doc: added page on how to add/remove admins
This commit is contained in:
parent
424a7b0c2f
commit
87f85dd314
GPG key ID:
36F93D61BAD3FD7D
4 changed files with 80 additions and 2 deletions
78
src/procedures/skynet/admin_modify.md
Normal file
78
src/procedures/skynet/admin_modify.md
Normal file
|
|
@ -0,0 +1,78 @@
|
|||
# Change Admins
|
||||
A Skynet Admin is a user with teh highest level of access to the cluster, having been trained up over a year.
|
||||
This guide will cover adding and removing an Admin.
|
||||
|
||||
The normal Committee Member process applies to them as well, so check [here](./committee_modify.md#adding) for teh specific details.
|
||||
|
||||
A user cannot add or remove themselves from being an admin, an existing admin must do so (one who will still be admin after the procedure).
|
||||
|
||||
## Add
|
||||
Steps to add a new Admin
|
||||
|
||||
### NixOS
|
||||
There are several steps related to the NixOS repo on Forgejo.
|
||||
|
||||
#### Username Added
|
||||
Like a normal committee member the users username must be added to the [``config/users.nix``][users.nix], specifically the admin section.
|
||||
This gives teh user teh correct Skynet roles on our services.
|
||||
This also enables them to use their personal account to login to all the servers.
|
||||
|
||||
#### SSH Key
|
||||
##### Root Account
|
||||
There is a ``root`` account that admins can use.
|
||||
To be able to login as root you have to add you key to the keys for ``root``
|
||||
|
||||
You can add it in the [``machines/_base.nix``][base.nix].
|
||||
|
||||
##### Secrets Management
|
||||
We store our secrets encrypted in the repo using a tool called ``agenix``, a nix implementation of [age][age].
|
||||
In order to create/edit any secret your key has to be added to [``secrets/secrets.nix``][secrets.nix].
|
||||
|
||||
Add the key mimicking the format for the other admins.
|
||||
Then add it to the users list/array.
|
||||
Finally re-key the secrets
|
||||
|
||||
|
||||
###### Re-key Secrets
|
||||
In order to re-key the secrets your key must have been previously added (this just not work if you have just added your key, an existing admin must do this).
|
||||
|
||||
|
||||
```shell
|
||||
# enter the devshell
|
||||
nix develop
|
||||
|
||||
# Move into teh secrets folder
|
||||
cd secrets
|
||||
|
||||
# Re-key the secrets
|
||||
agenix -R
|
||||
```
|
||||
|
||||
Then commit the changes.
|
||||
|
||||
### VPN
|
||||
The VPN is what allows admins to get access to the internal parts of teh cluster when not on campus.
|
||||
It is provided by ITD.
|
||||
|
||||
1. Add an entry to the bottom of [``ITD/VPN_Admins.csv``][VPN_Admins.csv]
|
||||
2. Add an entry to [``ITD/VPN_Admins_changes.csv``][VPN_Admins_changes.csv] with ``Pending`` for teh Action.
|
||||
3. Open up a TopDesk request with ITD to add the new Admin (TODO: TopDesk procedure)
|
||||
4. Add the ticket reference to [``ITD/VPN_Admins_changes.csv``][VPN_Admins_changes.csv]
|
||||
5. When complete mark the entry ``Added`` on [``ITD/VPN_Admins_changes.csv``][VPN_Admins_changes.csv].
|
||||
|
||||
## Remove
|
||||
For teh most part the removal/retirement of an admin is just the opposite of the adding.
|
||||
The main difference is contacting ITD to remove them from the VPN.
|
||||
|
||||
### VPN
|
||||
1. Open up a TopDesk request with ITD to remove the old Admin.
|
||||
2. Add the ticket reference to [``ITD/VPN_Admins_changes.csv``][VPN_Admins_changes.csv]
|
||||
3. When complete mark the entry ``Removed`` on [``ITD/VPN_Admins_changes.csv``][VPN_Admins_changes.csv].
|
||||
|
||||
|
||||
[users.nix]: https://forgejo.skynet.ie/Skynet/nixos/src/commit/b46eca16b0b207d14e173d4e40286160749c5c07/config/users.nix#L76
|
||||
[base.nix]: https://forgejo.skynet.ie/Skynet/nixos/src/commit/b46eca16b0b207d14e173d4e40286160749c5c07/machines/_base.nix#L75
|
||||
[secrets.nix]: https://forgejo.skynet.ie/Skynet/nixos/src/commit/b46eca16b0b207d14e173d4e40286160749c5c07/secrets/secrets.nix#L3-L18
|
||||
[VPN_Admins.csv]: https://forgejo.skynet.ie/Skynet/nixos/src/commit/b46eca16b0b207d14e173d4e40286160749c5c07/ITD/VPN_Admins.csv
|
||||
[VPN_Admins_changes.csv]: https://forgejo.skynet.ie/Skynet/nixos/src/commit/b46eca16b0b207d14e173d4e40286160749c5c07/ITD/VPN_Admins_changes.csv
|
||||
[age]: https://github.com/FiloSottile/age
|
||||
|
|
@ -6,7 +6,7 @@ Before starting the committee member in question *must* have a Skynet Account.
|
|||
This is because we have several services that require authentication to access.
|
||||
Details on how to create one can be found [here][skynet_account_creation].
|
||||
|
||||
Once they have an account add their username to [``users.nix``][users.nix].
|
||||
Once they have an account add their username to [``config/users.nix``][users.nix].
|
||||
Then commit and push.
|
||||
|
||||
Once everything is deployed they should have access to all resources within 15 min.
|
||||
|
|
@ -17,7 +17,7 @@ Next checkout the page on [VaultWarden](./vaultwarden.md) to add the user to the
|
|||
## Removing
|
||||
Removing is essentially the same as adding.
|
||||
|
||||
Remove their username to [``users.nix``][users.nix].
|
||||
Remove their username to [``config/users.nix``][users.nix].
|
||||
Then commit and push.
|
||||
|
||||
## Force Update
|
||||
|
|
|
|||
Loading…
Reference in a new issue