by rhaps0dy
811 days ago
Thank you for sending this, Talos looks cool! I would not recommend actually running it in production though -- it does not seem possible to set up in a secure way. (unless you have an out-of-band VPN to the machine?) See this: https://www.talos.dev/v1.6/introduction/getting-started/#mod... The first time you send the machine config, you have to use the --insecure flag to avoid verifying its TLS cert. More concerning, there seems to be no way for you to authenticate yourself to the new machine. Anyone (most likely an automated scanner) could come in and make it theirs at this point. Is there a solution for that?

You can also generate a custom installation medium or cloud image that pulls config from your trusted machines if you cannot use out-of-band provisioning.
You can also securely use the insecure maintenance mode when there is a firewall in front of the machine, which prevents access by non-administrator clients to the API ports on IP level.
I'm not a fan of Talos booting into insecure maintenance mode without config w/o prompting for at least a PIN displayed on-screen, but the problem you're describing in no way prevents production use.
[1] https://www.talos.dev/v1.6/talos-guides/install/
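The reply above relies on a firewall that admits the Talos API ports only from administrator addresses while a node sits in maintenance mode. The following added example (not code from the thread or from the Talos project) models that policy so it can be evaluated and audited offline: the port numbers are the Talos defaults (apid on TCP 50000, trustd on TCP 50001), the admin network and the probing source addresses are constructed sample values, and the nftables rendering is a plain text generator, not an installed ruleset.

```python
"""Model of an admin-only allowlist for the Talos API ports.

Added example, not from the discussion or the Talos project. Shows the
mitigation described in the reply (IP-level firewalling of the API ports)
beside the weak configuration it replaces, with an audit that flags any
API port reachable from outside every administrative network.
"""
import ipaddress
from dataclasses import dataclass

# Talos defaults: apid listens on TCP 50000, trustd on TCP 50001.
TALOS_API_PORTS = (50000, 50001)


@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "drop"
    src: ipaddress.IPv4Network       # source network the rule matches
    ports: tuple                     # destination TCP ports the rule matches


def policy_for(admin_cidrs):
    """Hardened policy: accept the API only from admin networks, then drop it
    for every other source. Traffic to other ports is left to chain policy."""
    rules = [Rule("accept", ipaddress.ip_network(c), TALOS_API_PORTS)
             for c in admin_cidrs]
    rules.append(Rule("drop", ipaddress.ip_network("0.0.0.0/0"), TALOS_API_PORTS))
    return rules


def permissive_policy():
    """Weak configuration: the API is reachable from any source, which is the
    exposure the first comment worries about while the node is unconfigured."""
    return [Rule("accept", ipaddress.ip_network("0.0.0.0/0"), TALOS_API_PORTS)]


def evaluate(rules, src_ip, dport):
    """First-match evaluation, like one nftables input chain with 'policy accept'."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if dport in r.ports and ip in r.src:
            return r.action
    return "accept"  # chain policy: unmatched traffic is accepted


def exposed_api_ports(rules):
    """Audit: API ports that a host outside every admin network can still reach.

    A port is exposed when the first catch-all (0.0.0.0/0) rule for it accepts,
    or when no catch-all rule exists at all (chain policy accept applies)."""
    exposed = []
    for port in TALOS_API_PORTS:
        for r in rules:
            if port in r.ports and r.src.prefixlen == 0:
                if r.action == "accept":
                    exposed.append(port)
                break
        else:
            exposed.append(port)
    return exposed


def to_nft(rules, table="talos_api"):
    """Render the rule list as nftables text for review (not applied here)."""
    lines = [f"table inet {table} {{",
             "    chain input {",
             "        type filter hook input priority 0; policy accept;"]
    for r in rules:
        ports = ", ".join(str(p) for p in r.ports)
        src = "" if r.src.prefixlen == 0 else f"ip saddr {r.src} "
        lines.append(f"        {src}tcp dport {{ {ports} }} {r.action}")
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    hardened = policy_for(["10.0.0.0/24"])          # constructed admin network
    print(to_nft(hardened))
    # 203.0.113.9 is a constructed non-admin address standing in for a scanner.
    print("admin   ->", evaluate(hardened, "10.0.0.5", 50000))
    print("scanner ->", evaluate(hardened, "203.0.113.9", 50000))
    print("exposed (hardened):  ", exposed_api_ports(hardened))
    print("exposed (permissive):", exposed_api_ports(permissive_policy()))
```

The audit function is the part worth keeping around: run it over whatever rule set fronts a node before booting it into maintenance mode, and treat any non-empty result as a reason not to proceed until the catch-all drop for 50000 and 50001 is in place.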