atrakic

I'm learning about SOPS and setting it up as my preferred mechanism for storing secrets. Here are my notes.

PGP

It’s security mechanism is that we (i.e. client) use a PUBLIC key from the receiver (i.e. server) and encode it with a random key (I’m saying nonce but it could be reused)

This varies from RSA and SSH because the server uses a PUBLIC key to identify the client.

Web of trust

Web of trust operates by still using PGP (i.e. encoding with recipient’s public key) but additionally, we can encrypt/sign the data as our own by signing it with the client’s private key.

This means the recipient will initially decrypt via our (i.e. client’s) public key (verifying the source) and then decrypting via their (i.e. server’s) private key to get the data.

Code is clean if it can be understood easily – by everyone on the team. Clean code can be read and enhanced by a developer other than its original author. With understandability comes readability, changeability, extensibility and maintainability.

General rules

Follow standard conventions.
Keep it simple stupid. Simpler is always better. Reduce complexity as much as possible.
Boy scout rule. Leave the campground cleaner than you found it.
Always find root cause. Always look for the root cause of a problem.

Design rules

Better SSH Authorized Keys Management

A seemingly common problem that people encounter is how to handle all of your users authorized_keys file.

People struggle over management, ensuring that users only have specific keys in the authorized_keys file or even a method for expiring keys. A centralized key management system could help provide all of this functionality with a little scripting.

One piece of functionality overlooked in OpenSSH is the AuthorizedKeysCommand configuration keyword. This configuration allows you to specify a command that will run during login to retrieve a users public key file from a remote source and perform validation just as if the authorized_keys file was local.

Here is an example directory structure for a set of users with SSH public keys that can be shared out via a web server:

	#!/usr/bin/env -S bash -c "docker run -p 8080:8080 -it --rm \$(docker build --progress plain -f \$0 . 2>&1 \| tee /dev/stderr \| grep -oP 'sha256:[0-9a-f]*')"

	# syntax = docker/dockerfile:1.4.0

	FROM node:20

	WORKDIR /root

	RUN npm install sqlite3

	#!/bin/bash

	target_branch="production"
	working_tree="PATH_TO_DEPLOY"

	while read oldrev newrev refname
	do
	branch=$(git rev-parse --symbolic --abbrev-ref $refname)
	if [ -n "$branch" ] && [ "$target_branch" == "$branch" ]; then

	#!/bin/bash
	if [ "$#" -ne 1 ]; then
	echo "Usage: $0 123.123.123.123 password"
	echo "Specify your host's LAN IP and the desired Pihole password"
	exit 1
	fi

	IP=$1
	PASSWORD=$2

	#!/bin/bash
	if [ "$#" -ne 1 ]; then
	echo "Usage: $0 123.123.123.123 password"
	echo "Specify your host's LAN IP and the desired Pihole password"
	exit 1
	fi

	IP=$1
	PASSWORD=$2

	deploy-kube:
	stage: deploy
	environment: test
	image: dtzar/helm-kubectl:2.12.3
	script:
	- kubectl config set-cluster sophia-cluster --server=${KUBE_URL} --certificate-authority="${KUBE_CA_PEM_FILE}"
	- kubectl config set-credentials sophia-admin --token=${KUBE_TOKEN}
	- kubectl config set-context sophia-context --cluster=sophia-cluster --user=sophia-admin --namespace ${KUBE_NAMESPACE}
	- kubectl config use-context sophia-context
	- helm upgrade --reuse-values --set image.tag=$CI_BUILD_REF sophia k8s-chart

	#!/usr/bin/python

	import urllib
	import sys

	text = sys.argv[1]
	encoded = urllib.quote_plus(text)
	print encoded

	#!/bin/bash
	#set -x
	#set -e
	k3d delete --name='rio'
	k3d create -n rio --image rancher/k3s:v0.8.1 --publish 80:80 --publish 443:443 --publish 9443:9443 --publish 9080:9080 &&
	declare -i i; i=0
	until k3d get-kubeconfig --name='rio'
	do
	if (( i > 20 )); then
	break