think
This commit is contained in:
parent
5db9d7269e
commit
47e96ddc15
73
THOUGHTS.txt
73
THOUGHTS.txt
@ -5421,3 +5421,76 @@ gateway with the pppoe service instead of building it _in_ the profile,
|
||||
we can have gateways with other-than-pppoe for the wan
|
||||
|
||||
(for a straight lte uplink, could pass the wwan interface as wan)
|
||||
|
||||
Fri Aug 2 20:18:38 BST 2024
|
||||
|
||||
Some thoughts about secrets
|
||||
|
||||
1) clevis/tang is a mechanism to have encrypted local secrets that
|
||||
can't be decrypted unless a particular network host is present. This
|
||||
means we can reboot it unattended without having plaintext on the device,
|
||||
but it doesn't address getting the secrets onto the device.
|
||||
|
||||
when is this useful?
|
||||
|
||||
- someone steals the router and doesn't steal the tang server, they can't have my secrets
|
||||
|
||||
when not?
|
||||
|
||||
- someone compromises the machine, gets root, and looks in /run
|
||||
- doesn't address key rotation
|
||||
|
||||
2) hashicorp vault or something like it can download secrets from
|
||||
a networked server - then we just plonk them in /run. But I don't want
|
||||
to pay for vault itself, so "something like" are the key words there
|
||||
|
||||
3) Is sops relevant here? could we keep secrets in a big sops json/yaml
|
||||
and serve the decrypted file over https?
|
||||
|
||||
==== so we have a plan, I think =====
|
||||
|
||||
1) a secrets service that retrieves the secrets from some directory1
|
||||
that isn't /nix/store and copies them to its outputs with minimal
|
||||
permissions. Services that need secrets can depend on the secrets
|
||||
service and be restarted when secrets change
|
||||
|
||||
1b) a service that monitors changes in secrets (e.g. using inotify
|
||||
on /run/services/outputs/foo/bar) potentially doesn't need to restart
|
||||
when the secrets change, so how do we know which ones to pass over?
|
||||
This is a performance optimisation not a correctness issue
|
||||
|
||||
2) as (1) but the secrets are encrypted and we use clevis to decrypt
|
||||
|
||||
3) a secrets service that fetches the decrypted secrets as a JSON file
|
||||
using HTTPS. We can use this ourselves with SOPS and it will be easy
|
||||
to adapt for Vault users.
|
||||
|
||||
(What about fetching _encrypted_ secrets with https and then
|
||||
decrypting locally? I don't think we can do this with clevis because
|
||||
the machine that encypts has to be the machine that decrypts (ICBW).
|
||||
|
||||
Sat Aug 3 22:28:24 BST 2024
|
||||
|
||||
It would be useful maybe if the secrets could survive a reboot. Fetch
|
||||
using HTTPS and then store locally using clevis. But actually all that
|
||||
does is mean we've shifted from "can see the secrets server" to "can
|
||||
see the tangd server" so maybe not especially useful
|
||||
|
||||
* We can't put passwords in the secrets unless we have a service that
|
||||
will change /etc/passwd if they change *
|
||||
|
||||
we need a service that does the HTTPS call, parses the JSON response
|
||||
and writes it as nested subdirectories
|
||||
|
||||
can we encode permissions and ownership into the file? should we?
|
||||
will some other secret store (say, Vault) know how to encode permissions
|
||||
in the same way as we arbitrarily choose to?
|
||||
|
||||
|
||||
Tue Aug 6 18:41:16 BST 2024
|
||||
|
||||
I would like to know
|
||||
|
||||
- why the docs aren't being built
|
||||
- min-copy-closure error: "cpio: unsupported cpio format, use newc or crc"
|
||||
- can we avoid rebuilding this crapload of build packages?
|
||||
|
||||
Loading…
Reference in New Issue
Block a user