Skynet/wiki
6
0
Fork 5
Code Issues 2 Pull requests 1 Projects Releases Packages Wiki Activity Actions

WIP: Add more documentation/procedures #31

Draft
silver wants to merge 22 commits from fyp_procedures into main
pull from: fyp_procedures
merge into: Skynet:main
Conversation 0 Commits 22 Files changed 23 +80 -2
4 changed files with 80 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit 8f84904ba8 - Show all commits

0
src/procedures/skynet/admin_add.md
View file

78
src/procedures/skynet/admin_modify.md Normal file
View file

@ -0,0 +1,78 @@
# Change Admins
A Skynet Admin is a user with teh highest level of access to the cluster, having been trained up over a year.
This guide will cover adding and removing an Admin.
The normal Committee Member process applies to them as well, so check [here](./committee_modify.md#adding) for teh specific details.
A user cannot add or remove themselves from being an admin, an existing admin must do so (one who will still be admin after the procedure).
## Add
Steps to add a new Admin
### NixOS
There are several steps related to the NixOS repo on Forgejo.
#### Username Added
Like a normal committee member the users username must be added to the [``config/users.nix``][users.nix], specifically the admin section.
This gives teh user teh correct Skynet roles on our services.
This also enables them to use their personal account to login to all the servers.
#### SSH Key
##### Root Account
There is a ``root`` account that admins can use.
To be able to login as root you have to add you key to the keys for ``root``
You can add it in the [``machines/_base.nix``][base.nix].
##### Secrets Management
We store our secrets encrypted in the repo using a tool called ``agenix``, a nix implementation of [age][age].
In order to create/edit any secret your key has to be added to [``secrets/secrets.nix``][secrets.nix].
Add the key mimicking the format for the other admins.
Then add it to the users list/array.
Finally re-key the secrets
###### Re-key Secrets
In order to re-key the secrets your key must have been previously added (this just not work if you have just added your key, an existing admin must do this).
```shell
# enter the devshell
nix develop
# Move into teh secrets folder
cd secrets
# Re-key the secrets
agenix -R
```
Then commit the changes.
### VPN
The VPN is what allows admins to get access to the internal parts of teh cluster when not on campus.
It is provided by ITD.
1. Add an entry to the bottom of [``ITD/VPN_Admins.csv``][VPN_Admins.csv]
2. Add an entry to [``ITD/VPN_Admins_changes.csv``][VPN_Admins_changes.csv] with ``Pending`` for teh Action.
3. Open up a TopDesk request with ITD to add the new Admin (TODO: TopDesk procedure)
4. Add the ticket reference to [``ITD/VPN_Admins_changes.csv``][VPN_Admins_changes.csv]
5. When complete mark the entry ``Added`` on [``ITD/VPN_Admins_changes.csv``][VPN_Admins_changes.csv].
## Remove
For teh most part the removal/retirement of an admin is just the opposite of the adding.
The main difference is contacting ITD to remove them from the VPN.
### VPN
1. Open up a TopDesk request with ITD to remove the old Admin.
2. Add the ticket reference to [``ITD/VPN_Admins_changes.csv``][VPN_Admins_changes.csv]
3. When complete mark the entry ``Removed`` on [``ITD/VPN_Admins_changes.csv``][VPN_Admins_changes.csv].
[users.nix]: https://forgejo.skynet.ie/Skynet/nixos/src/commit/b46eca16b0b207d14e173d4e40286160749c5c07/config/users.nix#L76
[base.nix]: https://forgejo.skynet.ie/Skynet/nixos/src/commit/b46eca16b0b207d14e173d4e40286160749c5c07/machines/_base.nix#L75
[secrets.nix]: https://forgejo.skynet.ie/Skynet/nixos/src/commit/b46eca16b0b207d14e173d4e40286160749c5c07/secrets/secrets.nix#L3-L18
[VPN_Admins.csv]: https://forgejo.skynet.ie/Skynet/nixos/src/commit/b46eca16b0b207d14e173d4e40286160749c5c07/ITD/VPN_Admins.csv
[VPN_Admins_changes.csv]: https://forgejo.skynet.ie/Skynet/nixos/src/commit/b46eca16b0b207d14e173d4e40286160749c5c07/ITD/VPN_Admins_changes.csv
[age]: https://github.com/FiloSottile/age

0
src/procedures/skynet/admin_remove.md
View file

4
src/procedures/skynet/committee_modify.md
View file

@ -6,7 +6,7 @@ Before starting the committee member in question *must* have a Skynet Account.
This is because we have several services that require authentication to access.
Details on how to create one can be found [here][skynet_account_creation].
Once they have an account add their username to [``users.nix``][users.nix].
Once they have an account add their username to [``config/users.nix``][users.nix].
Then commit and push.
Once everything is deployed they should have access to all resources within 15 min.
@ -17,7 +17,7 @@ Next checkout the page on [VaultWarden](./vaultwarden.md) to add the user to the
## Removing
Removing is essentially the same as adding.
Remove their username to [``users.nix``][users.nix].
Remove their username to [``config/users.nix``][users.nix].
Then commit and push.
## Force Update