| author | Joey Hess <joey@kitenet.net> | 2014-11-18 21:18:26 -0400 |
|---|---|---|
| committer | Joey Hess <joey@kitenet.net> | 2014-11-18 21:18:26 -0400 |
| commit | aa3f31940b544e528a5eb3d2e9825a703a8b5013 (patch) | |
| tree | 0a14bfdf3be969f6029fb54f0c95e2e06ae7d40d /doc | |
| parent | a19f01a508747fb1f04849616422d1530e8ec2da (diff) | |
| parent | b964b4836321832ad8d3be7268fd3af9ed8f5ea8 (diff) | |
Merge branch 'joeyconfig'
Diffstat (limited to 'doc')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | doc/centralized_git_repository.mdwn | 8 |
| -rw-r--r-- | doc/security.mdwn | 16 |
2 files changed, 15 insertions, 9 deletions
diff --git a/doc/centralized_git_repository.mdwn b/doc/centralized_git_repository.mdwn index f47aa92e..46cf89e2 100644 --- a/doc/centralized_git_repository.mdwn +++ b/doc/centralized_git_repository.mdwn @@ -4,7 +4,13 @@ directly to the host. This makes it easy to get started with propellor. A central git repository allows hosts to run propellor from cron and pick up any updates you may have pushed. This is useful when managing several -hosts with propellor. +hosts with propellor. + +The central repository does not need to be trusted; it can be hosted +anywhere, and propellor will only accept verified gpg signed git commits +from it. See [[security]] for details, but this means you can put it +on github without github being able to 0wn your propellor driven hosts, for +example. You can add a central git repository to your existing propellor setup easily: diff --git a/doc/security.mdwn b/doc/security.mdwn index 7edf25d1..831b2b41 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -6,13 +6,13 @@ The only trusted machine is the laptop where you run `propellor --spin` to connect to a remote host. And that one only because you have a ssh key or login password to the host. -Since the hosts propellor deploys are not trusted by the central git -repository, they have to use git:// or http:// to pull from the central -git repository, rather than ssh://. +Since the hosts propellor deploys do not trust the central git repository, +and it doesn't trust them, it's normal to use git:// or http:// to pull +from the central git repository, rather than ssh://. -So, to avoid a MITM attack, propellor checks that any commit it fetches -from origin is gpg signed by a trusted gpg key, and refuses to deploy it -otherwise. +Since propellor doesn't trust the central git repository, it checks +that any commit it fetches from it is gpg signed by a trusted gpg key, +and refuses to deploy it otherwise. That is only done when privdata/keyring.gpg exists. To set it up: 
@@ -21,8 +21,8 @@ That is only done when privdata/keyring.gpg exists. To set it up: In order to be secure from the beginning, when `propellor --spin` is used to bootstrap propellor on a new host, it transfers the local git repositry -to the remote host over ssh. After that, the remote host knows the -gpg key, and will use it to verify git fetches. +to the remote host over ssh. After that, the host knows the gpg key, and +will use it to verify git fetches. Since the propoellor git repository is public, you can't store in cleartext private data such as passwords, ssh private keys, etc. |
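Review bot: the paragraph added to doc/centralized_git_repository.mdwn states without qualification that "propellor will only accept verified gpg signed git commits" from the central repository, but the unchanged context in doc/security.mdwn in this same patch says "That is only done when privdata/keyring.gpg exists." A reader who sets up a central repository from this page alone could assume verification is on by default and put the repository on github with no keyring configured. Suggest qualifying the sentence, e.g. "propellor will only accept gpg signed git commits from it once signature verification is set up (see [[security]])", so the github example does not promise a protection that depends on a step described elsewhere. Minor style point: "0wn" in project documentation could be spelled out as "compromise".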
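Review bot: the rewrite of the second and third paragraphs of doc/security.mdwn drops the only statement of the threat the signature check addresses. The removed line "So, to avoid a MITM attack, propellor checks that any commit it fetches" explained why git:// and http:// are acceptable although they give no transport authentication; the new text says only that propellor "doesn't trust the central git repository", which covers a malicious or compromised host but no longer tells the reader that an on-path attacker on the unauthenticated fetch is handled by the same check. Suggest keeping one clause, e.g. "... rather than ssh://; this is safe because commits are verified by their signature, not by the transport." Also, both new paragraphs now open with "Since ... the central git repository", which reads as repetition; the two could be joined into one.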
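Review bot: the context lines of the last hunk in doc/security.mdwn carry two typos this change could fix while it is already touching the paragraph: "the local git repositry" and "Since the propoellor git repository is public" should read "repository" and "propellor". The wording change itself ("the host knows the gpg key, and will use it to verify git fetches") is fine, though "knows the gpg key" can be read as the private signing key; since the host only uses it to verify, "has the trusted public key" would be more precise.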
