Open domenkozar opened 8 years ago
Questions:
If our only secret is a GitHub API token, and it is only used by Snabb Bot, and we can revoke it and issue a new one at any time, then I don't think Blackbox helps us. However, we might want to either set up a minimal secure environment for running Snabb Bot or make sure the secrets are not dangerous.
I am not sure what secrets Hydra uses...?
Could be that running both Hydra and NixOps on the same server is problematic, i.e. giving the whole community root access to the CI machine. Could consider separating those somehow.
What secrets do we have? Where do they need to be used?
Currently we have two for Hydra: one to sign built packages and one SSH key pair for Hydra to access build slaves. These keys are now present on eiger and my machine.
In the very near future we'll need a GitHub API token for Snabb Bot, as you've said. If that's a read-only token we can expose it to the public, as it's public access anyway.
I would limit access to eiger to only those working with infrastructure, to avoid any disasters. https://github.com/snabblab/snabblab-nixos/issues/19 would get rid of the NixOps dependency and reduce human error at deployments (I'd really like that, as it will improve our QA).
We could just use nixops to copy them on bootstrap: http://permalink.gmane.org/gmane.linux.distributions.nixos/20368
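The "copy them on bootstrap" approach above, as an added example of a NixOps key declaration; this is not from the snabblab-nixos repository, and the file paths, user names and the snabbbot service are assumptions. The point is that `deployment.keys` uploads the files over SSH at deploy time into `/run/keys` (a tmpfs), so the secrets never enter the git repository or the Nix store and are readable only by the owning user:

```nix
# Added example, not the snabblab-nixos deployment. Secrets are kept in a
# directory outside the repository on the deployer's machine (assumed path
# ../secrets) and are uploaded by NixOps rather than committed or built.
{
  eiger = { config, pkgs, ... }: {
    # Hydra's package signing key; readable only by the hydra user.
    deployment.keys."hydra-signing-key" = {
      keyFile = ../secrets/hydra-signing-key.sec;   # assumed path
      user = "hydra";
      group = "hydra";
      permissions = "0400";
    };

    # SSH private key Hydra's queue runner uses to reach the build slaves.
    deployment.keys."hydra-slave-ssh" = {
      keyFile = ../secrets/hydra_slave_ed25519;     # assumed path
      user = "hydra-queue-runner";
      group = "hydra";
      permissions = "0400";
    };

    # Snabb Bot's GitHub token. The file is assumed to contain a single
    # line of the form GITHUB_TOKEN=<token> so systemd can load it as an
    # EnvironmentFile without the value appearing in the unit file.
    deployment.keys."snabbbot-github-token" = {
      keyFile = ../secrets/snabbbot-github-token;   # assumed path
      user = "snabbbot";
      group = "snabbbot";
      permissions = "0400";
    };

    users.groups.snabbbot = {};
    users.users.snabbbot = {
      isSystemUser = true;
      group = "snabbbot";
    };

    # Assumed unit for Snabb Bot. NixOps creates a <name>-key.service for
    # every key; ordering after it guarantees the token exists in /run/keys
    # before the bot starts, including after a reboot plus `nixops send-keys`.
    systemd.services.snabbbot = {
      description = "Snabb Bot CI runner (assumed unit)";
      after = [ "network.target" "snabbbot-github-token-key.service" ];
      wants = [ "snabbbot-github-token-key.service" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        User = "snabbbot";
        Group = "snabbbot";
        EnvironmentFile = "/run/keys/snabbbot-github-token";
        ExecStart = "/var/lib/snabbbot/run.sh";     # assumed path
      };
    };
  };
}
```

Two caveats a practitioner would want: `/run/keys` is a tmpfs, so after a reboot of eiger the keys are gone until `nixops send-keys` (or `nixops deploy`) runs again, which is why the service orders after the `-key.service` unit instead of assuming the file exists; and the secrets still sit unencrypted on every machine that holds the NixOps state, which is the reason for limiting deploy access to the people working on infrastructure.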
We'll need this very very soon now that davos is running NixOS. cc @eugeneia
Current solution is to store GitHub credentials for SnabbBot on eiger. For now I am satisfied with that. My proposed solution is to have a private repository that is a fork of snabblab-nixos which has a long lived branch that adds the secrets.
I'd do that + encrypting the files and sharing the key only through private conversations.
Encrypting anything seems overkill to me. Just have the secrets in a private repo, give access only to people who have to touch eiger. E.g. repo access would be the key.
With Hydra and snabb bot we have to store secrets besides the deployment. We don't want them to be exposed, so maybe we should consider encrypting them into git.
https://github.com/StackExchange/blackbox