Skynet/wiki
7
1
Fork 7
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions
wiki/src/procedures/skynet/admin_modify.md

78 lines
3.4 KiB
Markdown
Raw Blame History

# Change Admins
A Skynet Admin is a user with teh highest level of access to the cluster, having been trained up over a year.
This guide will cover adding and removing an Admin.
The normal Committee Member process applies to them as well, so check [here](./committee_modify.md#adding) for teh specific details.
A user cannot add or remove themselves from being an admin, an existing admin must do so (one who will still be admin after the procedure).
## Add
Steps to add a new Admin
### NixOS
There are several steps related to the NixOS repo on Forgejo.
#### Username Added
Like a normal committee member the users username must be added to the [``config/users.nix``][users.nix], specifically the admin section.
This gives teh user teh correct Skynet roles on our services.
This also enables them to use their personal account to login to all the servers.
#### SSH Key
##### Root Account
There is a ``root`` account that admins can use.
To be able to login as root you have to add you key to the keys for ``root``
You can add it in the [``machines/_base.nix``][base.nix].
##### Secrets Management
We store our secrets encrypted in the repo using a tool called ``agenix``, a nix implementation of [age][age].
In order to create/edit any secret your key has to be added to [``secrets/secrets.nix``][secrets.nix].
Add the key mimicking the format for the other admins.
Then add it to the users list/array.
Finally re-key the secrets
###### Re-key Secrets
In order to re-key the secrets your key must have been previously added (this just not work if you have just added your key, an existing admin must do this).
```shell
# enter the devshell
nix develop
# Move into teh secrets folder
cd secrets
# Re-key the secrets
agenix -R
```
Then commit the changes.
### VPN
The VPN is what allows admins to get access to the internal parts of teh cluster when not on campus.
It is provided by ITD.
1. Add an entry to the bottom of [``ITD/VPN_Admins.csv``][VPN_Admins.csv]
2. Add an entry to [``ITD/VPN_Admins_changes.csv``][VPN_Admins_changes.csv] with ``Pending`` for teh Action.
3. Open up a TopDesk request with ITD to add the new Admin (TODO: TopDesk procedure)
4. Add the ticket reference to [``ITD/VPN_Admins_changes.csv``][VPN_Admins_changes.csv]
5. When complete mark the entry ``Added`` on [``ITD/VPN_Admins_changes.csv``][VPN_Admins_changes.csv].
## Remove
For teh most part the removal/retirement of an admin is just the opposite of the adding.
The main difference is contacting ITD to remove them from the VPN.
### VPN
1. Open up a TopDesk request with ITD to remove the old Admin.
2. Add the ticket reference to [``ITD/VPN_Admins_changes.csv``][VPN_Admins_changes.csv]
3. When complete mark the entry ``Removed`` on [``ITD/VPN_Admins_changes.csv``][VPN_Admins_changes.csv].
[users.nix]: https://forgejo.skynet.ie/Skynet/nixos/src/commit/b46eca16b0b207d14e173d4e40286160749c5c07/config/users.nix#L76
[base.nix]: https://forgejo.skynet.ie/Skynet/nixos/src/commit/b46eca16b0b207d14e173d4e40286160749c5c07/machines/_base.nix#L75
[secrets.nix]: https://forgejo.skynet.ie/Skynet/nixos/src/commit/b46eca16b0b207d14e173d4e40286160749c5c07/secrets/secrets.nix#L3-L18
[VPN_Admins.csv]: https://forgejo.skynet.ie/Skynet/nixos/src/commit/b46eca16b0b207d14e173d4e40286160749c5c07/ITD/VPN_Admins.csv
[VPN_Admins_changes.csv]: https://forgejo.skynet.ie/Skynet/nixos/src/commit/b46eca16b0b207d14e173d4e40286160749c5c07/ITD/VPN_Admins_changes.csv
[age]: https://github.com/FiloSottile/age
Reference in a new issue View git blame Copy permalink