Hi Maciej,
Thanks for your reply and your explanation. I see more clearly now.

On 24.11.2017 at 00:18, Maciej Delmanowski wrote:
> On Nov 23, Jan Kowalsky wrote:
>> Hi all,
>> How is it possible to initialize a completely new certificate authority
>> while there are already hosts in the same Ansible domain?
>
> The 'debops.pki' role depends on a few things like presence of the generated
> private keys and certificates to not overwrite the certs over and over. If you
> want to reset it, removing the 'secret/pki/' directory (entire) on the Ansible
> Controller, as well as the '/etc/pki/realms/' directories on the remote hosts
> should be sufficient to create a new set of CA and certificates.

OK, I understand: there is no standalone initialization process; it's
initialized on configuration of the first host.
>> And still there is the problem that encfs on Debian Stretch isn't
>> working (but this is another story).
>
> Yes, I know. I chose it as the DebOps encryption method because it didn't
> require root access to lock/unlock the encrypted directories, and was portable
> enough that the encrypted data could be kept in the git repository, the same
> as the rest

The idea is fine, but at the moment with Debian Stretch it doesn't
work at all (this is already here:
https://github.com/debops/debops-tools/issues/184).

> or a separate. If you plan to use it, I would suggest to use an encrypted
> filesystem underneath as well, for example LUKS, to ensure better security.
> Of course EncFS is completely optional and could be replaced by something
> else.
I have now adopted the solution of mounting small LUKS containers together
with a small script to mount/unmount them with PGP keys. They are small
enough to reside in git, but with the drawback that there is no tracking of
individual files inside.

On this point I'm wondering if it's easy to substitute the debops-padlock
command with any other script. As I understood it, DebOps itself takes care
of mounting and unmounting the secrets. Could this also be achieved with
custom mounting scripts?
Kind Regards
Jan