Author: ori
Description:
(For context, see the thread '[Ops] Shared ssh key' from October.)
Here's what we need next to transition scap to a securely-shared deployment key model:
* Create a private / public key pair for MediaWiki deployments. The private key should have a passphrase.
* Put the public key in operations/puppet:modules/mediawiki/files/authorized_keys.mwdeploy (currently just a placeholder).
* Put the private key in the private Puppet repository as files/ssh/tin/mwdeploy_rsa.
* Provision the private key on tin by merging <https://gerrit.wikimedia.org/r/172919>.
* Disseminate the private key's passphrase to roots, either by adding it to the private Puppet repository, or via some other secure means. (Chris Steipp's preference is to not have the passphrase in the private Puppet repository.)