authorAlex Auvolat <alex@adnab.me>2022-12-25 22:31:18 +0100
committerAlex Auvolat <alex@adnab.me>2022-12-25 22:31:18 +0100
commit87bb031ed00b7993a29d74aee2e89875c5444caf (patch)
tree80ebbf8c3870b3dfa756905fa55af938b503e283
parent6d6e48c8fa7f4f38a5b812389d269c025a977790 (diff)
Migrate prod cluster secrets to new format
-rw-r--r--cluster/prod/app/backup/secrets.toml90
-rw-r--r--cluster/prod/app/backup/secrets/backup/consul/backup_aws_access_key_id1
-rw-r--r--cluster/prod/app/backup/secrets/backup/consul/backup_aws_secret_access_key1
-rw-r--r--cluster/prod/app/backup/secrets/backup/consul/backup_restic_password1
-rw-r--r--cluster/prod/app/backup/secrets/backup/consul/backup_restic_repository1
-rw-r--r--cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_access_key_id1
-rw-r--r--cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_secret_access_key1
-rw-r--r--cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_password1
-rw-r--r--cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_repository1
-rw-r--r--cluster/prod/app/backup/secrets/backup/id_ed255191
-rw-r--r--cluster/prod/app/backup/secrets/backup/id_ed25519.pub1
-rw-r--r--cluster/prod/app/backup/secrets/backup/psql/aws_access_key_id1
-rw-r--r--cluster/prod/app/backup/secrets/backup/psql/aws_secret_access_key1
-rw-r--r--cluster/prod/app/backup/secrets/backup/psql/crypt_private_key1
-rw-r--r--cluster/prod/app/backup/secrets/backup/psql/crypt_public_key1
-rw-r--r--cluster/prod/app/backup/secrets/backup/target_ssh_dir1
-rw-r--r--cluster/prod/app/backup/secrets/backup/target_ssh_fingerprint1
-rw-r--r--cluster/prod/app/backup/secrets/backup/target_ssh_host1
-rw-r--r--cluster/prod/app/backup/secrets/backup/target_ssh_port1
-rw-r--r--cluster/prod/app/backup/secrets/backup/target_ssh_user1
-rw-r--r--cluster/prod/app/core/secrets.toml5
-rw-r--r--cluster/prod/app/core/secrets/directory/ldap_base_dn1
-rw-r--r--cluster/prod/app/drone-ci/secrets.toml47
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/cookie_secret1
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/db_enc_secret1
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_id1
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_secret1
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/rpc_secret1
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/s3_ak1
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/s3_db_bucket1
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/s3_sk1
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/s3_storage_bucket1
-rw-r--r--cluster/prod/app/email/secrets.toml58
-rw-r--r--cluster/prod/app/email/secrets/email/dkim/smtp.private1
-rw-r--r--cluster/prod/app/email/secrets/email/dovecot/backup_aws_access_key_id1
-rw-r--r--cluster/prod/app/email/secrets/email/dovecot/backup_aws_secret_access_key1
-rw-r--r--cluster/prod/app/email/secrets/email/dovecot/backup_restic_password1
-rw-r--r--cluster/prod/app/email/secrets/email/dovecot/backup_restic_repository1
-rw-r--r--cluster/prod/app/email/secrets/email/dovecot/dovecot.crt1
-rw-r--r--cluster/prod/app/email/secrets/email/dovecot/dovecot.key1
-rw-r--r--cluster/prod/app/email/secrets/email/dovecot/ldap_binddn1
-rw-r--r--cluster/prod/app/email/secrets/email/dovecot/ldap_bindpwd1
-rw-r--r--cluster/prod/app/email/secrets/email/postfix/postfix.crt1
-rw-r--r--cluster/prod/app/email/secrets/email/postfix/postfix.key1
-rw-r--r--cluster/prod/app/email/secrets/email/sogo/ldap_binddn1
-rw-r--r--cluster/prod/app/email/secrets/email/sogo/ldap_bindpw1
-rw-r--r--cluster/prod/app/email/secrets/email/sogo/postgre_auth1
-rw-r--r--cluster/prod/app/garage/secrets.toml14
-rw-r--r--cluster/prod/app/garage/secrets/garage/admin_token1
-rw-r--r--cluster/prod/app/garage/secrets/garage/metrics_token1
-rw-r--r--cluster/prod/app/garage/secrets/garage/rpc_secret1
-rw-r--r--cluster/prod/app/guichet/secrets.toml51
-rw-r--r--cluster/prod/app/guichet/secrets/directory/guichet/mail_domain1
-rw-r--r--cluster/prod/app/guichet/secrets/directory/guichet/mail_from1
-rw-r--r--cluster/prod/app/guichet/secrets/directory/guichet/s3_access_key1
-rw-r--r--cluster/prod/app/guichet/secrets/directory/guichet/s3_bucket1
-rw-r--r--cluster/prod/app/guichet/secrets/directory/guichet/s3_endpoint1
-rw-r--r--cluster/prod/app/guichet/secrets/directory/guichet/s3_region1
-rw-r--r--cluster/prod/app/guichet/secrets/directory/guichet/s3_secret_key1
-rw-r--r--cluster/prod/app/guichet/secrets/directory/guichet/smtp_pass1
-rw-r--r--cluster/prod/app/guichet/secrets/directory/guichet/smtp_server1
-rw-r--r--cluster/prod/app/guichet/secrets/directory/guichet/smtp_user1
-rw-r--r--cluster/prod/app/guichet/secrets/directory/guichet/web_hostname1
-rw-r--r--cluster/prod/app/jitsi/secrets.toml36
-rw-r--r--cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.crt1
-rw-r--r--cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.key1
-rw-r--r--cluster/prod/app/jitsi/secrets/jitsi/jicofo_pass1
-rw-r--r--cluster/prod/app/jitsi/secrets/jitsi/jitsi.crt1
-rw-r--r--cluster/prod/app/jitsi/secrets/jitsi/jitsi.key1
-rw-r--r--cluster/prod/app/jitsi/secrets/jitsi/jvb_pass1
-rw-r--r--cluster/prod/app/matrix/secrets.toml92
-rw-r--r--cluster/prod/app/matrix/secrets/chat/coturn/static-auth1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/coturn/static_auth_secret_zinzdev1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/easybridge/as_token1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/easybridge/db_pass1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/easybridge/db_user1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/easybridge/hs_token1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/easybridge/web_session_key2
-rw-r--r--cluster/prod/app/matrix/secrets/chat/fb2mx/as_token1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/fb2mx/db_url1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/fb2mx/hs_token1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/synapse/homeserver.signing.key1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.crt1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.dh1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.key1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/synapse/ldap_binddn1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/synapse/ldap_bindpw1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/synapse/postgres_db1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/synapse/postgres_pwd1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/synapse/postgres_user1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/synapse/registration_shared_secret1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/synapse/s3_access_key1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/synapse/s3_secret_key1
-rw-r--r--cluster/prod/app/plume/secrets.toml29
-rw-r--r--cluster/prod/app/plume/secrets/plume/backup_aws_access_key_id1
-rw-r--r--cluster/prod/app/plume/secrets/plume/backup_aws_secret_access_key1
-rw-r--r--cluster/prod/app/plume/secrets/plume/backup_restic_password1
-rw-r--r--cluster/prod/app/plume/secrets/plume/backup_restic_repository1
-rw-r--r--cluster/prod/app/plume/secrets/plume/pgsql_pw1
-rw-r--r--cluster/prod/app/plume/secrets/plume/secret_key1
-rw-r--r--cluster/prod/app/postgres/secrets.toml10
-rw-r--r--cluster/prod/app/postgres/secrets/postgres/keeper/pg_repl_pwd1
-rw-r--r--cluster/prod/app/postgres/secrets/postgres/keeper/pg_repl_username1
-rw-r--r--cluster/prod/app/postgres/secrets/postgres/keeper/pg_su_pwd1
l---------cluster/prod/app/secretmgr1
-rw-r--r--cluster/prod/app/telemetry/secrets.toml16
-rw-r--r--cluster/prod/app/telemetry/secrets/telemetry/grafana/admin_password1
-rw-r--r--cluster/prod/app/telemetry/secrets/telemetry/grafana/s3_access_key1
-rw-r--r--cluster/prod/app/telemetry/secrets/telemetry/grafana/s3_secret_key1
-rw-r--r--cluster/prod/secretmgr.toml9
110 files changed, 457 insertions, 99 deletions
diff --git a/cluster/prod/app/backup/secrets.toml b/cluster/prod/app/backup/secrets.toml
new file mode 100644
index 0000000..5d2b851
--- /dev/null
+++ b/cluster/prod/app/backup/secrets.toml
@@ -0,0 +1,90 @@
+# Cryptpad backup
+
+[secrets."backup/cryptpad/backup_restic_password"]
+type = 'user'
+description = 'Restic password to encrypt backups'
+
+[secrets."backup/cryptpad/backup_aws_secret_access_key"]
+type = 'user'
+description = 'Backup AWS secret access key'
+
+[secrets."backup/cryptpad/backup_restic_repository"]
+type = 'user'
+description = 'Restic repository'
+example = 's3:https://s3.garage.tld'
+
+[secrets."backup/cryptpad/backup_aws_access_key_id"]
+type = 'user'
+description = 'Backup AWS access key ID'
+
+
+# Consul backup
+
+[secrets."backup/consul/backup_restic_password"]
+type = 'user'
+description = 'Restic password to encrypt backups'
+
+[secrets."backup/consul/backup_aws_secret_access_key"]
+type = 'user'
+description = 'Backup AWS secret access key'
+
+[secrets."backup/consul/backup_restic_repository"]
+type = 'user'
+description = 'Restic repository'
+example = 's3:https://s3.garage.tld'
+
+[secrets."backup/consul/backup_aws_access_key_id"]
+type = 'user'
+description = 'Backup AWS access key ID'
+
+
+# Postgresql backup
+
+[secrets."backup/psql/aws_secret_access_key"]
+type = 'user'
+description = 'Minio secret key'
+
+[secrets."backup/psql/aws_access_key_id"]
+type = 'user'
+description = 'Minio access key'
+
+[secrets."backup/psql/crypt_public_key"]
+type = 'user'
+description = 'A public key to encypt backups with age'
+
+[secrets."backup/psql/crypt_private_key"]
+type = 'user'
+description = 'a private key to decript backups from age'
+
+
+# SSH target config (do we still use this?)
+
+[secrets."backup/target_ssh_host"]
+type = 'user'
+description = 'Hostname of the backup target host'
+
+[secrets."backup/target_ssh_port"]
+type = 'user'
+description = 'SSH port number to connect to the target host'
+
+[secrets."backup/target_ssh_dir"]
+type = 'user'
+description = 'Directory where to store backups on target host'
+
+[secrets."backup/target_ssh_user"]
+type = 'user'
+description = 'SSH username to log in as on the target host'
+
+[secrets."backup/target_ssh_fingerprint"]
+type = 'user'
+description = 'SSH fingerprint of the target machine (format: copy here the corresponding line from your known_hosts file)'
+
+[secrets."backup/id_ed25519"]
+type = 'user'
+multiline = true
+description = 'Private ed25519 key of the container doing the backup'
+
+[secrets."backup/id_ed25519.pub"]
+type = 'user'
+description = 'Public ed25519 key of the container doing the backup (this key must be in authorized_keys on the backup target host)'
+
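Review bot: The descriptions of `backup/psql/crypt_public_key` and `backup/psql/crypt_private_key` carry typos copied from the old one-line files; they should read `description = 'A public key to encrypt backups with age'` and `description = 'A private key to decrypt backups from age'`. The `# SSH target config (do we still use this?)` header also migrates an open question into the prod definition: the five `target_ssh_*` entries and the `id_ed25519` key pair stay declared as `'user'` secrets that have to be provisioned, and if the SSH target is no longer used they are credentials kept for nothing. Either resolve the question in this commit or turn the header into a `# TODO(<owner>): remove SSH target secrets once confirmed unused` so it does not linger indefinitely.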
diff --git a/cluster/prod/app/backup/secrets/backup/consul/backup_aws_access_key_id b/cluster/prod/app/backup/secrets/backup/consul/backup_aws_access_key_id
deleted file mode 100644
index 9235e53..0000000
--- a/cluster/prod/app/backup/secrets/backup/consul/backup_aws_access_key_id
+++ /dev/null
@@ -1 +0,0 @@
-USER Backup AWS access key ID
diff --git a/cluster/prod/app/backup/secrets/backup/consul/backup_aws_secret_access_key b/cluster/prod/app/backup/secrets/backup/consul/backup_aws_secret_access_key
deleted file mode 100644
index f34677e..0000000
--- a/cluster/prod/app/backup/secrets/backup/consul/backup_aws_secret_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER Backup AWS secret access key
diff --git a/cluster/prod/app/backup/secrets/backup/consul/backup_restic_password b/cluster/prod/app/backup/secrets/backup/consul/backup_restic_password
deleted file mode 100644
index fbaa5fa..0000000
--- a/cluster/prod/app/backup/secrets/backup/consul/backup_restic_password
+++ /dev/null
@@ -1 +0,0 @@
-USER Restic password to encrypt backups
diff --git a/cluster/prod/app/backup/secrets/backup/consul/backup_restic_repository b/cluster/prod/app/backup/secrets/backup/consul/backup_restic_repository
deleted file mode 100644
index 3f6cb93..0000000
--- a/cluster/prod/app/backup/secrets/backup/consul/backup_restic_repository
+++ /dev/null
@@ -1 +0,0 @@
-USER Restic repository, eg. s3:https://s3.garage.tld
diff --git a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_access_key_id b/cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_access_key_id
deleted file mode 100644
index 9235e53..0000000
--- a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_access_key_id
+++ /dev/null
@@ -1 +0,0 @@
-USER Backup AWS access key ID
diff --git a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_secret_access_key b/cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_secret_access_key
deleted file mode 100644
index f34677e..0000000
--- a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_secret_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER Backup AWS secret access key
diff --git a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_password b/cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_password
deleted file mode 100644
index fbaa5fa..0000000
--- a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_password
+++ /dev/null
@@ -1 +0,0 @@
-USER Restic password to encrypt backups
diff --git a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_repository b/cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_repository
deleted file mode 100644
index 3f6cb93..0000000
--- a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_repository
+++ /dev/null
@@ -1 +0,0 @@
-USER Restic repository, eg. s3:https://s3.garage.tld
diff --git a/cluster/prod/app/backup/secrets/backup/id_ed25519 b/cluster/prod/app/backup/secrets/backup/id_ed25519
deleted file mode 100644
index 9d7fd46..0000000
--- a/cluster/prod/app/backup/secrets/backup/id_ed25519
+++ /dev/null
@@ -1 +0,0 @@
-USER_LONG Private ed25519 key of the container doing the backup
diff --git a/cluster/prod/app/backup/secrets/backup/id_ed25519.pub b/cluster/prod/app/backup/secrets/backup/id_ed25519.pub
deleted file mode 100644
index 0a2ab35..0000000
--- a/cluster/prod/app/backup/secrets/backup/id_ed25519.pub
+++ /dev/null
@@ -1 +0,0 @@
-USER Public ed25519 key of the container doing the backup (this key must be in authorized_keys on the backup target host)
diff --git a/cluster/prod/app/backup/secrets/backup/psql/aws_access_key_id b/cluster/prod/app/backup/secrets/backup/psql/aws_access_key_id
deleted file mode 100644
index 82375d7..0000000
--- a/cluster/prod/app/backup/secrets/backup/psql/aws_access_key_id
+++ /dev/null
@@ -1 +0,0 @@
-USER Minio access key
diff --git a/cluster/prod/app/backup/secrets/backup/psql/aws_secret_access_key b/cluster/prod/app/backup/secrets/backup/psql/aws_secret_access_key
deleted file mode 100644
index de5090c..0000000
--- a/cluster/prod/app/backup/secrets/backup/psql/aws_secret_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER Minio secret key
diff --git a/cluster/prod/app/backup/secrets/backup/psql/crypt_private_key b/cluster/prod/app/backup/secrets/backup/psql/crypt_private_key
deleted file mode 100644
index 4abece9..0000000
--- a/cluster/prod/app/backup/secrets/backup/psql/crypt_private_key
+++ /dev/null
@@ -1 +0,0 @@
-USER a private key to decript backups from age
diff --git a/cluster/prod/app/backup/secrets/backup/psql/crypt_public_key b/cluster/prod/app/backup/secrets/backup/psql/crypt_public_key
deleted file mode 100644
index 156ad47..0000000
--- a/cluster/prod/app/backup/secrets/backup/psql/crypt_public_key
+++ /dev/null
@@ -1 +0,0 @@
-USER A public key to encypt backups with age
diff --git a/cluster/prod/app/backup/secrets/backup/target_ssh_dir b/cluster/prod/app/backup/secrets/backup/target_ssh_dir
deleted file mode 100644
index 3b2a4da..0000000
--- a/cluster/prod/app/backup/secrets/backup/target_ssh_dir
+++ /dev/null
@@ -1 +0,0 @@
-USER Directory where to store backups on target host
diff --git a/cluster/prod/app/backup/secrets/backup/target_ssh_fingerprint b/cluster/prod/app/backup/secrets/backup/target_ssh_fingerprint
deleted file mode 100644
index 608f3ec..0000000
--- a/cluster/prod/app/backup/secrets/backup/target_ssh_fingerprint
+++ /dev/null
@@ -1 +0,0 @@
-USER SSH fingerprint of the target machine (format: copy here the corresponding line from your known_hosts file)
diff --git a/cluster/prod/app/backup/secrets/backup/target_ssh_host b/cluster/prod/app/backup/secrets/backup/target_ssh_host
deleted file mode 100644
index 6268f87..0000000
--- a/cluster/prod/app/backup/secrets/backup/target_ssh_host
+++ /dev/null
@@ -1 +0,0 @@
-USER Hostname of the backup target host
diff --git a/cluster/prod/app/backup/secrets/backup/target_ssh_port b/cluster/prod/app/backup/secrets/backup/target_ssh_port
deleted file mode 100644
index 309dd38..0000000
--- a/cluster/prod/app/backup/secrets/backup/target_ssh_port
+++ /dev/null
@@ -1 +0,0 @@
-USER SSH port number to connect to the target host
diff --git a/cluster/prod/app/backup/secrets/backup/target_ssh_user b/cluster/prod/app/backup/secrets/backup/target_ssh_user
deleted file mode 100644
index 98b3046..0000000
--- a/cluster/prod/app/backup/secrets/backup/target_ssh_user
+++ /dev/null
@@ -1 +0,0 @@
-USER SSH username to log in as on the target host
diff --git a/cluster/prod/app/core/secrets.toml b/cluster/prod/app/core/secrets.toml
new file mode 100644
index 0000000..736c9dd
--- /dev/null
+++ b/cluster/prod/app/core/secrets.toml
@@ -0,0 +1,5 @@
+[secrets."directory/ldap_base_dn"]
+type = 'user'
+description = 'LDAP base DN for everything'
+example = 'dc=example,dc=com'
+
diff --git a/cluster/prod/app/core/secrets/directory/ldap_base_dn b/cluster/prod/app/core/secrets/directory/ldap_base_dn
deleted file mode 100644
index ea5c7ae..0000000
--- a/cluster/prod/app/core/secrets/directory/ldap_base_dn
+++ /dev/null
@@ -1 +0,0 @@
-USER LDAP base DN for everything (e.g. dc=example,dc=com)
diff --git a/cluster/prod/app/drone-ci/secrets.toml b/cluster/prod/app/drone-ci/secrets.toml
new file mode 100644
index 0000000..5bd98d0
--- /dev/null
+++ b/cluster/prod/app/drone-ci/secrets.toml
@@ -0,0 +1,47 @@
+# Drone's secrets
+
+[secrets."drone-ci/rpc_secret"]
+type = 'command'
+rotate = true
+command = 'openssl rand -hex 16'
+
+[secrets."drone-ci/cookie_secret"]
+type = 'command'
+rotate = true
+command = 'openssl rand -hex 16'
+
+[secrets."drone-ci/db_enc_secret"]
+type = 'command'
+command = 'openssl rand -hex 16'
+
+
+# Oauth config for gitea
+
+[secrets."drone-ci/oauth_client_secret"]
+type = 'user'
+description = 'OAuth client secret (for gitea)'
+
+[secrets."drone-ci/oauth_client_id"]
+type = 'user'
+description = 'OAuth client ID (on Gitea)'
+
+
+# S3 config for Git LFS storage
+
+[secrets."drone-ci/s3_db_bucket"]
+type = 'constant'
+value = 'drone-db'
+
+[secrets."drone-ci/s3_sk"]
+type = 'user'
+description = 'S3 (garage) secret key for Drone'
+
+[secrets."drone-ci/s3_ak"]
+type = 'user'
+description = 'S3 (garage) access key for Drone'
+
+[secrets."drone-ci/s3_storage_bucket"]
+type = 'constant'
+value = 'drone-storage'
+
+
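Review bot: `drone-ci/db_enc_secret` is the only command secret in this file without `rotate = true`, and nothing says why, whereas the same omission on `garage/rpc_secret` in this commit is explained by a comment. The old `CMD_ONCE` marker at least signalled the intent; in the new format the absence of a key is silent, and a later cleanup could add `rotate = true` for consistency with the two entries above it. Suggested comment above the table header: `# not rotated: presumably encrypts data at rest in Drone's DB, so a new value would orphan existing rows — confirm before enabling rotation`.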
diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/cookie_secret b/cluster/prod/app/drone-ci/secrets/drone-ci/cookie_secret
deleted file mode 100644
index 04c819e..0000000
--- a/cluster/prod/app/drone-ci/secrets/drone-ci/cookie_secret
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -hex 16
diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/db_enc_secret b/cluster/prod/app/drone-ci/secrets/drone-ci/db_enc_secret
deleted file mode 100644
index 3f9e696..0000000
--- a/cluster/prod/app/drone-ci/secrets/drone-ci/db_enc_secret
+++ /dev/null
@@ -1 +0,0 @@
-CMD_ONCE openssl rand -hex 16
diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_id b/cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_id
deleted file mode 100644
index c801b28..0000000
--- a/cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_id
+++ /dev/null
@@ -1 +0,0 @@
-USER OAuth client ID (on Gitea)
diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_secret b/cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_secret
deleted file mode 100644
index b79b688..0000000
--- a/cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_secret
+++ /dev/null
@@ -1 +0,0 @@
-USER OAuth client secret (for gitea)
diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/rpc_secret b/cluster/prod/app/drone-ci/secrets/drone-ci/rpc_secret
deleted file mode 100644
index 04c819e..0000000
--- a/cluster/prod/app/drone-ci/secrets/drone-ci/rpc_secret
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -hex 16
diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/s3_ak b/cluster/prod/app/drone-ci/secrets/drone-ci/s3_ak
deleted file mode 100644
index 3a8e4a2..0000000
--- a/cluster/prod/app/drone-ci/secrets/drone-ci/s3_ak
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 (garage) access key for Drone
diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/s3_db_bucket b/cluster/prod/app/drone-ci/secrets/drone-ci/s3_db_bucket
deleted file mode 100644
index c36f17d..0000000
--- a/cluster/prod/app/drone-ci/secrets/drone-ci/s3_db_bucket
+++ /dev/null
@@ -1 +0,0 @@
-CONST drone-db
diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/s3_sk b/cluster/prod/app/drone-ci/secrets/drone-ci/s3_sk
deleted file mode 100644
index 46fd9fa..0000000
--- a/cluster/prod/app/drone-ci/secrets/drone-ci/s3_sk
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 (garage) secret key for Drone
diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/s3_storage_bucket b/cluster/prod/app/drone-ci/secrets/drone-ci/s3_storage_bucket
deleted file mode 100644
index ca2702c..0000000
--- a/cluster/prod/app/drone-ci/secrets/drone-ci/s3_storage_bucket
+++ /dev/null
@@ -1 +0,0 @@
-CONST drone-storage
diff --git a/cluster/prod/app/email/secrets.toml b/cluster/prod/app/email/secrets.toml
new file mode 100644
index 0000000..4efee49
--- /dev/null
+++ b/cluster/prod/app/email/secrets.toml
@@ -0,0 +1,58 @@
+# ---- POSTFIX ----
+
+[secrets."email/postfix/postfix.key"]
+type = 'SSL_KEY'
+name = 'postfix'
+
+[secrets."email/postfix/postfix.crt"]
+type = 'SSL_CERT'
+name = 'postfix'
+cert_domains = "['deuxfleurs.fr']"
+
+[secrets."email/dkim/smtp.private"]
+type = 'RSA_PRIVATE_KEY'
+name = 'dkim'
+
+# ---- DOVECOT ----
+
+[service_users."dovecot"]
+dn_secret = "email/dovecot/ldap_binddn"
+password_secret = "email/dovecot/ldap_bindpwd"
+
+
+[secrets."email/dovecot/dovecot.key"]
+type = 'SSL_KEY'
+name = 'dovecot'
+
+[secrets."email/dovecot/dovecot.crt"]
+type = 'SSL_CERT'
+name = 'dovecot'
+cert_domains = "['deuxfleurs.fr']"
+
+
+[secrets."email/dovecot/backup_restic_password"]
+type = 'user'
+description = 'Restic backup password to encrypt data'
+
+[secrets."email/dovecot/backup_aws_secret_access_key"]
+type = 'user'
+description = 'AWS Secret Access key'
+
+[secrets."email/dovecot/backup_restic_repository"]
+type = 'user'
+description = 'Restic Repository URL, check op_guide/backup-minio to see the format'
+
+[secrets."email/dovecot/backup_aws_access_key_id"]
+type = 'user'
+description = 'AWS Acces Key ID'
+
+# ---- SOGO ----
+
+[service_users."sogo"]
+dn_secret = "email/sogo/ldap_binddn"
+password_secret = "email/sogo/ldap_bindpw"
+
+[secrets."email/sogo/postgre_auth"]
+type = 'user'
+description = 'SoGo postgres auth (format: sogo:<password>) (TODO: replace this with two separate files and change template)'
+
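Review bot: `cert_domains = "['deuxfleurs.fr']"` on `postfix.crt` and `dovecot.crt` stores a list as a string shaped like a Python literal instead of a TOML array; unless the consumer (secretmgr, not in this diff) is known to parse that string, `cert_domains = ['deuxfleurs.fr']` is the native form and avoids a second ad-hoc parser on a value that ends up in a certificate. The `[service_users."dovecot"]` and `[service_users."sogo"]` tables also drop the human-readable labels the old `SERVICE_DN` lines carried (`Dovecot IMAP server`, `SoGo email frontend`); if the new format has a description field keep them there, otherwise as a comment above each header. The type names `'SSL_KEY'`, `'SSL_CERT'` and `'RSA_PRIVATE_KEY'` are upper-case while every other file in this commit uses lower-case `'user'`/`'command'`/`'constant'`; worth confirming the loader accepts both casings, or normalising to one.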
diff --git a/cluster/prod/app/email/secrets/email/dkim/smtp.private b/cluster/prod/app/email/secrets/email/dkim/smtp.private
deleted file mode 100644
index 3aa3621..0000000
--- a/cluster/prod/app/email/secrets/email/dkim/smtp.private
+++ /dev/null
@@ -1 +0,0 @@
-RSA_PRIVATE_KEY dkim
diff --git a/cluster/prod/app/email/secrets/email/dovecot/backup_aws_access_key_id b/cluster/prod/app/email/secrets/email/dovecot/backup_aws_access_key_id
deleted file mode 100644
index 9ae6adf..0000000
--- a/cluster/prod/app/email/secrets/email/dovecot/backup_aws_access_key_id
+++ /dev/null
@@ -1 +0,0 @@
-USER AWS Acces Key ID
diff --git a/cluster/prod/app/email/secrets/email/dovecot/backup_aws_secret_access_key b/cluster/prod/app/email/secrets/email/dovecot/backup_aws_secret_access_key
deleted file mode 100644
index ac95906..0000000
--- a/cluster/prod/app/email/secrets/email/dovecot/backup_aws_secret_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER AWS Secret Access key
diff --git a/cluster/prod/app/email/secrets/email/dovecot/backup_restic_password b/cluster/prod/app/email/secrets/email/dovecot/backup_restic_password
deleted file mode 100644
index c19a4a3..0000000
--- a/cluster/prod/app/email/secrets/email/dovecot/backup_restic_password
+++ /dev/null
@@ -1 +0,0 @@
-USER Restic backup password to encrypt data
diff --git a/cluster/prod/app/email/secrets/email/dovecot/backup_restic_repository b/cluster/prod/app/email/secrets/email/dovecot/backup_restic_repository
deleted file mode 100644
index 0434a15..0000000
--- a/cluster/prod/app/email/secrets/email/dovecot/backup_restic_repository
+++ /dev/null
@@ -1 +0,0 @@
-USER Restic Repository URL, check op_guide/backup-minio to see the format
diff --git a/cluster/prod/app/email/secrets/email/dovecot/dovecot.crt b/cluster/prod/app/email/secrets/email/dovecot/dovecot.crt
deleted file mode 100644
index 7229cfc..0000000
--- a/cluster/prod/app/email/secrets/email/dovecot/dovecot.crt
+++ /dev/null
@@ -1 +0,0 @@
-SSL_CERT dovecot deuxfleurs.fr
diff --git a/cluster/prod/app/email/secrets/email/dovecot/dovecot.key b/cluster/prod/app/email/secrets/email/dovecot/dovecot.key
deleted file mode 100644
index 0d42c79..0000000
--- a/cluster/prod/app/email/secrets/email/dovecot/dovecot.key
+++ /dev/null
@@ -1 +0,0 @@
-SSL_KEY dovecot
diff --git a/cluster/prod/app/email/secrets/email/dovecot/ldap_binddn b/cluster/prod/app/email/secrets/email/dovecot/ldap_binddn
deleted file mode 100644
index da380f2..0000000
--- a/cluster/prod/app/email/secrets/email/dovecot/ldap_binddn
+++ /dev/null
@@ -1 +0,0 @@
-SERVICE_DN dovecot Dovecot IMAP server
diff --git a/cluster/prod/app/email/secrets/email/dovecot/ldap_bindpwd b/cluster/prod/app/email/secrets/email/dovecot/ldap_bindpwd
deleted file mode 100644
index 068f663..0000000
--- a/cluster/prod/app/email/secrets/email/dovecot/ldap_bindpwd
+++ /dev/null
@@ -1 +0,0 @@
-SERVICE_PASSWORD dovecot
diff --git a/cluster/prod/app/email/secrets/email/postfix/postfix.crt b/cluster/prod/app/email/secrets/email/postfix/postfix.crt
deleted file mode 100644
index f004d67..0000000
--- a/cluster/prod/app/email/secrets/email/postfix/postfix.crt
+++ /dev/null
@@ -1 +0,0 @@
-SSL_CERT postfix deuxfleurs.fr
diff --git a/cluster/prod/app/email/secrets/email/postfix/postfix.key b/cluster/prod/app/email/secrets/email/postfix/postfix.key
deleted file mode 100644
index 2cf1706..0000000
--- a/cluster/prod/app/email/secrets/email/postfix/postfix.key
+++ /dev/null
@@ -1 +0,0 @@
-SSL_KEY postfix
diff --git a/cluster/prod/app/email/secrets/email/sogo/ldap_binddn b/cluster/prod/app/email/secrets/email/sogo/ldap_binddn
deleted file mode 100644
index df627d3..0000000
--- a/cluster/prod/app/email/secrets/email/sogo/ldap_binddn
+++ /dev/null
@@ -1 +0,0 @@
-SERVICE_DN sogo SoGo email frontend
diff --git a/cluster/prod/app/email/secrets/email/sogo/ldap_bindpw b/cluster/prod/app/email/secrets/email/sogo/ldap_bindpw
deleted file mode 100644
index 8d2f35b..0000000
--- a/cluster/prod/app/email/secrets/email/sogo/ldap_bindpw
+++ /dev/null
@@ -1 +0,0 @@
-SERVICE_PASSWORD sogo
diff --git a/cluster/prod/app/email/secrets/email/sogo/postgre_auth b/cluster/prod/app/email/secrets/email/sogo/postgre_auth
deleted file mode 100644
index 4f66253..0000000
--- a/cluster/prod/app/email/secrets/email/sogo/postgre_auth
+++ /dev/null
@@ -1 +0,0 @@
-USER SoGo postgres auth (format: sogo:<password>) (TODO: replace this with two separate files and change template)
diff --git a/cluster/prod/app/garage/secrets.toml b/cluster/prod/app/garage/secrets.toml
new file mode 100644
index 0000000..e616091
--- /dev/null
+++ b/cluster/prod/app/garage/secrets.toml
@@ -0,0 +1,14 @@
+[secrets."garage/rpc_secret"]
+type = 'command'
+command = 'openssl rand -hex 32'
+# can't auto-rotate, because we still have some nodes outside of Nomad
+
+[secrets."garage/admin_token"]
+type = 'command'
+command = 'openssl rand -hex 32'
+rotate = true
+
+[secrets."garage/metrics_token"]
+type = 'command'
+command = 'openssl rand -hex 32'
+rotate = true
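Review bot: `garage/admin_token` and `garage/metrics_token` gain `rotate = true` although their old definitions were `CMD_ONCE`, and the drone-ci file in this same commit maps `CMD` to `rotate = true` and `CMD_ONCE` to no rotation, so this part of the migration changes behaviour rather than just format: both tokens will presumably be regenerated on rotation and whatever holds the old value stops working. If that is intended, say so in the commit message or in a comment on the two tables; if not, drop the two `rotate = true` lines. The `# can't auto-rotate, …` comment on `rpc_secret` sits under `command` and reads as a remark on the command; placing it above the `[secrets."garage/rpc_secret"]` header makes clear it explains the missing `rotate` key.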
diff --git a/cluster/prod/app/garage/secrets/garage/admin_token b/cluster/prod/app/garage/secrets/garage/admin_token
deleted file mode 100644
index d831d53..0000000
--- a/cluster/prod/app/garage/secrets/garage/admin_token
+++ /dev/null
@@ -1 +0,0 @@
-CMD_ONCE openssl rand -hex 32
diff --git a/cluster/prod/app/garage/secrets/garage/metrics_token b/cluster/prod/app/garage/secrets/garage/metrics_token
deleted file mode 100644
index d831d53..0000000
--- a/cluster/prod/app/garage/secrets/garage/metrics_token
+++ /dev/null
@@ -1 +0,0 @@
-CMD_ONCE openssl rand -hex 32
diff --git a/cluster/prod/app/garage/secrets/garage/rpc_secret b/cluster/prod/app/garage/secrets/garage/rpc_secret
deleted file mode 100644
index d831d53..0000000
--- a/cluster/prod/app/garage/secrets/garage/rpc_secret
+++ /dev/null
@@ -1 +0,0 @@
-CMD_ONCE openssl rand -hex 32
diff --git a/cluster/prod/app/guichet/secrets.toml b/cluster/prod/app/guichet/secrets.toml
new file mode 100644
index 0000000..d614b27
--- /dev/null
+++ b/cluster/prod/app/guichet/secrets.toml
@@ -0,0 +1,51 @@
+# General configuration
+
+[secrets."directory/guichet/web_hostname"]
+type = 'user'
+description = 'Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com)'
+
+
+# Mailing configuration
+
+[secrets."directory/guichet/smtp_user"]
+type = 'user'
+description = 'SMTP username'
+
+[secrets."directory/guichet/smtp_pass"]
+type = 'user'
+description = 'SMTP password'
+
+[secrets."directory/guichet/smtp_server"]
+type = 'user'
+description = 'SMTP server address (hostname:port)'
+
+[secrets."directory/guichet/mail_from"]
+type = 'user'
+description = 'E-mail address from which to send welcome emails to new users'
+
+[secrets."directory/guichet/mail_domain"]
+type = 'user'
+description = 'E-mail domain for new users (e.g. example.com)'
+
+
+# S3 configuration
+
+[secrets."directory/guichet/s3_endpoint"]
+type = 'user'
+description = 'S3 endpoint URL'
+
+[secrets."directory/guichet/s3_bucket"]
+type = 'user'
+description = 'S3 bucket in which to store data files (such as profile pictures)'
+
+[secrets."directory/guichet/s3_region"]
+type = 'user'
+description = 'S3 region'
+
+[secrets."directory/guichet/s3_access_key"]
+type = 'user'
+description = 'Garage access key for Guichet profile pictures'
+
+[secrets."directory/guichet/s3_secret_key"]
+type = 'user'
+description = 'Garage secret key for Guichet profile pictures'
diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/mail_domain b/cluster/prod/app/guichet/secrets/directory/guichet/mail_domain
deleted file mode 100644
index 5db1ba3..0000000
--- a/cluster/prod/app/guichet/secrets/directory/guichet/mail_domain
+++ /dev/null
@@ -1 +0,0 @@
-USER E-mail domain for new users (e.g. example.com)
diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/mail_from b/cluster/prod/app/guichet/secrets/directory/guichet/mail_from
deleted file mode 100644
index 9075cbf..0000000
--- a/cluster/prod/app/guichet/secrets/directory/guichet/mail_from
+++ /dev/null
@@ -1 +0,0 @@
-USER E-mail address from which to send welcome emails to new users
diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/s3_access_key b/cluster/prod/app/guichet/secrets/directory/guichet/s3_access_key
deleted file mode 100644
index e5b37ff..0000000
--- a/cluster/prod/app/guichet/secrets/directory/guichet/s3_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER Garage access key for Guichet profile pictures
diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/s3_bucket b/cluster/prod/app/guichet/secrets/directory/guichet/s3_bucket
deleted file mode 100644
index cb059cf..0000000
--- a/cluster/prod/app/guichet/secrets/directory/guichet/s3_bucket
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 bucket in which to store data files (such as profile pictures)
diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/s3_endpoint b/cluster/prod/app/guichet/secrets/directory/guichet/s3_endpoint
deleted file mode 100644
index b414269..0000000
--- a/cluster/prod/app/guichet/secrets/directory/guichet/s3_endpoint
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 endpoint URL
diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/s3_region b/cluster/prod/app/guichet/secrets/directory/guichet/s3_region
deleted file mode 100644
index ef16924..0000000
--- a/cluster/prod/app/guichet/secrets/directory/guichet/s3_region
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 region
diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/s3_secret_key b/cluster/prod/app/guichet/secrets/directory/guichet/s3_secret_key
deleted file mode 100644
index f3e7f0f..0000000
--- a/cluster/prod/app/guichet/secrets/directory/guichet/s3_secret_key
+++ /dev/null
@@ -1 +0,0 @@
-USER Garage secret key for Guichet profile pictures
diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/smtp_pass b/cluster/prod/app/guichet/secrets/directory/guichet/smtp_pass
deleted file mode 100644
index fc9d1e3..0000000
--- a/cluster/prod/app/guichet/secrets/directory/guichet/smtp_pass
+++ /dev/null
@@ -1 +0,0 @@
-USER SMTP password
diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/smtp_server b/cluster/prod/app/guichet/secrets/directory/guichet/smtp_server
deleted file mode 100644
index c453935..0000000
--- a/cluster/prod/app/guichet/secrets/directory/guichet/smtp_server
+++ /dev/null
@@ -1 +0,0 @@
-USER SMTP server address (hostname:port)
diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/smtp_user b/cluster/prod/app/guichet/secrets/directory/guichet/smtp_user
deleted file mode 100644
index c9c8bd0..0000000
--- a/cluster/prod/app/guichet/secrets/directory/guichet/smtp_user
+++ /dev/null
@@ -1 +0,0 @@
-USER SMTP username
diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/web_hostname b/cluster/prod/app/guichet/secrets/directory/guichet/web_hostname
deleted file mode 100644
index afe2512..0000000
--- a/cluster/prod/app/guichet/secrets/directory/guichet/web_hostname
+++ /dev/null
@@ -1 +0,0 @@
-USER Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com)
diff --git a/cluster/prod/app/jitsi/secrets.toml b/cluster/prod/app/jitsi/secrets.toml
new file mode 100644
index 0000000..cb6126f
--- /dev/null
+++ b/cluster/prod/app/jitsi/secrets.toml
@@ -0,0 +1,36 @@
+# Jitsi secrets
+
+[secrets."jitsi/jvb_pass"]
+type = 'command'
+rotate = true
+command = 'openssl rand -base64 24'
+
+[secrets."jitsi/jicofo_pass"]
+type = 'command'
+rotate = true
+command = 'openssl rand -base64 24'
+
+
+# SSL: Jitsi
+
+[secrets."jitsi/jitsi.crt"]
+type = 'SSL_CERT'
+name = 'jitsi'
+cert_domains = "['jitsi']"
+
+[secrets."jitsi/jitsi.key"]
+type = 'SSL_KEY'
+name = 'jitsi'
+
+
+# SSL: Jitsi auth
+
+[secrets."jitsi/auth.jitsi.crt"]
+type = 'SSL_CERT'
+name = 'jitsi_auth'
+cert_domains = "['auth.jitsi']"
+
+[secrets."jitsi/auth.jitsi.key"]
+type = 'SSL_KEY'
+name = 'jitsi_auth'
+
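Review bot: `cert_domains = "['jitsi']"` on line 849 (and `"['auth.jitsi']"` on line 861) stores a list as a quoted Python-style string, so the consumer has to re-parse text instead of reading a TOML array; the same pattern appears in matrix/secrets.toml (`cert_domains = "['im.deuxfleurs.fr']"`). If the loader accepts a native array, `cert_domains = ['jitsi']` is the unambiguous form and cannot be broken by a quote or bracket inside a domain name. The `type` values also mix cases (`'command'`, `'user'` versus `'SSL_CERT'`, `'SSL_KEY'`); worth confirming the loader compares these exactly, or normalising to one case across the files.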
diff --git a/cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.crt b/cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.crt
deleted file mode 100644
index f4ab925..0000000
--- a/cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.crt
+++ /dev/null
@@ -1 +0,0 @@
-SSL_CERT jitsi_auth auth.jitsi
diff --git a/cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.key b/cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.key
deleted file mode 100644
index 82e7b6b..0000000
--- a/cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.key
+++ /dev/null
@@ -1 +0,0 @@
-SSL_KEY jitsi_auth auth.jitsi
diff --git a/cluster/prod/app/jitsi/secrets/jitsi/jicofo_pass b/cluster/prod/app/jitsi/secrets/jitsi/jicofo_pass
deleted file mode 100644
index 6a0f5fc..0000000
--- a/cluster/prod/app/jitsi/secrets/jitsi/jicofo_pass
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -base64 24
diff --git a/cluster/prod/app/jitsi/secrets/jitsi/jitsi.crt b/cluster/prod/app/jitsi/secrets/jitsi/jitsi.crt
deleted file mode 100644
index 2eed97c..0000000
--- a/cluster/prod/app/jitsi/secrets/jitsi/jitsi.crt
+++ /dev/null
@@ -1 +0,0 @@
-SSL_CERT jitsi jitsi
diff --git a/cluster/prod/app/jitsi/secrets/jitsi/jitsi.key b/cluster/prod/app/jitsi/secrets/jitsi/jitsi.key
deleted file mode 100644
index af53ca0..0000000
--- a/cluster/prod/app/jitsi/secrets/jitsi/jitsi.key
+++ /dev/null
@@ -1 +0,0 @@
-SSL_KEY jitsi jitsi
diff --git a/cluster/prod/app/jitsi/secrets/jitsi/jvb_pass b/cluster/prod/app/jitsi/secrets/jitsi/jvb_pass
deleted file mode 100644
index 6a0f5fc..0000000
--- a/cluster/prod/app/jitsi/secrets/jitsi/jvb_pass
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -base64 24
diff --git a/cluster/prod/app/matrix/secrets.toml b/cluster/prod/app/matrix/secrets.toml
new file mode 100644
index 0000000..6e4f027
--- /dev/null
+++ b/cluster/prod/app/matrix/secrets.toml
@@ -0,0 +1,92 @@
+[service_users."matrix"]
+description = 'Matrix service user'
+dn_secret = 'chat/synapse/ldap_binddn'
+password_secret = 'chat/synapse/ldap_bindpw'
+
+
+# Postgresql DB
+
+[secrets."chat/synapse/postgres_db"]
+type = 'constant'
+value = 'synapse'
+
+[secrets."chat/synapse/postgres_user"]
+type = 'service_username'
+service = 'matrix'
+
+[secrets."chat/synapse/postgres_pwd"]
+type = 'service_password'
+service = 'matrix'
+
+
+# S3 access
+
+[secrets."chat/synapse/s3_access_key"]
+type = 'user'
+description = 'S3 access key ID for Matrix bucket'
+
+[secrets."chat/synapse/s3_secret_key"]
+type = 'user'
+description = 'S3 secret access key for Matrix bucket'
+
+
+# Keys & stuff
+
+[secrets."chat/synapse/homeserver.tls.dh"]
+type = 'user'
+multiline = true
+description = 'DH parameters for matrix ssl key? how does this work?'
+
+[secrets."chat/synapse/homeserver.tls.crt"]
+type = 'SSL_CERT'
+name = 'synapse'
+cert_domains = "['im.deuxfleurs.fr']"
+
+[secrets."chat/synapse/homeserver.tls.key"]
+type = 'SSL_KEY'
+name = 'synapse'
+
+[secrets."chat/synapse/homeserver.signing.key"]
+type = 'user'
+description = 'Synapse homeserver ed25519 signing key'
+
+[secrets."chat/synapse/registration_shared_secret"]
+type = 'command'
+rotate = true
+command = 'head -c 32 /dev/urandom | base64'
+
+
+# ----------- COTURN -----------
+
+[secrets."chat/coturn/static-auth"]
+type = 'user'
+description = 'coturn static-auth (what is this?)'
+
+[secrets."chat/coturn/static_auth_secret_zinzdev"]
+type = 'user'
+description = "Serveur coturn (TURN/STUN) d'Adrien, c'est un jeton d'identification."
+
+
+# ----------- EASYBRIDGE (we will remove this one day) -----------
+
+[service_users."easybridge"]
+description = 'Easybridge service user'
+password_secret = 'chat/easybridge/db_pass'
+username_secret = 'chat/easybridge/db_user'
+
+
+[secrets."chat/easybridge/as_token"]
+type = 'command'
+rotate = true
+command = 'openssl rand -hex 32'
+
+[secrets."chat/easybridge/web_session_key"]
+type = 'command'
+rotate = true
+command = 'openssl rand -hex 32'
+
+[secrets."chat/easybridge/hs_token"]
+type = 'command'
+rotate = true
+command = 'openssl rand -hex 32'
+
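Review bot: The three `chat/fb2mx/*` secrets removed further down in this commit (`as_token`, `db_url`, `hs_token`) have no counterpart in the new matrix/secrets.toml, so they drop out of the secret inventory silently; if fb2mx is decommissioned a short comment saying so would make that intentional, otherwise they still need entries (the old `db_url` carried embedded credentials, so it should not be lost without a decision). Two descriptions on lines 952 and 977 are open questions (`'DH parameters for matrix ssl key? how does this work?'`, `'coturn static-auth (what is this?)'`) migrated verbatim from the old files; a description is what the operator filling in the secret reads, so resolving them into an actual instruction would help.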
diff --git a/cluster/prod/app/matrix/secrets/chat/coturn/static-auth b/cluster/prod/app/matrix/secrets/chat/coturn/static-auth
deleted file mode 100644
index 43628ef..0000000
--- a/cluster/prod/app/matrix/secrets/chat/coturn/static-auth
+++ /dev/null
@@ -1 +0,0 @@
-USER coturn static-auth (what is this?)
diff --git a/cluster/prod/app/matrix/secrets/chat/coturn/static_auth_secret_zinzdev b/cluster/prod/app/matrix/secrets/chat/coturn/static_auth_secret_zinzdev
deleted file mode 100644
index c61486d..0000000
--- a/cluster/prod/app/matrix/secrets/chat/coturn/static_auth_secret_zinzdev
+++ /dev/null
@@ -1 +0,0 @@
-USER Serveur coturn (TURN/STUN) d'Adrien, c'est un jeton d'identification. \ No newline at end of file
diff --git a/cluster/prod/app/matrix/secrets/chat/easybridge/as_token b/cluster/prod/app/matrix/secrets/chat/easybridge/as_token
deleted file mode 100644
index 5fa4e3c..0000000
--- a/cluster/prod/app/matrix/secrets/chat/easybridge/as_token
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -hex 32
diff --git a/cluster/prod/app/matrix/secrets/chat/easybridge/db_pass b/cluster/prod/app/matrix/secrets/chat/easybridge/db_pass
deleted file mode 100644
index 7e1f94b..0000000
--- a/cluster/prod/app/matrix/secrets/chat/easybridge/db_pass
+++ /dev/null
@@ -1 +0,0 @@
-SERVICE_PASSWORD easybridge
diff --git a/cluster/prod/app/matrix/secrets/chat/easybridge/db_user b/cluster/prod/app/matrix/secrets/chat/easybridge/db_user
deleted file mode 100644
index 436267c..0000000
--- a/cluster/prod/app/matrix/secrets/chat/easybridge/db_user
+++ /dev/null
@@ -1 +0,0 @@
-CONST easybridge
diff --git a/cluster/prod/app/matrix/secrets/chat/easybridge/hs_token b/cluster/prod/app/matrix/secrets/chat/easybridge/hs_token
deleted file mode 100644
index 5fa4e3c..0000000
--- a/cluster/prod/app/matrix/secrets/chat/easybridge/hs_token
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -hex 32
diff --git a/cluster/prod/app/matrix/secrets/chat/easybridge/web_session_key b/cluster/prod/app/matrix/secrets/chat/easybridge/web_session_key
deleted file mode 100644
index 614bed7..0000000
--- a/cluster/prod/app/matrix/secrets/chat/easybridge/web_session_key
+++ /dev/null
@@ -1,2 +0,0 @@
-CMD openssl rand -hex 32
-
diff --git a/cluster/prod/app/matrix/secrets/chat/fb2mx/as_token b/cluster/prod/app/matrix/secrets/chat/fb2mx/as_token
deleted file mode 100644
index 5fa4e3c..0000000
--- a/cluster/prod/app/matrix/secrets/chat/fb2mx/as_token
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -hex 32
diff --git a/cluster/prod/app/matrix/secrets/chat/fb2mx/db_url b/cluster/prod/app/matrix/secrets/chat/fb2mx/db_url
deleted file mode 100644
index f06e265..0000000
--- a/cluster/prod/app/matrix/secrets/chat/fb2mx/db_url
+++ /dev/null
@@ -1 +0,0 @@
-USER fb2mx database URL, format: postgres://username:password@hostname/dbname
diff --git a/cluster/prod/app/matrix/secrets/chat/fb2mx/hs_token b/cluster/prod/app/matrix/secrets/chat/fb2mx/hs_token
deleted file mode 100644
index 5fa4e3c..0000000
--- a/cluster/prod/app/matrix/secrets/chat/fb2mx/hs_token
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -hex 32
diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.signing.key b/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.signing.key
deleted file mode 100644
index 099bd18..0000000
--- a/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.signing.key
+++ /dev/null
@@ -1 +0,0 @@
-USER Synapse homeserver ed25519 signing key
diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.crt b/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.crt
deleted file mode 100644
index b696093..0000000
--- a/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.crt
+++ /dev/null
@@ -1 +0,0 @@
-SSL_CERT synapse im.deuxfleurs.fr
diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.dh b/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.dh
deleted file mode 100644
index 0231fed..0000000
--- a/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.dh
+++ /dev/null
@@ -1 +0,0 @@
-USER_LONG DH parameters for matrix ssl key? how does this work?
diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.key b/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.key
deleted file mode 100644
index feee544..0000000
--- a/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.key
+++ /dev/null
@@ -1 +0,0 @@
-SSL_KEY synapse im.deuxfleurs.fr
diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/ldap_binddn b/cluster/prod/app/matrix/secrets/chat/synapse/ldap_binddn
deleted file mode 100644
index 2631bef..0000000
--- a/cluster/prod/app/matrix/secrets/chat/synapse/ldap_binddn
+++ /dev/null
@@ -1 +0,0 @@
-SERVICE_DN matrix Matrix chat server
diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/ldap_bindpw b/cluster/prod/app/matrix/secrets/chat/synapse/ldap_bindpw
deleted file mode 100644
index ba07446..0000000
--- a/cluster/prod/app/matrix/secrets/chat/synapse/ldap_bindpw
+++ /dev/null
@@ -1 +0,0 @@
-SERVICE_PASSWORD matrix
diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/postgres_db b/cluster/prod/app/matrix/secrets/chat/synapse/postgres_db
deleted file mode 100644
index 74eefa7..0000000
--- a/cluster/prod/app/matrix/secrets/chat/synapse/postgres_db
+++ /dev/null
@@ -1 +0,0 @@
-CONST synapse
diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/postgres_pwd b/cluster/prod/app/matrix/secrets/chat/synapse/postgres_pwd
deleted file mode 100644
index ba07446..0000000
--- a/cluster/prod/app/matrix/secrets/chat/synapse/postgres_pwd
+++ /dev/null
@@ -1 +0,0 @@
-SERVICE_PASSWORD matrix
diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/postgres_user b/cluster/prod/app/matrix/secrets/chat/synapse/postgres_user
deleted file mode 100644
index b08e86a..0000000
--- a/cluster/prod/app/matrix/secrets/chat/synapse/postgres_user
+++ /dev/null
@@ -1 +0,0 @@
-CONST matrix
diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/registration_shared_secret b/cluster/prod/app/matrix/secrets/chat/synapse/registration_shared_secret
deleted file mode 100644
index b82f191..0000000
--- a/cluster/prod/app/matrix/secrets/chat/synapse/registration_shared_secret
+++ /dev/null
@@ -1 +0,0 @@
-CMD head -c 32 /dev/urandom | base64
diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/s3_access_key b/cluster/prod/app/matrix/secrets/chat/synapse/s3_access_key
deleted file mode 100644
index ab09a8e..0000000
--- a/cluster/prod/app/matrix/secrets/chat/synapse/s3_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER matrix
diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/s3_secret_key b/cluster/prod/app/matrix/secrets/chat/synapse/s3_secret_key
deleted file mode 100644
index ab09a8e..0000000
--- a/cluster/prod/app/matrix/secrets/chat/synapse/s3_secret_key
+++ /dev/null
@@ -1 +0,0 @@
-USER matrix
diff --git a/cluster/prod/app/plume/secrets.toml b/cluster/prod/app/plume/secrets.toml
new file mode 100644
index 0000000..a445979
--- /dev/null
+++ b/cluster/prod/app/plume/secrets.toml
@@ -0,0 +1,29 @@
+[service_user."plume"]
+password_secret = "plume/pgsql_pw"
+
+
+[secrets."plume/secret_key"]
+type = 'command'
+rotate = true
+command = 'openssl rand -base64 32'
+
+
+# Plume backup
+
+[secrets."plume/backup_restic_repository"]
+type = 'user'
+description = 'Restic repository'
+example = 's3:https://s3.garage.tld'
+
+[secrets."plume/backup_restic_password"]
+type = 'user'
+description = 'Restic password to encrypt backups'
+
+[secrets."plume/backup_aws_secret_access_key"]
+type = 'user'
+description = 'Backup AWS secret access key'
+
+[secrets."plume/backup_aws_access_key_id"]
+type = 'user'
+description = 'Backup AWS access key ID'
+
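Review bot: `[service_user."plume"]` on line 1168 uses the singular table name, while every other file in this commit declares `[service_users."..."]` (matrix, easybridge, replicator); unless the loader accepts both spellings, the plume service user and its `plume/pgsql_pw` password would be silently skipped. Suggested fix: `[service_users."plume"]`. Minor: the `example = 's3:https://s3.garage.tld'` key on line 1183 is not used by any other secret in this commit, which put examples inside the description text (e.g. `'E-mail domain for new users (e.g. example.com)'`); pick one convention, or confirm that the loader actually knows an `example` key.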
diff --git a/cluster/prod/app/plume/secrets/plume/backup_aws_access_key_id b/cluster/prod/app/plume/secrets/plume/backup_aws_access_key_id
deleted file mode 100644
index 9235e53..0000000
--- a/cluster/prod/app/plume/secrets/plume/backup_aws_access_key_id
+++ /dev/null
@@ -1 +0,0 @@
-USER Backup AWS access key ID
diff --git a/cluster/prod/app/plume/secrets/plume/backup_aws_secret_access_key b/cluster/prod/app/plume/secrets/plume/backup_aws_secret_access_key
deleted file mode 100644
index f34677e..0000000
--- a/cluster/prod/app/plume/secrets/plume/backup_aws_secret_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER Backup AWS secret access key
diff --git a/cluster/prod/app/plume/secrets/plume/backup_restic_password b/cluster/prod/app/plume/secrets/plume/backup_restic_password
deleted file mode 100644
index fbaa5fa..0000000
--- a/cluster/prod/app/plume/secrets/plume/backup_restic_password
+++ /dev/null
@@ -1 +0,0 @@
-USER Restic password to encrypt backups
diff --git a/cluster/prod/app/plume/secrets/plume/backup_restic_repository b/cluster/prod/app/plume/secrets/plume/backup_restic_repository
deleted file mode 100644
index 3f6cb93..0000000
--- a/cluster/prod/app/plume/secrets/plume/backup_restic_repository
+++ /dev/null
@@ -1 +0,0 @@
-USER Restic repository, eg. s3:https://s3.garage.tld
diff --git a/cluster/prod/app/plume/secrets/plume/pgsql_pw b/cluster/prod/app/plume/secrets/plume/pgsql_pw
deleted file mode 100644
index 0f831bb..0000000
--- a/cluster/prod/app/plume/secrets/plume/pgsql_pw
+++ /dev/null
@@ -1 +0,0 @@
-SERVICE_PASSWORD plume
diff --git a/cluster/prod/app/plume/secrets/plume/secret_key b/cluster/prod/app/plume/secrets/plume/secret_key
deleted file mode 100644
index 978be54..0000000
--- a/cluster/prod/app/plume/secrets/plume/secret_key
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -base64 32
diff --git a/cluster/prod/app/postgres/secrets.toml b/cluster/prod/app/postgres/secrets.toml
new file mode 100644
index 0000000..537a72d
--- /dev/null
+++ b/cluster/prod/app/postgres/secrets.toml
@@ -0,0 +1,10 @@
+[service_users."replicator"]
+password_secret = "postgres/keeper/pg_repl_pwd"
+username_secret = "postgres/keeper/pg_repl_username"
+
+
+[secrets."postgres/keeper/pg_su_pwd"]
+type = 'command'
+command = 'openssl rand -base64 15'
+description = 'postgres superuser password'
+
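Review bot: `postgres/keeper/pg_su_pwd` changes from a user-supplied value (old `USER postgres superuser password`) to `type = 'command'` without `rotate = true`, unlike every other `command` secret in this commit; presumably the omission is deliberate so the superuser password of the running cluster is never regenerated out from under it, but nothing in the file says so. A one-line comment above line 1250 such as `# Generated once and never rotated: must stay equal to the password already set in the running cluster` would stop someone "fixing" the missing flag later. Also worth confirming that the loader does not treat the first run of a `command` secret as a reason to overwrite an existing prod value.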
diff --git a/cluster/prod/app/postgres/secrets/postgres/keeper/pg_repl_pwd b/cluster/prod/app/postgres/secrets/postgres/keeper/pg_repl_pwd
deleted file mode 100644
index ae0c229..0000000
--- a/cluster/prod/app/postgres/secrets/postgres/keeper/pg_repl_pwd
+++ /dev/null
@@ -1 +0,0 @@
-SERVICE_PASSWORD replicator
diff --git a/cluster/prod/app/postgres/secrets/postgres/keeper/pg_repl_username b/cluster/prod/app/postgres/secrets/postgres/keeper/pg_repl_username
deleted file mode 100644
index 58e6e46..0000000
--- a/cluster/prod/app/postgres/secrets/postgres/keeper/pg_repl_username
+++ /dev/null
@@ -1 +0,0 @@
-CONST replicator
diff --git a/cluster/prod/app/postgres/secrets/postgres/keeper/pg_su_pwd b/cluster/prod/app/postgres/secrets/postgres/keeper/pg_su_pwd
deleted file mode 100644
index 907e2b8..0000000
--- a/cluster/prod/app/postgres/secrets/postgres/keeper/pg_su_pwd
+++ /dev/null
@@ -1 +0,0 @@
-USER postgres superuser password
diff --git a/cluster/prod/app/secretmgr b/cluster/prod/app/secretmgr
deleted file mode 120000
index 6aff4ad..0000000
--- a/cluster/prod/app/secretmgr
+++ /dev/null
@@ -1 +0,0 @@
-../../../secretmgr/secretmgr \ No newline at end of file
diff --git a/cluster/prod/app/telemetry/secrets.toml b/cluster/prod/app/telemetry/secrets.toml
new file mode 100644
index 0000000..763a14c
--- /dev/null
+++ b/cluster/prod/app/telemetry/secrets.toml
@@ -0,0 +1,16 @@
+[secrets."telemetry/grafana/admin_password"]
+type = 'command'
+rotate = true
+command = 'openssl rand -base64 12'
+
+
+# S3 database storage access
+
+[secrets."telemetry/grafana/s3_access_key"]
+type = 'user'
+description = 'S3 access key for grafana db'
+
+[secrets."telemetry/grafana/s3_secret_key"]
+type = 'user'
+description = 'S3 secret key for grafana db'
+
diff --git a/cluster/prod/app/telemetry/secrets/telemetry/grafana/admin_password b/cluster/prod/app/telemetry/secrets/telemetry/grafana/admin_password
deleted file mode 100644
index 2f36e97..0000000
--- a/cluster/prod/app/telemetry/secrets/telemetry/grafana/admin_password
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -base64 12
diff --git a/cluster/prod/app/telemetry/secrets/telemetry/grafana/s3_access_key b/cluster/prod/app/telemetry/secrets/telemetry/grafana/s3_access_key
deleted file mode 100644
index c7e41a4..0000000
--- a/cluster/prod/app/telemetry/secrets/telemetry/grafana/s3_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 access key for grafana db
diff --git a/cluster/prod/app/telemetry/secrets/telemetry/grafana/s3_secret_key b/cluster/prod/app/telemetry/secrets/telemetry/grafana/s3_secret_key
deleted file mode 100644
index 051f41a..0000000
--- a/cluster/prod/app/telemetry/secrets/telemetry/grafana/s3_secret_key
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 secret key for grafana db
diff --git a/cluster/prod/secretmgr.toml b/cluster/prod/secretmgr.toml
new file mode 100644
index 0000000..88058e5
--- /dev/null
+++ b/cluster/prod/secretmgr.toml
@@ -0,0 +1,9 @@
+[ldap]
+server = "ldap://localhost:1389"
+service_dn_suffix = "ou=services,ou=users,dc=deuxfleurs,dc=fr"
+admin_dn = "cn=admin,dc=deuxfleurs,dc=org"
+
+
+[user_values]
+"directory/ldap_base_dn" = "dc=deuxfleurs,dc=fr"
+"directory/guichet/web_hostname" = "guichet.deuxfleurs.fr"
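Review bot: `admin_dn = "cn=admin,dc=deuxfleurs,dc=org"` on line 1335 uses `dc=org`, while `service_dn_suffix` on the line above and `"directory/ldap_base_dn"` on line 1339 both use `dc=deuxfleurs,dc=fr`; if this is a typo, every admin bind will fail (or bind against a different naming context), so it should read `admin_dn = "cn=admin,dc=deuxfleurs,dc=fr"` unless a `dc=org` tree genuinely exists on this server. The `server = "ldap://localhost:1389"` entry is plain LDAP; that is acceptable for a loopback listener, but a comment stating that the tool is expected to run with a local or tunnelled directory port would make the no-TLS choice visibly deliberate.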