... | ... | @@ -20,12 +20,17 @@ The back-end will consume tasks from the queue, and run various commands. The in |
|
|
|
|
|
###
|
|
|
|
|
|
## Secrets
|
|
|
|
|
|
## Security model
|
|
|
|
|
|
Broadly speaking, Aegir maps a web GUI to CLI commands. Ansible provides a handy, secure mechanism to allow multiple servers, since it uses SSH to communicate between VMs. We *don't* want to be able to run arbitrary commands on the back-end, since this could easily lead to compromised security. Rather, the Ansible roles will represent a whitelist of commands, and safe variables.
|
|
|
|
|
|
### Secrets
|
|
|
|
|
|
To the extent possible, secrets should neither be entered nor exposed via the UI. Ideally, these would be either generated on the backend or, where needed, deployed by an administrator via SSH.
|
|
|
|
|
|
These should likely mostly be situated on the queue worker, so as to be accessible when needed by `ansible-playbook` or other engines.
|
|
|
|
|
|
|
|
|
## User experience
|
|
|
|
... | ... | |
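Review bot: The "Security model" paragraph rests on the Ansible roles being "a whitelist of commands, and safe variables", but nothing in the text says what makes a variable safe or where a value that originates in the web GUI is validated before it reaches `ansible-playbook`. Since the stated goal is that arbitrary commands cannot be run on the back-end, I would add a sentence naming that validation point and stating that only role-defined variables are accepted. Under "### Secrets", "These should likely mostly be situated on the queue worker" is too hedged to implement against: say which secrets live on the queue worker and who may read them there, and name the exceptions if any are known. Two smaller points: the markers are not visible in this rendering, so please confirm the bare "###" heading and the older "## Secrets" heading do not survive alongside the new "### Secrets", and consider "allowlist" in place of "whitelist".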