True, for those use cases you would still need a regular key 🙁
04:45:38
@winterqt:nixos.devWinter (she/her)how well does Vault work as a CA, btw?04:56:30
@zhaofeng:zhaofeng.liZhaofeng Li
In reply to @winterqt:nixos.dev
how well does Vault work as a CA, btw?
Fairly usable I'd say. The user experience is slightly awkward for the client certificate, because you pretty much need a helper script or alias to avoid typing the long vault ssh ... or vault login && vault write ... && ssh incantation
05:10:23
@zhaofeng:zhaofeng.liZhaofeng LiI followed this blog post for the setup: https://brian-candler.medium.com/using-hashicorp-vault-as-an-ssh-certificate-authority-14d713673c9a05:11:35
@winterqt:nixos.devWinter (she/her)hm, neat.13:33:51
@github:maunium.net@github:maunium.net [zhaofengli/colmena] pinpox opened issue #57: Option to remove secrets

Would it be possible to add some mechanism to remove secrets when they are removed from the configuration?

Consider two configured secrets like this:

            keys = {
              "test-secret1" = {
                keyCommand = [ "pass" "show" "nixos-secrets/ahorn/borg/passphrase" ];
                destDir = "/var/src/colmena-keys"; 
              };
          };
14:01:20
@github:maunium.net@github:maunium.net [zhaofengli/colmena] pinpox edited issue #57: Option to remove secrets 14:03:44
@github:maunium.net@github:maunium.net [zhaofengli/colmena] pinpox edited issue #57: Option to remove secrets 14:06:04
@pinpox:matrix.orgpinpox joined the room.14:16:35
@pinpox:matrix.orgpinpoxWhops, sorry for the "edited issue.." spam. 14:17:32
@pinpox:matrix.orgpinpoxHey, does anyone have a solution on how to make sure secrets no longer present in deployment.keys are deleted?16:03:29
@pinpox:matrix.orgpinpoxCan I use system.activationScripts for it?16:03:42
@janejasperous:one.ems.hostJane JasperousMaybe you can deploy into tmpfs and use impermanence module16:11:53
@zhaofeng:zhaofeng.liZhaofeng Li
In reply to @pinpox:matrix.org
Can I use system.activationScripts for it?
I commented with a potential solution.
18:57:37
@zhaofeng:zhaofeng.liZhaofeng Li
In reply to @pinpox:matrix.org
Whops, sorry for the "edited issue.." spam.
No worries - I'm planning to replace the bot regardless since it's pretty spammy even in the normal case (3 link previews for a message)
18:58:17
11 Feb 2022
@pinpox:matrix.orgpinpox Zhaofeng Li: Just saw it, thank you! 07:43:22
@pinpox:matrix.orgpinpoxThat is a possible solution, but wouldn't it be nice to have an option to execute commands preo/post deployment anyways? I imagine that could come in handy regardless of secrets07:44:10
@cw:kernelpanic.cafeChuck Winter joined the room.07:51:13

There are no newer messages yet.


Back to Room ListRoom Version: 6