How do you guys quickly sync your settings (especially bash aliases and ssh keys) across your machines?

Ideally i want a simple script to run on every new server I work with. Any suggestions?

  • restlessyet@discuss.tchncs.de
    link
    fedilink
    arrow-up
    17
    ·
    1 year ago

    I'm surprised no one mentioned ansible yet. It's meant for this (and more).

    By ssh keys I assume you're talking about authorized_keys, not private keys. I agree with other posters that private keys should not be synced, just generate new ones and add them to the relevant servers authorized_keys with ansible.

    • Toribor@corndog.social
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      I use Ansible for this as well. It's great. I encrypt secrets with Ansible vault and then use it to set keys, permissions, config files, etc. across my various workstations. Makes setup and troubleshooting a breeze.

    • dinosaurdynasty@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      If the keys are password protected… eh why not sync them.

      Also ssh certificates are a thing, they make doing that kind of stuff way easier instead of updating known hosts and authorized keys all the time

      • ouch@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        Passwords will be brute forced if it can be done offline.

        Private SSH keys should never leave a machine. If a key gets compromised without you knowing, in worst case you will revoke the access it has once the machine's lifespan is over. If you copy around one key, it may get compromised on any of the systems, and you will never revoke the access it has.

        And you may not want to give all systems the same access everywhere. With one key per machine, you can have more granularity for access.

        • dinosaurdynasty@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Passwords will be brute forced if it can be done offline.

          Set a good high entropy password, you can even tie it to your login password with ssh-agent usually

          Private SSH keys should never leave a machine.

          If this actually matters, put your SSH key on a yubikey or something

          If a key gets compromised without you knowing, in worst case you will revoke the access it has once the machine’s lifespan is over.

          People generally don't sit on keys, this is worthless. Also knowing people I've worked with… no, they won't think to revoke it unless forced to

          and you will never revoke the access it has.

          Just replace the key in authorized_keys and resync

          And you may not want to give all systems the same access everywhere

          One of the few reasons to do this, though this tends to not match "one key per machine" and more like "one key per process that needs it"

          Like yeah, it's decent standard advice… for corporate environments with many users. For a handful of single-user systems, it essentially doesn't matter (do you have a different boot and login key for each computer lol, the SSH keys are not the weak point)