Admin - Modify
A Skynet Admin is a user with the highest level of access to the cluster, having been trained up over a year.
This guide will cover adding and removing an Admin.
The normal Committee Member process applies to them as well, so check here for the specific details.
A user cannot add or remove themselves as an admin; an existing admin must do so (one who will still be an admin after the procedure).
Add
Steps to add a new Admin
NixOS
There are several steps related to the NixOS repo on Forgejo.
Username Added
Like a normal committee member, the user's username must be added to config/users.nix, specifically the admin section.
This gives the user the correct Skynet roles on our services.
This also enables them to use their personal account to log in to all the servers.
SSH Key
Root Account
There is a root account that admins can use.
To be able to log in as root you have to add your key to the keys for root.
You can add it in machines/_base.nix.
Secrets Management
We store our secrets encrypted in the repo using a tool called agenix, a nix implementation of age.
In order to create/edit any secret your key has to be added to secrets/secrets.nix.
Add the key mimicking the format for the other admins.
Then add it to the users list/array.
Finally, re-key the secrets.
Re-key Secrets
In order to re-key the secrets your key must have been previously added (this will not work if you have just added your key; an existing admin must do this).
# enter the devshell
nix develop
# Move into the secrets folder
cd secrets
# Re-key the secrets
agenix -R
Then commit the changes.
VPN
The VPN is what allows admins to get access to the internal parts of the cluster when not on campus.
It is provided by ITD.
- Add an entry to the bottom of ITD/VPN_Admins.csv.
- Add an entry to ITD/VPN_Admins_changes.csv with Pending for the Action.
- Open up a TopDesk request with ITD to add the new Admin.
- Add the ticket reference to ITD/VPN_Admins_changes.csv.
- When complete, mark the entry Added on ITD/VPN_Admins_changes.csv.
Remove
For the most part the removal/retirement of an admin is just the opposite of the adding.
The main difference is contacting ITD to remove them from the VPN.
VPN
- Open up a TopDesk request with ITD to remove the old Admin.
- Add the ticket reference to ITD/VPN_Admins_changes.csv.
- When complete, mark the entry Removed on ITD/VPN_Admins_changes.csv.
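
An added example, not part of the Skynet repo or its tooling: a check an existing admin could run before committing, to confirm that a key has landed in both files named under Root Account and Secrets Management after an add, or is gone from both after a remove. The function name and its arguments are hypothetical; only the two file paths come from this guide.

```shell
#!/usr/bin/env bash
# Added example, not Skynet's own tooling. The two file paths come from the
# guide above; the key is matched as a literal string, so nothing is assumed
# about how either .nix file is laid out.

# audit_admin_key REPO PUBKEY MODE
#   MODE=add    -> the key must appear in both files
#   MODE=remove -> the key must appear in neither file
# Prints one status line per file. Returns 0 if the repo matches MODE,
# 1 if it does not, 2 on bad arguments.
audit_admin_key() {
    repo=$1 key=$2 mode=$3 rc=0
    # Match on the base64 body only (field 2 of "<type> <base64> [comment]"),
    # so a key pasted with a different comment is still found.
    key_body=$(printf '%s\n' "$key" | awk '{print $2}')
    if [ -z "$key_body" ]; then
        echo "error: PUBKEY must look like '<type> <base64> [comment]'" >&2
        return 2
    fi
    case $mode in
        add|remove) ;;
        *) echo "error: MODE must be 'add' or 'remove'" >&2; return 2 ;;
    esac

    for file in machines/_base.nix secrets/secrets.nix; do
        if [ ! -f "$repo/$file" ]; then
            echo "MISSING  $file"; rc=1; continue
        fi
        if grep -qF -- "$key_body" "$repo/$file"; then found=yes; else found=no; fi
        case "$mode:$found" in
            add:yes|remove:no) echo "ok       $file" ;;
            add:no)     echo "ABSENT   $file (key expected after an add)"; rc=1 ;;
            remove:yes) echo "PRESENT  $file (key must be gone after a remove)"; rc=1 ;;
        esac
    done
    return $rc
}
```

This only inspects the recipient list in secrets/secrets.nix; the encrypted files themselves change only when an existing admin runs the re-key step.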