From 87f85dd314ca1dbe95f8db7e346cad600e5bb1fb Mon Sep 17 00:00:00 2001 From: Brendan Golden Date: Sat, 11 Jan 2025 01:54:20 +0000 Subject: [PATCH] doc: added page on how to add/remove admins --- src/procedures/skynet/admin_add.md | 0 src/procedures/skynet/admin_modify.md | 78 +++++++++++++++++++++++ src/procedures/skynet/admin_remove.md | 0 src/procedures/skynet/committee_modify.md | 4 +- 4 files changed, 80 insertions(+), 2 deletions(-) delete mode 100644 src/procedures/skynet/admin_add.md create mode 100644 src/procedures/skynet/admin_modify.md delete mode 100644 src/procedures/skynet/admin_remove.md diff --git a/src/procedures/skynet/admin_add.md b/src/procedures/skynet/admin_add.md deleted file mode 100644 index e69de29..0000000 diff --git a/src/procedures/skynet/admin_modify.md b/src/procedures/skynet/admin_modify.md new file mode 100644 index 0000000..f7927b5 --- /dev/null +++ b/src/procedures/skynet/admin_modify.md 
@@ -0,0 +1,78 @@ +# Change Admins +A Skynet Admin is a user with teh highest level of access to the cluster, having been trained up over a year. +This guide will cover adding and removing an Admin. + +The normal Committee Member process applies to them as well, so check [here](./committee_modify.md#adding) for teh specific details. + +A user cannot add or remove themselves from being an admin, an existing admin must do so (one who will still be admin after the procedure). + +## Add +Steps to add a new Admin + +### NixOS +There are several steps related to the NixOS repo on Forgejo. + +#### Username Added +Like a normal committee member the users username must be added to the [``config/users.nix``][users.nix], specifically the admin section. +This gives teh user teh correct Skynet roles on our services. +This also enables them to use their personal account to login to all the servers. + +#### SSH Key +##### Root Account +There is a ``root`` account that admins can use. +To be able to login as root you have to add you key to the keys for ``root`` + +You can add it in the [``machines/_base.nix``][base.nix]. + +##### Secrets Management +We store our secrets encrypted in the repo using a tool called ``agenix``, a nix implementation of [age][age]. +In order to create/edit any secret your key has to be added to [``secrets/secrets.nix``][secrets.nix]. + +Add the key mimicking the format for the other admins. +Then add it to the users list/array. +Finally re-key the secrets + + +###### Re-key Secrets +In order to re-key the secrets your key must have been previously added (this just not work if you have just added your key, an existing admin must do this). + + +```shell +# enter the devshell +nix develop + +# Move into teh secrets folder +cd secrets + +# Re-key the secrets +agenix -R +``` + +Then commit the changes. + +### VPN +The VPN is what allows admins to get access to the internal parts of teh cluster when not on campus. +It is provided by ITD. + +1. 
Add an entry to the bottom of [``ITD/VPN_Admins.csv``][VPN_Admins.csv] +2. Add an entry to [``ITD/VPN_Admins_changes.csv``][VPN_Admins_changes.csv] with ``Pending`` for teh Action. +3. Open up a TopDesk request with ITD to add the new Admin (TODO: TopDesk procedure) +4. Add the ticket reference to [``ITD/VPN_Admins_changes.csv``][VPN_Admins_changes.csv] +5. When complete mark the entry ``Added`` on [``ITD/VPN_Admins_changes.csv``][VPN_Admins_changes.csv]. + +## Remove +For teh most part the removal/retirement of an admin is just the opposite of the adding. +The main difference is contacting ITD to remove them from the VPN. + +### VPN +1. Open up a TopDesk request with ITD to remove the old Admin. +2. Add the ticket reference to [``ITD/VPN_Admins_changes.csv``][VPN_Admins_changes.csv] +3. When complete mark the entry ``Removed`` on [``ITD/VPN_Admins_changes.csv``][VPN_Admins_changes.csv]. + + +[users.nix]: https://forgejo.skynet.ie/Skynet/nixos/src/commit/b46eca16b0b207d14e173d4e40286160749c5c07/config/users.nix#L76 +[base.nix]: https://forgejo.skynet.ie/Skynet/nixos/src/commit/b46eca16b0b207d14e173d4e40286160749c5c07/machines/_base.nix#L75 +[secrets.nix]: https://forgejo.skynet.ie/Skynet/nixos/src/commit/b46eca16b0b207d14e173d4e40286160749c5c07/secrets/secrets.nix#L3-L18 +[VPN_Admins.csv]: https://forgejo.skynet.ie/Skynet/nixos/src/commit/b46eca16b0b207d14e173d4e40286160749c5c07/ITD/VPN_Admins.csv +[VPN_Admins_changes.csv]: https://forgejo.skynet.ie/Skynet/nixos/src/commit/b46eca16b0b207d14e173d4e40286160749c5c07/ITD/VPN_Admins_changes.csv +[age]: https://github.com/FiloSottile/age diff --git a/src/procedures/skynet/admin_remove.md b/src/procedures/skynet/admin_remove.md deleted file mode 100644 index e69de29..0000000 diff --git a/src/procedures/skynet/committee_modify.md b/src/procedures/skynet/committee_modify.md index 8983cac..a903127 100644 --- a/src/procedures/skynet/committee_modify.md +++ b/src/procedures/skynet/committee_modify.md 
@@ -6,7 +6,7 @@ Before starting the committee member in question *must* have a Skynet Account. This is because we have several services that require authentication to access. Details on how to create one can be found [here][skynet_account_creation]. -Once they have an account add their username to [``users.nix``][users.nix]. +Once they have an account add their username to [``config/users.nix``][users.nix]. Then commit and push. Once everything is deployed they should have access to all resources within 15 min. @@ -17,7 +17,7 @@ Next checkout the page on [VaultWarden](./vaultwarden.md) to add the user to the ## Removing Removing is essentially the same as adding. -Remove their username to [``users.nix``][users.nix]. +Remove their username to [``config/users.nix``][users.nix]. Then commit and push. ## Force Update
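Review bot: in the new `admin_modify.md`, the "Remove" section says removal is "just the opposite of the adding" but the only concrete steps it lists are the VPN ones; the security-relevant reversals from the "Add" section should be spelled out rather than left implied: remove the departing admin's key from the `root` keys in `machines/_base.nix`, remove it from `secrets/secrets.nix` (both the key entry and the users list), and have a remaining admin run `agenix -R` and commit, mirroring the page's own rule that the person being changed cannot do the re-key. It is also worth a sentence that re-keying only protects secrets going forward: ciphertext already committed to the repo remains decryptable by the removed key, so secret values that matter should be rotated after removal. Separately, the hunk has several typos that should be fixed before merge ("teh" appears in the intro, the committee link sentence, "teh user teh correct Skynet roles", the shell comment "Move into teh secrets folder", the VPN intro and the Remove intro; "add you key" should be "add your key"; "this just not work" should be "this will not work"), and step 3 of the VPN list still carries "(TODO: TopDesk procedure)", so the ITD request step is undocumented.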
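Review bot: in the second `committee_modify.md` hunk, the touched line "Remove their username to [``config/users.nix``][users.nix]." keeps the pre-existing wording error; since the line is being rewritten anyway, change "to" to "from" so the Removing step reads "Remove their username from [``config/users.nix``][users.nix]." The path correction itself in both hunks (`users.nix` to `config/users.nix`) matches the path the new `admin_modify.md` uses, so the two pages are consistent.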