This commit is contained in:
Joey Hess 2014-04-19 16:34:29 -04:00
parent 0a20f7b787
commit 33d2d65c78
1 changed files with 3 additions and 41 deletions

View File

@ -1,7 +1,8 @@
This is a configuration management system using Haskell and Git.
Propellor enures that the system it's run against satisfies a list of
properties, taking action as necessary when a property is not yet met.
[Propellor](https://propellor.branchable.com/) enures that the system it's
run against satisfies a list of properties, taking action as necessary when
a property is not yet met.
Propellor is configured via a git repository, which typically lives
in ~/.propellor/. The git repository contains a config.hs file,
@ -53,45 +54,6 @@ easy to adapt to a system's special needs.
hosts.
10. Write some neat new properties and send patches to <propellor@joeyh.name>!
## security
Propellor's security model is that the hosts it's used to deploy are
untrusted, and that the central git repository server is untrusted too.
The only trusted machine is the laptop where you run `propellor --spin`
to connect to a remote host. And that one only because you have a ssh key
or login password to the host.
Since the hosts propellor deploys are not trusted by the central git
repository, they have to use git:// or http:// to pull from the central
git repository, rather than ssh://.
So, to avoid a MITM attack, propellor checks that any commit it fetches
from origin is gpg signed by a trusted gpg key, and refuses to deploy it
otherwise.
That is only done when privdata/keyring.gpg exists. To set it up:
gpg --gen-key # only if you don't already have a gpg key
propellor --add-key $MYKEYID
In order to be secure from the beginning, when `propellor --spin` is used
to bootstrap propellor on a new host, it transfers the local git repositry
to the remote host over ssh. After that, the remote host knows the
gpg key, and will use it to verify git fetches.
Since the propoellor git repository is public, you can't store
in cleartext private data such as passwords, ssh private keys, etc.
Instead, `propellor --spin $host` looks for a
`~/.propellor/privdata/$host.gpg` file and if found decrypts it and sends
it to the remote host using ssh. This lets a remote host know its own
private data, without seeing all the rest.
To securely store private data, use: `propellor --set $host $field`
The field name will be something like 'Password "root"'; see PrivData.hs
for available fields.
## debugging
Set `PROPELLOR_DEBUG=1` to make propellor print out all the commands it runs