Diffstat (limited to 'README')
-rw-r--r--  README  19
1 files changed, 13 insertions, 6 deletions
diff --git a/README b/README
index 554f153b..cc027894 100644
--- a/README
+++ b/README
@@ -23,6 +23,8 @@ of which classes and share which configuration. It might be nice to use
reclass[1], but then again a host is configured using simply haskell code,
and so it's easy to factor out things like classes of hosts as desired.
+## bootstrapping and private data
+
To bootstrap propellor on a new host, use: propellor --spin $host
This looks up the git repository's remote.origin.url (or remote.deploy.url
if available) and logs into the host, clones the url (if not already
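Review bot: the `--spin` paragraph that now opens the new "bootstrapping and private data" section leaves the precedence of the two remotes ambiguous: "remote.origin.url (or remote.deploy.url if available)" can be read either way. Since this heading is what a reader will jump to, state the order explicitly, e.g. "remote.deploy.url if it is set, otherwise remote.origin.url". It would also help to say in this section that when that URL is git:// or http://, the signed-commit check described under "using git://... securely" is the only thing protecting the bootstrap, and that it runs only when privdata/keyring.gpg exists, so the reader sets the keyring up before the first spin rather than after.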
@@ -39,12 +41,17 @@ in such a file, use: propellor --set $host $field
The field name will be something like 'Password "root"'; see PrivData.hs
for available fields.
-It's often easiest to deploy propellor to a host by cloning a git://
-or http:// repository. To avoid a MITM attack, propellor checks
-that the top commit in the git repository is gpg signed by a
-trusted key, and refuses to deploy it otherwise. This is only done if
-privdata/keyring.gpg exists. To generate it, make a gpg key and
-run something like:
+## using git://... securely
+
+It's often easiest to deploy propellor to a host by cloning a git:// or
+http:// repository rather than by cloning over ssh://. To avoid a MITM
+attack, propellor checks that the top commit in the git repository is gpg
+signed by a trusted gpg key, and refuses to deploy it otherwise.
+
+This is only done when privdata/keyring.gpg exists. To set it up:
+
+gpg --gen-key # only if you don't already have a gpg key
+propellor --add-key $MYKEYID
The keyring.gpg can be checked into git, but to ensure that it's
used from the beginning when bootstrapping, propellor --spin
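Review bot: "This is only done when privdata/keyring.gpg exists" documents a fail-open default without flagging it as one: a host deployed from a git:// or http:// URL with no keyring.gpg gets no signature check at all, which is exactly the MITM case the section title says it addresses. Suggest saying so plainly right after that sentence, e.g. "Without privdata/keyring.gpg no verification is performed; do not deploy over git:// or http:// until you have run propellor --add-key." Two smaller points: "propellor --add-key $MYKEYID" never says where $MYKEYID comes from (a pointer to gpg --list-keys, or a note that the long key id or fingerprint is meant, would help), and "checks that the top commit in the git repository is gpg signed by a trusted gpg key" should state what that guarantees and what it does not: as described, the check establishes that the tip was signed by a trusted key, not that it is the newest signed commit, so readers relying on it against an active MITM should know an older signed tip would still pass.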