From 01c28de88dbe92831189e751d2e1522cad9280e2 Mon Sep 17 00:00:00 2001 From: Daniel Barlow Date: Thu, 29 Aug 2024 23:56:20 +0100 Subject: [PATCH] think --- THOUGHTS.txt | 43 +++++++++++++++++++++++++++++++++++-------- 1 file changed, 35 insertions(+), 8 deletions(-) diff --git a/THOUGHTS.txt b/THOUGHTS.txt index c6f7e1f..b96a3b3 100644 --- a/THOUGHTS.txt +++ b/THOUGHTS.txt 
@@ -5921,24 +5921,51 @@ Wed Aug 28 21:36:47 BST 2024 new TODO -1) to finish local secrets, we need a service and script that gets the -file, decrypts it and turns it to outputs. Easiest way is to use a -temp file in /run/${name} and then use json-to-tree: there's no -extra risk to having the plaintext json there when it's in the -same place anyway as fstree +[done, neeeds testing] 1) to finish local secrets, we need a service +and script that gets the file, decrypts it and turns it to +outputs. Easiest way is to use a temp file in /run/${name} and then +use json-to-tree: there's no extra risk to having the plaintext json +there when it's in the same place anyway as fstree 1.5) and test the process and write some docs 2) perhaps we should use /run/services/var/${name} instead of /run/${name} to avoid surprise conflicts. or we could use the existing mkstate? +mkstate is setting perms 2751 and I don't know if that's important, +but we want 0700 for secrets - -3) http auth - we have netrc file support "for free", so to speak: +[done] 3) http auth - we have netrc file support "for free", so to speak: fetch-freebsd looks for $NETRC or $HOME/.netrc. If we put the auth tokens in configuration, they will get embedded into the image and this will protect against leaked http server logs but not much else. - Scenario: you have a LAN with untrusted devices on it, plus WAPs which want to get their config from a server. If the server logs leak, other LAN users still can't use the config URL to fetch your PPP auth data. +I think it just comes down to docs/video now + + +-=---- + +docs! + +to cover: + +- outputs + - what for + - how to read? + - one-off read in shell + - monitoring in fennel + - how to write + +- secrets + - sources + - https + - local/tang + - supported services/attributes + - how to add a new attribute + - how to add a service + - how it works (see outputs) + + +think this is mostly to go in Configuration. Is there anything for Admin?
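Review bot: the new line after item 2, "mkstate is setting perms 2751 and I don't know if that's important, but we want 0700 for secrets", raises a question the hunk leaves open while item 1 is already marked "[done, neeeds testing]". Because the service in item 1 writes the decrypted JSON as plaintext under /run/${name} before json-to-tree consumes it, the mode of that directory is the only thing keeping other local users from reading the secrets, so the TODO should either settle the 2751-versus-0700 question (is the setgid bit and group read/execute on mkstate's directory required by anything else?) or state that the secrets service creates its own 0700 directory instead of relying on mkstate's default. It would also help to record the same caveat for item 3 in the docs outline under "secrets / sources / https": as the existing paragraph says, tokens placed in configuration end up embedded in the image, so netrc support protects against leaked HTTP server logs but not against anyone who can read the image. Minor: "neeeds" in the rewritten item 1 is a typo.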