On 05/13/2017 08:29 AM, Kevin A. McGrail wrote:
On 5/12/2017 7:32 PM, Dave Jones wrote:
One thing we need to specify in more detail is the way we are going
to encrypt things in the sysadmins repo. We don't want to put the
encryption details on the wiki per se since it's public.
The only thing I envision in the repo encrypted is passwords.
How exactly do you want them to be stored? I am not familiar with doing
this.
For example, the PowerDNS API key is in the pdns.local.conf file.
I believe documenting the location of the API key in the Wiki is
sufficient.
The local firewall allows port 8081 inbound from any source and the
conf file is restricting which IPs the daemon will respond to. I
would like
to restrict the PowerDNS web server/API to specific source IPs
matching the conf file for dual layers of protection.
Good idea!
We still shouldn't document publicly the PowerDNS API key but where
should we document that? It will be in many scripts on servers that
need to update DNS records so that will be a form of documentation if
we reference the scripts on the wiki.
I don't think there are many servers that update the DNS records. If
there are, we can talk more but I believe it's just a local script on
that one box when we get it working.
Local scripts would be great then we could restrict the API to localhost
and remove port 8081 from the firewall for better security.
I was under the impression when you told me "there were things all over
the place that updated DNS" this could be from other servers too.
In my opinion, referencing scripts and config files on the wiki is
good enough for documenting sensitive information.
Agreed but there are some items like root level passwords to old boxes,
a shared signing key, etc. that can be at least temporarily stored in
svn encrypted.
For example, there is a box called incoming. I have the root password.
But I'd prefer to not use it and switch to sudo and add accounts for you
two.
This would be good to use something like a LastPass shared note. I use
LastPass extensively for personal and work (LastPass Enterprise).
Regards,
KAM