author Joey Hess 2014-04-19 16:34:29 -0400
committer Joey Hess 2014-04-19 16:34:29 -0400
commit 33d2d65c781c4e7a51a19dc1963ee41507d0af34
tree 3adf96698a4a6642a1da2516426e2c369bbf5a46 /doc
parent 0a20f7b7874dd03ba77e30e22db22a13de282e3c
Diffstat (limited to 'doc')
1 files changed, 3 insertions, 41 deletions
diff --git a/doc/README.mdwn b/doc/README.mdwn
index 0a32efc0..455741f6 100644
--- a/doc/README.mdwn
+++ b/doc/README.mdwn
@@ -1,7 +1,8 @@
This is a configuration management system using Haskell and Git.
-Propellor enures that the system it's run against satisfies a list of
-properties, taking action as necessary when a property is not yet met.
+[Propellor]( enures that the system it's
+run against satisfies a list of properties, taking action as necessary when
+a property is not yet met.
Propellor is configured via a git repository, which typically lives
in ~/.propellor/. The git repository contains a config.hs file,
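Review bot: the added line `[Propellor]( enures that the system it's` has a markdown link with no target and no closing parenthesis as it appears here, so the link will not render; supply the URL and close the parenthesis. While this sentence is being touched, "enures" should be "ensures", which the hunk carries over unchanged from the removed line.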
@@ -53,45 +54,6 @@ easy to adapt to a system's special needs.
10. Write some neat new properties and send patches to <>!
-## security
-Propellor's security model is that the hosts it's used to deploy are
-untrusted, and that the central git repository server is untrusted too.
-The only trusted machine is the laptop where you run `propellor --spin`
-to connect to a remote host. And that one only because you have a ssh key
-or login password to the host.
-Since the hosts propellor deploys are not trusted by the central git
-repository, they have to use git:// or http:// to pull from the central
-git repository, rather than ssh://.
-So, to avoid a MITM attack, propellor checks that any commit it fetches
-from origin is gpg signed by a trusted gpg key, and refuses to deploy it
-That is only done when privdata/keyring.gpg exists. To set it up:
- gpg --gen-key # only if you don't already have a gpg key
- propellor --add-key $MYKEYID
-In order to be secure from the beginning, when `propellor --spin` is used
-to bootstrap propellor on a new host, it transfers the local git repositry
-to the remote host over ssh. After that, the remote host knows the
-gpg key, and will use it to verify git fetches.
-Since the propoellor git repository is public, you can't store
-in cleartext private data such as passwords, ssh private keys, etc.
-Instead, `propellor --spin $host` looks for a
-`~/.propellor/privdata/$host.gpg` file and if found decrypts it and sends
-it to the remote host using ssh. This lets a remote host know its own
-private data, without seeing all the rest.
-To securely store private data, use: `propellor --set $host $field`
-The field name will be something like 'Password "root"'; see PrivData.hs
-for available fields.
## debugging
Set `PROPELLOR_DEBUG=1` to make propellor print out all the commands it runs
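Review bot: dropping the whole `## security` section leaves the README with no statement of the trust model, and nothing in this diff points to where that text now lives; I would keep at least a one-line pointer after the numbered steps. The detail most worth keeping visible is that commit signature verification is "only done when privdata/keyring.gpg exists", because a user who skips `propellor --add-key $MYKEYID` has hosts pulling over git:// or http:// with no gpg check. If the text is moving to another page, fix it on the way: the sentence ending "refuses to deploy it" is cut short, and "repositry" and "propoellor" are misspelled.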