diff --git a/doc/README.mdwn b/doc/README.mdwn index 0a32efc..455741f 100644 --- a/doc/README.mdwn +++ b/doc/README.mdwn @@ -1,7 +1,8 @@ This is a configuration management system using Haskell and Git. -Propellor enures that the system it's run against satisfies a list of -properties, taking action as necessary when a property is not yet met. +[Propellor](https://propellor.branchable.com/) enures that the system it's +run against satisfies a list of properties, taking action as necessary when +a property is not yet met. Propellor is configured via a git repository, which typically lives in ~/.propellor/. The git repository contains a config.hs file, 
@@ -53,45 +54,6 @@ easy to adapt to a system's special needs. hosts. 10. Write some neat new properties and send patches to ! -## security - -Propellor's security model is that the hosts it's used to deploy are -untrusted, and that the central git repository server is untrusted too. - -The only trusted machine is the laptop where you run `propellor --spin` -to connect to a remote host. And that one only because you have a ssh key -or login password to the host. - -Since the hosts propellor deploys are not trusted by the central git -repository, they have to use git:// or http:// to pull from the central -git repository, rather than ssh://. - -So, to avoid a MITM attack, propellor checks that any commit it fetches -from origin is gpg signed by a trusted gpg key, and refuses to deploy it -otherwise. - -That is only done when privdata/keyring.gpg exists. To set it up: - - gpg --gen-key # only if you don't already have a gpg key - propellor --add-key $MYKEYID - -In order to be secure from the beginning, when `propellor --spin` is used -to bootstrap propellor on a new host, it transfers the local git repositry -to the remote host over ssh. After that, the remote host knows the -gpg key, and will use it to verify git fetches. - -Since the propoellor git repository is public, you can't store -in cleartext private data such as passwords, ssh private keys, etc. - -Instead, `propellor --spin $host` looks for a -`~/.propellor/privdata/$host.gpg` file and if found decrypts it and sends -it to the remote host using ssh. This lets a remote host know its own -private data, without seeing all the rest. - -To securely store private data, use: `propellor --set $host $field` -The field name will be something like 'Password "root"'; see PrivData.hs -for available fields. - ## debugging Set `PROPELLOR_DEBUG=1` to make propellor print out all the commands it runs
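Review bot: the typo "enures" survives the rewrite in the first hunk (`+[Propellor](https://propellor.branchable.com/) enures that the system it's`); since the line is being touched anyway, change it to "ensures".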
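Review bot: the second hunk deletes the entire "security" section (threat model, signed-commit verification via privdata/keyring.gpg, the `propellor --add-key` setup, and the privdata handling with `propellor --set`) without leaving any pointer to where that material now lives, so a reader of doc/README.mdwn loses the only statement that commits fetched from origin must be gpg signed and that privdata is decrypted locally and sent over ssh. If the content has moved to the website, keep a one-line stub in place of the removed section, e.g. `## security` followed by `See <https://propellor.branchable.com/security/>` or whatever the actual destination page is, so the trust model remains discoverable from the repository itself.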