Right now, xtask-setup configures the security group it creates to only allow SSH access from EC2 Instance Connect. The service works great on Linux (and allows us to have zero ports exposed to the public internet), but requires an agent that is not available on illumos.
We should consider how to enable SSH keys in xtask-setup for use within illumos:
- Should those be always configured, or should it be an option the user has to choose during setup? I kinda like that right now by default there are zero ports exposed for CI jobs.
- Other than enabling port 22 in the security group, should it configure the SSH key?
- If it configures the SSH key, should it do it through buildomat or through EC2's cloud-init?
- Which SSH key should it pick?