On 5/12/2017 7:32 PM, Dave Jones wrote:
One thing we need to specify in more detail is the way we are going
to encrypt things in the sysadmins repo. We don't want to put the
encryption details on the wiki per se since it's public.
The only thing I envision in the repo encrypted is passwords.
For example, the PowerDNS API key is in the pdns.local.conf file.
I believe documenting the location of the API key in the Wiki is sufficient.
The local firewall allows port 8081 inbound from any source and the
conf file is restricting which IPs the daemon will respond to. I would like
to restrict the PowerDNS web server/API to specific source IPs
matching the conf file for dual layers of protection.
Good idea!
We still shouldn't document publicly the PowerDNS API key but where
should we document that? It will be in many scripts on servers that
need to update DNS records so that will be a form of documentation if
we reference the scripts on the wiki.
I don't think there are many servers that update the DNS records. If
there are, we can talk more but I believe it's just a local script on
that one box when we get it working.
In my opinion, referencing scripts and config files on the wiki is
good enough for documenting sensitive information.
Agreed but there are some items like root level passwords to old boxes,
a shared signing key, etc. that can be at least temporarily stored in
svn encrypted.
For example, there is a box called incoming. I have the root password.
But I'd prefer to not use it and switch to sudo and add accounts for you
two.
Regards,
KAM
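
The dual-layer restriction discussed in this thread, as an added example that is not part of the original messages or the project's own configuration: it reads `webserver-allow-from` from a PowerDNS config and checks a firewall source list for port 8081 against it. The sample config, the addresses (documentation ranges), the function names and the use of iptables are assumptions; the thread does not name the firewall tool.

```python
import ipaddress

# Constructed sample standing in for pdns.local.conf; the API key is a placeholder.
SAMPLE_CONF = """\
# local overrides (constructed sample)
webserver=yes
webserver-port=8081
webserver-allow-from=127.0.0.1, 192.0.2.10/32,198.51.100.0/24
api=yes
api-key=PLACEHOLDER
"""

def parse_conf(text):
    """Parse PowerDNS key=value settings, skipping comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def allowed_networks(settings):
    """Networks the daemon itself will answer, from webserver-allow-from."""
    raw = settings.get("webserver-allow-from", "")
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in raw.split(",") if p.strip()]

def firewall_rules(settings):
    """Render IPv4 iptables commands (assumed tool): accept listed sources, drop the rest."""
    port = settings.get("webserver-port", "8081")
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT"
             for net in allowed_networks(settings) if net.version == 4]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules

def covered(net, nets):
    """True if net lies entirely inside one of nets (same IP version)."""
    return any(net.version == n.version and net.subnet_of(n) for n in nets)

def drift(settings, firewall_sources):
    """Return (firewall sources the daemon would refuse, daemon sources the firewall blocks)."""
    conf = allowed_networks(settings)
    fw = [ipaddress.ip_network(s, strict=False) for s in firewall_sources]
    too_open = [str(n) for n in fw if not covered(n, conf)]
    blocked = [str(n) for n in conf if not covered(n, fw)]
    return too_open, blocked
```

Calling `drift(parse_conf(SAMPLE_CONF), ["0.0.0.0/0"])` models the "any source" firewall rule described in the thread and reports it as wider than the daemon's own list.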