On Thu, Oct 5, 2023 at 9:00 AM Diego Zuccato <diego.zucc...@unibo.it> wrote:
>
> My current idea is to use Salt to orchestrate the install, but maybe
> it's better left to FAI? How can I "pass around" minion key so I don't
> have to manually re-approve the new key every time?
This is how we manage it. FAI knows what our "base server" should look like in terms of how we partition disks and what network interfaces get used for what. The only package beyond the base OS that it installs is salt-minion, and it puts in place our /etc/salt/minion.d/* files. On first boot, the minion tries to join the master, and we approve the new key there manually. The first highstate takes care of adding our site-standard base packages, configuration, etc.

In our case manually approving the minion key on the master is a small extra step, but I can see how, if you're doing dozens of servers a day, or if you have a strong motive for completely unattended reinstalls (fire and forget), having to approve the minion's key would be a problem.

Someone has suggested something like this up-thread, but I think the only way you're going to eliminate that step is if you push a keypair to the minion from FAI, and then have FAI share the public key with the master. You're probably not going to be able to get the minion to start up and do its thing properly until the system boots, and by that time I think you've lost any opportunity to transfer its public key securely without a manual approval step. You could store the public keys that FAI generates in a repository on the FAI server, and have it trigger a Salt webhook to tell the master when it needs to retrieve and install new ones.
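One way to implement the pre-seeding the reply describes, as an added example that is not code from this thread or from FAI or Salt: an FAI-side shell helper that generates the minion's RSA keypair with openssl and stages the public key under the master's accepted-keys layout, so the master already trusts the minion on first boot. The pki paths follow Salt's default layout (/etc/salt/pki/minion/ on the host, /etc/salt/pki/master/minions/<minion_id> on the master); the staging root, function names and the sample minion id are assumptions.

```shell
#!/bin/sh
# Pre-seed a Salt minion keypair from the FAI side (constructed example).
# Files land in a staging root; FAI copies the minion/ tree onto the
# installed host and the master/ tree onto the master.
set -eu

# preseed_minion_key <minion_id> <staging_root>
#   <root>/minion/minion.pem, minion.pub  -> host's /etc/salt/pki/minion/
#   <root>/minion_id                      -> host's /etc/salt/minion_id
#   <root>/master/minions/<minion_id>     -> master's /etc/salt/pki/master/minions/
# A file in master/minions/ named after the minion id and holding its public
# PEM is what Salt treats as an already-accepted key.
preseed_minion_key() {
    minion_id=$1
    root=$2
    minion_dir="$root/minion"
    accepted_dir="$root/master/minions"
    mkdir -p "$minion_dir" "$accepted_dir"
    umask 077                      # private key must never be group/world readable
    openssl genrsa -out "$minion_dir/minion.pem" 2048 2>/dev/null
    openssl rsa -in "$minion_dir/minion.pem" -pubout \
        -out "$minion_dir/minion.pub" 2>/dev/null
    chmod 400 "$minion_dir/minion.pem"
    printf '%s\n' "$minion_id" > "$root/minion_id"
    # Only the public half is staged for the master.
    cp "$minion_dir/minion.pub" "$accepted_dir/$minion_id"
    chmod 644 "$accepted_dir/$minion_id"
}

# check_preseed <minion_id> <staging_root>
# Returns 0 when the key staged as accepted on the master side is the
# public half of the private key the host will present, i.e. the
# SHA-256 fingerprints agree. Run this before shipping either tree.
check_preseed() {
    minion_id=$1
    root=$2
    host_fp=$(openssl rsa -in "$root/minion/minion.pem" -pubout 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}')
    master_fp=$(openssl dgst -sha256 < "$root/master/minions/$minion_id" \
        | awk '{print $NF}')
    [ -n "$host_fp" ] && [ "$host_fp" = "$master_fp" ]
}
```

Moving the staged master/ tree onto the master still needs an authenticated channel (the repository-plus-webhook route the reply mentions), and only the minion/ tree, never the master copy, should carry the private key.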