On Sun, Feb 7, 2021 at 8:54 PM Daniel Wilkins <tekk@linuxmail.org> wrote:
>
> Chris Waldon wrote:
> > I just took a look through it, and I think it's looking great! I have
> > two requests in the short term:
> >
> > - Can we put a list of URLs to scrape for ssh keys into the config?
> > Then we could just grab and apply those keys to authorized keys on
> > deploy.
> Do we want to do this? My recollection was that we planned on just using
> our DO keys anyway. If not I can absolutely add a config file for it.
Our testing indicates that DO doesn't have sufficiently flexible or
dynamic SSH key provisioning, so I do think we need to take over this
ourselves. Or, at least, that's my recollection. Please correct me if
I'm making this up. I think DO only let us provision keys at instance
startup, and I'm not even sure if we could provision more than one
key.
> > - Can we go ahead and allow inbound TCP traffic on ports 7117 and 7777?
> > I'd also like to enable the relays to talk to one another (via
> > sprout), but I'm not exactly sure what that firewall rule looks like.
> > Something like `ufw allow out 7117`?
> Will be done.
+1
> > Anyway, this is great progress! Do you already have instances to test
> > against? I assume that you must, given that you were complaining about
> > DO the other day. You can definitely create a test instance in our
> > arbor DO team to test this out with.
> For testing I created a base Ubuntu 20.04 VM via virt-manager after
> verifying the SSH key behaviour on a DO droplet that lived for a couple
> minutes.
> That seems to be the easiest and fastest turnaround time (clone base,
> launch, run scripts.)
Indeed, this seems pretty smart.
> > For everyone else, I should mention this:
> > https://git.sr.ht/~whereswaldon/arbor-infra/tree/main/item/droplet/systemd/arbor-relay.service
> >
> > This is a config repo I created a long ways back to partially manage
> > the config for our current (messy) infra. This repo (and in particular
> > the service file linked) may prove useful.
> Should I look into moving the files/ directory over here? That seems
> like it'd be a sensible place.
Ultimately, we should consolidate everything into one repo. Right now,
that repo can be your new one without all of my old one's baggage. But
we can definitely steal from the old repo if the assets there are of
any use.
Cheers,
Chris
P.S. Danny, you accidentally replied off-list. Remember to Reply-All
to include the mailing list itself in the CC.
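What the "scrape a list of key URLs and apply them to authorized_keys on deploy" step from Chris's first request could look like, as an added example that is not code from arbor-infra or from anyone in this thread. Everything in it is assumed for the illustration: the file names, the is_pubkey_line filter, and local files standing in for the URLs the config would list (a real deploy would fetch each source with something like curl -fsSL). The keys are made-up strings in the right shape, not anyone's real keys.

```shell
#!/bin/sh
# Added example, not arbor-infra code: build authorized_keys from a configured list of
# key sources at deploy time. Sources are local files here (constructed for the demo);
# in a real deploy the loop would fetch each URL instead of reading a file.
set -eu

# Keep only lines shaped like an OpenSSH public key: type, base64 blob, optional comment.
# Anything else (HTML from a failed fetch, a stray shell command, a comment line) is dropped.
is_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:cntrl:]]*)?$'
}

# merge_authorized_keys OUTFILE SOURCE...
# Reads every source, drops blank/comment/malformed lines, deduplicates on (type, blob)
# so the same key with two different comments is listed once, and replaces OUTFILE
# atomically with mode 600 (sshd StrictModes rejects group/world-writable files).
# Fails closed: if no valid key survives, OUTFILE is left untouched so a broken fetch
# cannot lock everyone out of the box.
merge_authorized_keys() {
    _out=$1; shift
    _tmp=$(mktemp "${_out}.XXXXXX")
    for _src in "$@"; do
        # Real deploy: curl -fsSL "$_src" || { echo "warn: fetch $_src failed" >&2; continue; }
        [ -r "$_src" ] || { echo "warn: cannot read $_src" >&2; continue; }
        while IFS= read -r _line || [ -n "$_line" ]; do
            if is_pubkey_line "$_line"; then
                printf '%s\n' "$_line"
            fi
        done < "$_src"
    done | awk '!seen[$1 " " $2]++' > "$_tmp"
    if [ ! -s "$_tmp" ]; then
        rm -f "$_tmp"
        echo "error: no valid keys found, leaving $_out unchanged" >&2
        return 1
    fi
    chmod 600 "$_tmp"
    mv "$_tmp" "$_out"
}

# Constructed sample sources standing in for the configured URLs (made-up key material).
demo_dir=$(mktemp -d)
cat > "$demo_dir/chris.keys" <<'EOF'
# keys for chris (comment line, must be ignored)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEchrisKEY000000000000000000000000000 chris@laptop
EOF
cat > "$demo_dir/danny.keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEdannyKEY000000000000000000000000000 danny@desk
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEchrisKEY000000000000000000000000000 chris@other-machine
<html>not a key: a 404 page scraped by mistake</html>
EOF

# Usage: the result has two lines (chris once, danny once); the HTML and comment lines are gone.
merge_authorized_keys "$demo_dir/authorized_keys" "$demo_dir/chris.keys" "$demo_dir/danny.keys"
cat "$demo_dir/authorized_keys"
```

Run it as the deploy user that owns ~/.ssh (sshd also checks ownership of the file and directory). On the firewall question in the same mail: ufw's default outgoing policy is allow, so `ufw allow out 7117` would normally change nothing; the inbound rules are `ufw allow 7117/tcp` and `ufw allow 7777/tcp`, and if relay-to-relay traffic should only come from known peers, `ufw allow from <peer-ip> to any port 7117 proto tcp` per peer is tighter than opening the port to everyone.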
On Mon, Feb 08, 2021 at 05:28:58PM -0500, Chris Waldon wrote:
> On Sun, Feb 7, 2021 at 8:54 PM Daniel Wilkins <tekk@linuxmail.org> wrote:
> >
> > Chris Waldon wrote:
> > > I just took a look through it, and I think it's looking great! I have
> > > two requests in the short term:
> > >
> > > - Can we put a list of URLs to scrape for ssh keys into the config?
> > > Then we could just grab and apply those keys to authorized keys on
> > > deploy.
> > Do we want to do this? My recollection was that we planned on just using
> > our DO keys anyway. If not I can absolutely add a config file for it.
>
> Our testing indicates that DO doesn't have sufficiently flexible or
> dynamic SSH key provisioning, so I do think we need to take over this
> ourselves. Or, at least, that's my recollection. Please correct me if
> I'm making this up. I think DO only let us provision keys at instance
> startup, and I'm not even sure if we could provision more than one
> key.
From my experience, DO allows you to select multiple SSH keys only at
the time of droplet creation. I just checked and the droplet creation
screen lists two SSH keys (mine and Chris'). After this point however,
keys will have to be managed "by hand", or by another solution.
Best,
Thom