@@ -37,45 +37,17 @@ cardano-playground organization, then store your access key in
3737 aws_access_key_id = XXXXXXXXXXXXXXXXXXXX
3838 aws_secret_access_key = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
3939
40- ## AGE
40+ ## AGE Admin
4141
42- While cluster secrets are handled using AWS KMS, per machine secrets are
43- handled using sops-nix age. For sops-nix age secrets access, place the
44- SRE cluster secret in ` ~/.age/credentials ` :
42+ While cluster secrets shared by all machines are generally handled using AWS
43+ KMS, per machine secrets are handled using sops-nix age. However, an admin age
44+ key is still typically desired so that all per machine secrets can be decrypted
45+ by an admin or SRE. A new age admin key can be generated with ` age-keygen ` and
46+ this should be placed in ` ~/.age/credentials ` :
4547
4648 # cardano-playground: sre
4749 AGE-SECRET-KEY-***********************************************************
4850
49- If needed, a new secret can be generated with ` age-keygen ` .
50-
51- ## SSH
52-
53- If your credentials are correct, and the cluster is already provisioned with
54- openTofu infrastructure, you will be able to access SSH after creating an
55- ` ./.ssh_config ` using:
56-
57- just save-ssh-config
58-
59- With that you can then get started with:
60-
61- # List machines
62- just list-machines
63-
64- # Ssh to a newly provisioned machine
65- just ssh-bootstrap $MACHINE
66-
67- # Deploy to a newly provisioned machine
68- just apply-bootstrap $MACHINE
69-
70- # Ssh to a machine already deployed
71- just ssh $MACHINE
72-
73- # Deploy to a machine already deployed
74- just apply $MACHINE
75-
76- # Find many other operations recipes to use
77- just --list
78-
7951## Cloudformation
8052
8153We bootstrap our infrastructure using AWS Cloudformation, it creates resources
@@ -116,6 +88,29 @@ Similarly, for monitoring resources:
11688 just tofu grafana plan
11789 just tofu grafana apply
11890
91+ ## SSH
92+
93+ If your credentials are correct, and the cluster is already provisioned with
94+ openTofu infrastructure, you will be able to access SSH after creating an
95+ ` ./.ssh_config ` and nix ip module information using:
96+
97+ just save-ssh-config
98+ just update-ips
99+
100+ With that you can then get started with:
101+
102+ # List machines
103+ just list-machines
104+
105+ # Ssh to a newly provisioned machine
106+ just ssh-bootstrap $MACHINE
107+
108+ # Ssh to a machine already deployed
109+ just ssh $MACHINE
110+
111+ # Find many other operations recipes to use
112+ just --list
113+
119114## Colmena
120115
121116To deploy changes on an OS level, we use the excellent
@@ -133,16 +128,62 @@ To subsequently deploy a machine:
133128
134129## Secrets
135130
136- Secrets are encrypted using [ SOPS] ( https://github.com/getsops/sops ) and [ KMS] ( https://aws.amazon.com/kms/ ) .
131+ Secrets are encrypted using [ SOPS] ( https://github.com/getsops/sops ) with
132+ [ KMS] ( https://aws.amazon.com/kms/ ) and
133+ [ AGE] ( https://github.com/FiloSottile/age ) .
137134
138135All secrets live in ` ./secrets/ `
139136
140- You should be able to edit a KMS or sops age secret using:
137+ KMS encryption is generally used for secrets intended to be consumed by all
138+ machines as it has the benefit over age encryption of not needing re-encryption
139+ every time a machine in the cluster changes. To sops encrypt a secret file
140+ intended for all machines with KMS:
141+
142+ sops --encrypt \
143+ --kms "$KMS" \
144+ --config /dev/null \
145+ --input-type binary \
146+ --output-type binary \
147+ $SECRET_FILE \
148+ > secrets/$SECRET_FILE.enc
149+
150+ rm unencrypted-secret-file
151+
152+ For per-machine secrets, age encryption is preferred, where each secret is
153+ typically encrypted only for the target machine and an admin such as an SRE.
154+
155+ Age public and private keys will be automatically derived for each deployed
156+ machine from the machine's ` /etc/ssh/ssh_host_ed25519_key ` file. Therefore, no
157+ manual generation of private age keys for machines is required and the public
158+ age key for each machine is printed during each ` colmena ` deployment, example:
159+
160+ > just apply machine
161+ ...
162+ machine | sops-install-secrets: Imported /etc/ssh/ssh_host_ed25519_key as age key with fingerprint $AGE_PUBLIC_KEY
163+ ...
164+
165+ These machine public age keys become the basis for access assignment of
166+ per-machine secrets declared in [ .sops.yaml] ( .sops.yaml )
167+
168+ A machine's age public key can also be generated on demand:
169+
170+ just ssh machine -- "'ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub'"
171+
172+ A KMS or age sops secret file can generally be edited using:
141173
142174 sops ./secrets/github-token.enc
143175
144- Or simply decrypt a KMS or sops age secret with:
176+ Or simply decrypt a KMS or age sops secret with:
145177
146178 sops -d ./secrets/github-token.enc
147179
148- See also the ` just sops-<encrypt|decrypt>-binary ` and similar recipes for encrypting or decrypting age binary blobs.
180+ In cases where the decrypted data is in json format, sops args of `--input-type
181+ binary --output-type binary` may also be required to avoid decryption embedded
182+ in json.
183+
184+ See also related sops encryption and decryption recipes:
185+
186+ just sops-decrypt-binary "$FILE" # Decrypt a file to stdout using .sops.yaml rules
187+ just sops-decrypt-binary-in-place "$FILE" # Decrypt a file in place using .sops.yaml rules
188+ just sops-encrypt-binary "$FILE" # Encrypt a file in place using .sops.yaml rules
189+ just sops-rotate-binary "$FILE" # Rotate sops encryption using .sops.yaml rules
0 commit comments