So there's probably a few fancier ways we can do this, but this honestly seems the simplest....
We set up the ansible password and the way to access it via environment variables:
I think for this task we'll also want to add a "security/threat model" for LME, so it's clear what sort of attacks we care about for this.
From what I'm thinking, the master password shouldn't be able to be accessed if any LME service is compromised. To mitigate this, I think we should store the master password in a separate user space from the lme services.
Therefore, if we have lme.service run as a different user (i.e. lme), we can have lme.service be a quadlet under the regular user, that spawns all the other quadlets as the lme user...
Here we need to ensure passwords are encrypted at rest.
For this we'll be using a combination of ansible-vault and podman-secrets,
utilizing a shell driver for the podman secret: https://docs.podman.io/en/latest/markdown/podman-secret-create.1.html
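
A sketch of how a podman shell secret driver can keep secrets encrypted at rest with ansible-vault, as described in the issue above. This is an added example, not code from the LME repository; the script layout, function names, `STORE_DIR`, `VAULT_PASS_FILE`, the driver path and the secret name are all assumptions.

```bash
#!/usr/bin/env bash
# Added example: podman "shell" secret driver backed by ansible-vault.
# podman runs the configured command with SECRET_ID in the environment;
# "store" receives the secret on stdin, "lookup" must print it on stdout.
# Both default paths are assumptions, not LME's real layout.
STORE_DIR="${STORE_DIR:-$HOME/.local/share/lme-secrets}"
VAULT_PASS_FILE="${VAULT_PASS_FILE:-$HOME/.config/lme/vault-pass}"

vault_encrypt() {  # stdin -> $1; only ciphertext is written to disk
  ansible-vault encrypt --vault-password-file "$VAULT_PASS_FILE" --output "$1" -
}
vault_decrypt() {  # $1 -> stdout
  ansible-vault decrypt --vault-password-file "$VAULT_PASS_FILE" --output - "$1"
}
secret_path() {  # reject ids that could escape STORE_DIR
  case "${SECRET_ID:-}" in
    ''|*[!A-Za-z0-9_-]*) echo "invalid SECRET_ID" >&2; return 1 ;;
  esac
  printf '%s/%s.vault\n' "$STORE_DIR" "$SECRET_ID"
}
secret_store() {
  p="$(secret_path)" || return 1
  ( umask 077; mkdir -p "$STORE_DIR" && vault_encrypt "$p" )
}
secret_lookup() {
  p="$(secret_path)" || return 1
  [ -f "$p" ] || return 1
  vault_decrypt "$p"
}
secret_delete() {
  p="$(secret_path)" || return 1
  rm -f -- "$p"
}
secret_list() {
  for f in "$STORE_DIR"/*.vault; do
    [ -e "$f" ] && basename "$f" .vault
  done
  return 0
}
# Entry point: podman invokes e.g. "/path/driver lookup".
case "${1:-}" in
  store|lookup|delete|list) "secret_$1" ;;
esac
# Registration sketch (driver path and secret name are placeholders):
#   podman secret create --driver shell --driver-opts \
#     "store=/path/driver store,lookup=/path/driver lookup,delete=/path/driver delete,list=/path/driver list" \
#     example_secret -
```

For the threat model in the issue, the vault password file and the store directory should be owned by the account that holds the master password and be unreadable by the user the LME services run as.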