10 Aug 2021 |
David Arnold (blaggacao) | So maybe yeet --formatting-script ./path/to/gparted-script could be a thing. | 02:35:19 |
@kraftnix:matrix.org | i essentially have those scripts for a standard VM (expecting /dev/vda) and full disk btrfs/zfs on BIOS/UEFI with LUKS support as well | 02:35:52 |
@kraftnix:matrix.org | you could also achieve the same with an ssh activation script, probably? | 02:36:14 |
David Arnold (blaggacao) | But that actually would not be any different from doing the same thing via ssh plain. | 02:36:20 |
David Arnold (blaggacao) | Yeah, maybe out of scope. | 02:36:44 |
David Arnold (blaggacao) | * Yeah, maybe out of scope (for `yeet`). | 02:36:56 |
@kraftnix:matrix.org | in scope for bud wrapped yeet? | 02:37:10 |
@kraftnix:matrix.org | at least my bud if i get around to it, although i shouldn't need to provision machines for a while so it would mostly be for fun | 02:38:14 |
David Arnold (blaggacao) | Hm, yeah maybe a bud format-host or something. Since the exact command might be a bit pesky to remember | 02:39:06 |
David Arnold (blaggacao) | * Hm, yeah maybe a `bud format-host` or something. Since the exact `ssh` command with all bells and whistles might be a bit pesky to remember | 02:39:45 |
David Arnold (blaggacao) | Btw., bud gained a bud burn which basically helps identify the removable media that you want to flash an iso to. | 02:40:53 |
David Arnold (blaggacao) | Like the /device/sdaX part for dd that you better get right 😁😆 | 02:41:32 |
David Arnold (blaggacao) | * Like the `/dev/sdaX` part for `dd` that you better get right 😁😆 | 02:41:44 |
@kraftnix:matrix.org | yeah, also at least for my setup I need some info back from the host, so format-host to create a new ./hosts entry would be quite useful and interactive as a devos install process. some bits of state that are somewhat required if I want to go from nothing to fully deployed during install would be to pregen root ssh keys so agenix secrets can be provisioned during install | 02:41:57 |
David Arnold (blaggacao) | I still have the vision to bootstrap and manage cryptographic host identity through an identity attestor such as Spiffe/spire or step ca | 02:44:10 |
David Arnold (blaggacao) | So that the host can claim enrollment via a one-time short lived join token. | 02:44:42 |
David Arnold (blaggacao) | But yeah, one step below that would probably sit the pregen approach. 😁 | 02:46:10 |
David Arnold (blaggacao) | * But yeah, one step "below" that would probably sit the pregen approach. 😁 | 02:46:30 |
@kraftnix:matrix.org | I like the pregen approach and use it as much as possible, getting around the chicken and egg problem is not always fun though | 02:47:20 |
David Arnold (blaggacao) | The only downside: a concrete identity is long lived. | 02:48:07 |
David Arnold (blaggacao) | But I have no idea how a short-lived but attested identity would be able to work with agenix & co 😁 | 02:48:57 |
David Arnold (blaggacao) | Like "encrypt to certificate that claims decryption access via some an attribute" | 02:51:14 |
David Arnold (blaggacao) | * Like "encrypt to certificate that claims decryption access via some cert attribute" | 02:51:27 |
David Arnold (blaggacao) | Or just against the CommonName ? | 02:52:01 |
David Arnold (blaggacao) | Or the first DNS entry? | 02:52:34 |
David Arnold (blaggacao) | (which I think is how https currently works?) | 02:52:53 |
David Arnold (blaggacao) | That would be actually neat, because it a) saves some "rekeying" and b) would allow to declare secrets ahead of time. | 02:54:03 |
David Arnold (blaggacao) | But I have no idea at all, if that is technically within the realm of possibilities. | 02:54:27 |
David Arnold (blaggacao) | * That would be actually neat, because it a) saves some "rekeying" and b) would allow to declare secrets ahead of time. (by dns name) | 02:54:47 |
David Arnold (blaggacao) | It isn't. | 02:57:50 |