This documents security policies and practices for this repository.
If you encounter a security-related issue in the repo, contact one of the administrators. You can find their names in the CODEOWNERS file.
Whenever a key is compromised, or a user is off-boarded, do the following:
- Remove their age public key from `components/secrets/config.toml`.
- If any, remove their Wireguard public key from `components/secrets/wireguard`.
- If any, remove their SSH public key from `components/secrets/ssh`.
- Re-encrypt all repository secrets without their key and rotate the symmetric keys. This can be done with `just sops::re-encrypt`.
- Re-deploy the components to which the user's key had access with `just deploy <component-name>`.
Important
Always ensure every secret has at least 2 people among its recipients, so that losing one key does not lose access to the secret.
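As an added example (not part of this repository's tooling), a small POSIX shell audit that checks the off-boarding steps above were completed before re-encrypting: the departing user's key material no longer appears under `components/secrets`, and at least two age recipients remain in `config.toml`. It assumes `config.toml` lists recipients as an array of age keys (hypothetical layout) and builds a constructed sample tree under `mktemp` so it runs offline.

```shell
#!/usr/bin/env sh
# Added example, not repository code. The TOML layout (a "recipients" array
# of age public keys) is an assumption; adjust recipient_count to the real
# layout of components/secrets/config.toml.
set -eu

# Constructed sample tree so the check runs offline (all keys are placeholders).
setup_sample() {
  dir=$(mktemp -d)
  mkdir -p "$dir/components/secrets/wireguard" "$dir/components/secrets/ssh"
  cat > "$dir/components/secrets/config.toml" <<'EOF'
recipients = [
  "age1PLACEHOLDER_ALICE",
  "age1PLACEHOLDER_BOB",
]
EOF
  echo "wg_PLACEHOLDER_ALICE" > "$dir/components/secrets/wireguard/alice.pub"
  echo "ssh-ed25519 AAAAPLACEHOLDER alice" > "$dir/components/secrets/ssh/alice.pub"
  echo "$dir"
}

# Number of age recipients still listed in config.toml (one per line assumed).
recipient_count() {
  grep -c '"age1' "$1/components/secrets/config.toml" || true
}

# Succeeds only if no file under components/secrets still mentions the pattern
# (a key fingerprint, comment or public key string of the departing user).
key_absent() {
  repo=$1; pattern=$2
  if grep -rl -- "$pattern" "$repo/components/secrets" >/dev/null; then
    return 1
  fi
  return 0
}

# Full pre-re-encryption check: keys gone and enough recipients left.
offboard_check() {
  repo=$1; pattern=$2
  key_absent "$repo" "$pattern" || { echo "key material still present"; return 1; }
  [ "$(recipient_count "$repo")" -ge 2 ] || { echo "fewer than 2 recipients"; return 1; }
  echo "ok: now run 'just sops::re-encrypt' and 'just deploy <component-name>'"
}
```

Run it against the real checkout as `offboard_check /path/to/repo '<user key string>'`; a non-zero exit means a step above was skipped.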
By default, VMs run a firewall that opens only the ports declared in the configuration; those are 22 (SSH) and 51820 (Wireguard).
If you need additional ports opened on a specific VM, you may request it (via message or issue), or, even better, directly open a pull request that updates the firewall configuration.
- One Wireguard key per user.
  - Better for audit.
  - No private key needed in the repo.
  - But more maintenance effort (keys must be changed in multiple places on on-/off-boarding).
- One SSH key per user.
  - Same trade-offs as Wireguard.
- Bastion host for Wireguard.
  - Minimizes redeploy effort when updating Wireguard keys.
  - Better for security: a single minimal machine is public-facing.
  - But no network segmentation (all machines share one network).