colin
b658b93c64
this approach lets me persist the password. persisting /etc/shadow directly wasn't so feasible. populating /etc/shadow at activation time is something nix already does and is easy to plug into. so we store the password hash in this repo, but encrypt it (via sops) to the destination machine's ssh pubkey, so the public git repo only ever exposes ciphertext: without one of the listed private keys there is no hash to brute-force. (encryption does not add entropy to the hash itself — once decrypted it is exactly as strong as the hashing scheme that produced it, and anyone who obtains one of the private keys gets the hash as-is.)
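# sops configuration for this repo.
#
# Two kinds of age recipients are listed: per-user keys (one per machine
# colin operates from) and per-host keys (presumably the key each machine
# decrypts with when nix populates /etc/shadow at activation time — see the
# commit message). Every recipient in a rule's single `age` group can decrypt
# every file that rule matches.
#
# Caveats a maintainer should keep in mind:
#   * sops uses the FIRST creation rule whose path_regex matches, and the
#     regex is an unanchored Go regexp (substring match). Keep the narrowest
#     rules first and write patterns that cannot accidentally capture a file
#     meant for a narrower rule — a loose early rule silently widens the set
#     of keys that can decrypt that file.
#   * Ciphertexts live in git history. Removing a recipient here does not
#     re-encrypt past commits, so dropping a lost or compromised key must be
#     paired with rotating the secrets (e.g. the password hashes) it could
#     decrypt, and re-encrypting with `sops updatekeys`.
keys:
  - &user_desko_colin age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
  - &user_lappy_colin age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g
  - &user_servo_colin age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu
  - &user_moby_colin age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9
  - &host_desko age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v
  - &host_lappy age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn
  - &host_servo age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf
  - &host_moby age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt

creation_rules:
  # Secrets shipped to every host: any user key or any host key decrypts.
  # `universal.*`, not `universal*`: in a regex `*` repeats only the preceding
  # character, so `universal*` actually matched `secrets/universa…`. If this
  # is a single file rather than a directory, tighten it further to
  # `secrets/universal\.yaml$` like the desko/lappy rules below.
  - path_regex: secrets/universal.*
    key_groups:
      - age:
          - *user_desko_colin
          - *user_lappy_colin
          - *user_servo_colin
          - *user_moby_colin
          - *host_desko
          - *host_lappy
          - *host_servo
          - *host_moby
  # servo-only secrets. The old `servo*` matched `secrets/serv…`, which would
  # have placed e.g. a future secrets/server.yaml under these recipients.
  - path_regex: secrets/servo.*
    key_groups:
      - age:
          - *user_desko_colin
          - *user_servo_colin
          - *host_servo
  # desko-only secrets; lappy's user key is included so they can be edited
  # from either workstation. `\.` so the dot matches a literal dot only.
  - path_regex: secrets/desko\.yaml$
    key_groups:
      - age:
          - *user_desko_colin
          - *user_lappy_colin
          - *host_desko
  # lappy-only secrets; mirror image of the desko rule.
  - path_regex: secrets/lappy\.yaml$
    key_groups:
      - age:
          - *user_lappy_colin
          - *user_desko_colin
          - *host_lappy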