Add docs that the secret key only needs to be able to sign

[dak.git] / setup / README

diff --git a/setup/README b/setup/README
index f22370255ef820bcde662d6de0ef9cd8ab354f7c..9d5103c19e4ef8e043ef5d7cbb2c676a12cd9911 100644 (file)
--- a/setup/README
+++ b/setup/README
@@ -16,9 +16,8 @@ The following roles are assumed to exist:
 For the purposes of this document, we'll be working in /srv/dak
 
 Set up the dak user on both the system and in postgres:
-# sudo adduser --system dak
-# sudo addgroup ftpmaster
-# sudo addgroup dak ftpmaster
+# sudo addgroup --system ftpmaster
+# sudo adduser --system dak --ingroup ftpmaster --shell /bin/bash
 # sudo -u postgres createuser -s dak
 
 Set up the dak directory:
@@ -68,7 +67,9 @@ WARNING: Please check these templates over and customise as necessary
 # cp templates/* /srv/dak/templates/
 
 Set up a private signing key: don't set a passphrase as dak will not
-pass one through to gpg.  Guard this key carefully
+pass one through to gpg.  Guard this key carefully!
+The key only needs to be able to sign, it doesn't need to be able
+to encrypt.
 # gpg --no-default-keyring --secret-keyring /srv/dak/keyrings/s3kr1t/dot-gnupg/secring.gpg --keyring /srv/dak/keyrings/s3kr1t/dot-gnupg/pubring.gpg --gen-key
 Remember the signing key id for when creating the suite below.
 Here we'll pretend it is DDDDDDDD for convenience