| 25 May 2022 |
@mic92:nixos.dev | Not sure what the best channel for this question is, but do you have some automation/recommendation on how to bootstrap vault access on new machines? | 10:41:04 |
| 27 May 2022 |
@grahamc:nixos.org | hardware? | 13:23:17 |
@grahamc:nixos.org | * bare metal hardware that you own? | 13:23:23 |
@grahamc:nixos.org | Mic92: ^ | 13:23:49 |
@grahamc:nixos.org | for people I push them through logging in with google apps, for bare metal hardware I was working on this but didn't end up needing it: https://github.com/grahamc/vault-credential-yubikey | 13:24:45 |
@grahamc:nixos.org | (but it completely works) | 13:24:56 |
@mic92:nixos.dev | In reply to @grahamc:nixos.org Mic92: ^ Let's say something cloud-vendor neutral. I need to be able to migrate if possible. | 13:25:26 |
@grahamc:nixos.org | I'd use whatever auto auth method you can that's built in to vault; trying to remain vendor neutral on that is (imho) missing out on a lot of really good security engineering | 13:26:34 |
@grahamc:nixos.org | ie: AWS, Azure, GCP, etc. all have built-in automatic authentication mechanisms that I'd take advantage of | 13:27:13 |
@mic92:nixos.dev | Do you usually deploy vault enterprise? | 13:27:24 |
@grahamc:nixos.org | no | 13:27:36 |
@grahamc:nixos.org | I don't have that kind of budget 😓 | 13:27:53 |
@mic92:nixos.dev | Ok. How do you manage TLS? I just bootstrapped something with cfssl for now | 13:29:11 |
@mic92:nixos.dev | And also how do you unseal? | 13:29:18 |
@grahamc:nixos.org | letsencrypt | 13:29:20 |
@grahamc:nixos.org | https://learn.hashicorp.com/tutorials/vault/autounseal-aws-kms | 13:29:50 |
@grahamc:nixos.org | this is how we generally integrate vault with our services: https://github.com/DeterminateSystems/nixos-vault-service | 13:30:04 |
@mic92:nixos.dev | Ah, I thought aws kms unseal is only available in the enterprise edition | 13:30:35 |
@grahamc:nixos.org | nope | 13:30:40 |
@mic92:nixos.dev | Which is why I did not use it | 13:30:43 |
@grahamc:nixos.org | kms unseal + dynamodb as the backend | 13:31:03 |
@grahamc:nixos.org | makes it relatively easy to deploy using AMIs and not permit SSH access to the vault hosts | 13:31:25 |
@grahamc:nixos.org | (which is considered best practice for vault servers) | 13:31:58 |
@mic92:nixos.dev | So to update your vault server, you have to upload a new AMI? | 13:33:50 |
@grahamc:nixos.org | that is the recommended best-practice for managing Vault servers, yeah | 13:34:05 |