path: root/README
author: Joey Hess 2014-03-31 19:12:27 -0400
committer: Joey Hess 2014-03-31 19:12:27 -0400
commit: 633778995c7d0c00c9896c19a9e02f0d7339c799 (patch)
tree: fb35deb6caa7197117c1a0637b0a29ae96c84241 /README
parent: 14d56a303c62e70a7639357c2551a446b1c17556 (diff)
propellor spin
Diffstat (limited to 'README')
-rw-r--r--  README  61
1 files changed, 29 insertions, 32 deletions
diff --git a/README b/README
index a568d0f5..eb490bb9 100644
--- a/README
+++ b/README
@@ -26,51 +26,48 @@ of which classes and share which configuration. It might be nice to use
reclass[1], but then again a host is configured using simply haskell code,
and so it's easy to factor out things like classes of hosts as desired.
-## security
-
-Propellor's security model is that the hosts it's used to deploy are
-untrusted, and that the central git repository server is untrusted.
-
-The only trusted machine is the laptop where you run propellor --spin
-to connect to a remote host.
-
-## bootstrapping and private data
+## quick start
-To bootstrap propellor on a new host, use: propellor --spin $host
+Clone propellor's git repository to your laptop (or whatever).
-That clones the git repository to the remote host.
-The repository on the remote host will have its origin set to the local git
-repository's remote.origin.url (or remote.deploy.url if available).
-This way, when propellor is run on the remote host, it can contact
-whatever central git repository you're using.
-Private data such as passwords, ssh private keys, etc should not be checked
-into a propellor git repository in the clear, unless you want to restrict
-access to the repository. Which would probably involve a separate fork
-for each host and be annoying.
-Instead, propellor --spin $host looks for a privdata/$host.gpg file and
-if found decrypts it and sends it to the host using ssh. To set a field
-in such a file, use: propellor --set $host $field
-The field name will be something like 'Password "root"'; see PrivData.hs
-for available fields.
+## security
+Propellor's security model is that the hosts it's used to deploy are
+untrusted, and that the central git repository server is untrusted.
+The only trusted machine is the laptop where you run propellor --spin
+to connect to a remote host. And that one only because you have a ssh key
+or login password to the host.
-## using git://... securely
+Since the hosts propellor deploys are not trusted by the central git
+repository, they have to use git:// or http:// to pull from the central
+git repository, rather than ssh://.
-It's often easiest for a remote host to use a git:// or http://
-url to its origin repository, rather than ssh://. So, to avoid a MITM
-attack, propellor checks that any commit it fetched from origin is gpg
-signed by a trusted gpg key, and refuses to deploy it otherwise.
+So, to avoid a MITM attack, propellor checks that any commit it fetched
+from origin is gpg signed by a trusted gpg key, and refuses to deploy it
+otherwise.
-This is only done when privdata/keyring.gpg exists. To set it up:
+That is only done when privdata/keyring.gpg exists. To set it up:
gpg --gen-key # only if you don't already have a gpg key
propellor --add-key $MYKEYID
-In order to be secure from the beginning propellor --spin is used
+In order to be secure from the beginning, when propellor --spin is used
to bootstrap propellor on a new host, it transfers the local git repositry
-to the host over ssh.
+to the remote host over ssh. After that, the remote host knows the
+gpg key, and will use it to verify git fetches.
+
+Since the propoellor git repository is public, you can't store
+in cleartext private data such as passwords, ssh private keys, etc.
+
+Instead, propellor --spin $host looks for a privdata/$host.gpg file and
+if found decrypts it and sends it to the remote host using ssh. This lets
+a remote host know its own private data, without seeing all the rest.
+
+To securely store private data, use: propellor --set $host $field
+The field name will be something like 'Password "root"'; see PrivData.hs
+for available fields.
[1] http://reclass.pantsfullofunix.net/
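Review bot: the rewritten quick start drops the bootstrap instructions without replacing them. The removed lines under "## bootstrapping and private data" said that `propellor --spin $host` clones the repository to the remote host and sets that clone's origin to the local remote.origin.url (or remote.deploy.url if available); after this change the README no longer says how a host learns which central repository to fetch from, and `propellor --spin $host` is only mentioned in passing in the security section. Suggest keeping a sentence to that effect after "Clone propellor's git repository to your laptop (or whatever)." Related: the new text says signature checking "is only done when privdata/keyring.gpg exists" and that the host learns the gpg key from the repository transferred by `--spin`, so the `propellor --add-key $MYKEYID` step has to happen before the first `--spin`; otherwise the host fetches over git:// or http:// with no verification. Stating that ordering explicitly would avoid an insecure first deployment. Minor: "propoellor" in the added line "Since the propoellor git repository is public" is a typo, and the context line "local git repositry" could be corrected in the same change.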