27 May 2022 |
@grahamc:nixos.org | as long as you set up clustering | 13:36:56 |
@grahamc:nixos.org | I'd recommend spending a few days to a week playing with vault, setting up a lab, doing clustering, failovers, seal / unseal / etc. | 13:37:21 |
Mic92 (Old) | I probably won't for now. I would be interested if I later on can migrate to such a setup, if required. | 13:38:04 |
@grahamc:nixos.org | if you're not going to run multiple vault servers then I would probably recommend either using HCP Vault, or recommend against using vault | 13:38:40 |
@grahamc:nixos.org | it tends to quickly become an incredibly important cornerstone to infrastructure and it can be somewhat catastrophic if it goes down | 13:39:08 |
Mic92 (Old) | Ok. So I thought that short downtimes can be handled because vault agent is also caching stuff? | 13:40:10 |
@grahamc:nixos.org | the vault agent caches some stuff but not everything | 13:40:29 |
@grahamc:nixos.org | and also short downtimes are not so problematic :) | 13:40:38 |
@grahamc:nixos.org | and running 3 machines is relatively cheap | 13:40:49 |
@grahamc:nixos.org | well, caveat | 13:41:04 |
@grahamc:nixos.org | if this is for personal use, go to town -- I have a single-node vault machine in my basement :P | 13:41:14 |
Mic92 (Old) | It's a bit more serious in my case I think | 13:41:42 |
@grahamc:nixos.org | but for work stuff, we take the precautions | 13:41:43 |
@grahamc:nixos.org | what's it for? | 13:42:06 |
Mic92 (Old) | For a customer | 13:42:31 |
@grahamc:nixos.org | unless you're running your own Vault plugins, I would recommend using HCP Vault | 13:42:50 |
Mic92 (Old) | I might actually want this in future :) | 13:43:33 |
@grahamc:nixos.org | (I'd never run a vault instance for a customer) | 13:43:39 |
@grahamc:nixos.org | re cfssl for TLS: trust in public TLS infrastructure is well established as a thing I do in other areas of my threat model, so I didn't feel the need to run my own TLS CA for vault | 13:53:40 |
Mic92 (Old) | My initial motivation was that I could then limit egress to only specific targets if I did not have to rely on letsencrypt | 14:14:14 |
Mic92 (Old) | In reply to @grahamc:nixos.org ("the vault agent caches some stuff but not everything"): Ok. What information does vault not cache? | 14:45:34 |
@grahamc:nixos.org | I think some secrets are not cacheable | 14:45:45 |
@grahamc:nixos.org | but not sure | 14:45:47 |