diff --git a/README b/README index a568d0f..eb490bb 100644 --- a/README +++ b/README @@ -26,51 +26,48 @@ of which classes and share which configuration. It might be nice to use reclass[1], but then again a host is configured using simply haskell code, and so it's easy to factor out things like classes of hosts as desired. +## quick start + +Clone propellor's git repository to your laptop (or whatever). + + + ## security Propellor's security model is that the hosts it's used to deploy are untrusted, and that the central git repository server is untrusted. The only trusted machine is the laptop where you run propellor --spin -to connect to a remote host. +to connect to a remote host. And that one only because you have a ssh key +or login password to the host. -## bootstrapping and private data +Since the hosts propellor deploys are not trusted by the central git +repository, they have to use git:// or http:// to pull from the central +git repository, rather than ssh://. -To bootstrap propellor on a new host, use: propellor --spin $host +So, to avoid a MITM attack, propellor checks that any commit it fetched +from origin is gpg signed by a trusted gpg key, and refuses to deploy it +otherwise. -That clones the git repository to the remote host. -The repository on the remote host will have its origin set to the local git -repository's remote.origin.url (or remote.deploy.url if available). -This way, when propellor is run on the remote host, it can contact -whatever central git repository you're using. - -Private data such as passwords, ssh private keys, etc should not be checked -into a propellor git repository in the clear, unless you want to restrict -access to the repository. Which would probably involve a separate fork -for each host and be annoying. - -Instead, propellor --spin $host looks for a privdata/$host.gpg file and -if found decrypts it and sends it to the host using ssh. To set a field -in such a file, use: propellor --set $host $field -The field name will be something like 'Password "root"'; see PrivData.hs -for available fields. - - - -## using git://... securely - -It's often easiest for a remote host to use a git:// or http:// -url to its origin repository, rather than ssh://. So, to avoid a MITM -attack, propellor checks that any commit it fetched from origin is gpg -signed by a trusted gpg key, and refuses to deploy it otherwise. - -This is only done when privdata/keyring.gpg exists. To set it up: +That is only done when privdata/keyring.gpg exists. To set it up: gpg --gen-key # only if you don't already have a gpg key propellor --add-key $MYKEYID -In order to be secure from the beginning propellor --spin is used +In order to be secure from the beginning, when propellor --spin is used to bootstrap propellor on a new host, it transfers the local git repositry -to the host over ssh. +to the remote host over ssh. After that, the remote host knows the +gpg key, and will use it to verify git fetches. + +Since the propoellor git repository is public, you can't store +in cleartext private data such as passwords, ssh private keys, etc. + +Instead, propellor --spin $host looks for a privdata/$host.gpg file and +if found decrypts it and sends it to the remote host using ssh. This lets +a remote host know its own private data, without seeing all the rest. + +To securely store private data, use: propellor --set $host $field +The field name will be something like 'Password "root"'; see PrivData.hs +for available fields. [1] http://reclass.pantsfullofunix.net/