Skip to content

Fixup mr !188

aguestuser requested to merge fixup-mr-188 into master

Context

!188 (merged)

Changes

preload backup host's ssh key fingerprints on prod aguestuser authored 54 minutes ago

  • if we don't have the keys, we get prompted the first time, which we can't automate
  • previously, we worked around this by passing StrictHostKeyChecking=no to ssh, but this leaves us open to the (small) possibility of a MIM attack on the server's SSH key
  • instead, pin the backup server's pub key on prod by loading the results of calling ssh-keyscan -H <backup host ip> into /root/.ssh/known_hosts on prod (via provision.yml)
  • and then remove the call to StrictHostKeyChecking in bin/backup

encrypt backups to deploy key

fix permissions on root ssh files loaded in provision.yml

Merge request reports

Loading