authorAlex Auvolat <alex@adnab.me>2022-12-25 22:31:18 +0100
committerAlex Auvolat <alex@adnab.me>2022-12-25 22:31:18 +0100
commit87bb031ed00b7993a29d74aee2e89875c5444caf (patch)
tree80ebbf8c3870b3dfa756905fa55af938b503e283 /cluster/prod/app/backup
parent6d6e48c8fa7f4f38a5b812389d269c025a977790 (diff)
Migrate prod cluster secrets to new format
Diffstat (limited to 'cluster/prod/app/backup')
-rw-r--r--cluster/prod/app/backup/secrets.toml90
-rw-r--r--cluster/prod/app/backup/secrets/backup/consul/backup_aws_access_key_id1
-rw-r--r--cluster/prod/app/backup/secrets/backup/consul/backup_aws_secret_access_key1
-rw-r--r--cluster/prod/app/backup/secrets/backup/consul/backup_restic_password1
-rw-r--r--cluster/prod/app/backup/secrets/backup/consul/backup_restic_repository1
-rw-r--r--cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_access_key_id1
-rw-r--r--cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_secret_access_key1
-rw-r--r--cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_password1
-rw-r--r--cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_repository1
-rw-r--r--cluster/prod/app/backup/secrets/backup/id_ed255191
-rw-r--r--cluster/prod/app/backup/secrets/backup/id_ed25519.pub1
-rw-r--r--cluster/prod/app/backup/secrets/backup/psql/aws_access_key_id1
-rw-r--r--cluster/prod/app/backup/secrets/backup/psql/aws_secret_access_key1
-rw-r--r--cluster/prod/app/backup/secrets/backup/psql/crypt_private_key1
-rw-r--r--cluster/prod/app/backup/secrets/backup/psql/crypt_public_key1
-rw-r--r--cluster/prod/app/backup/secrets/backup/target_ssh_dir1
-rw-r--r--cluster/prod/app/backup/secrets/backup/target_ssh_fingerprint1
-rw-r--r--cluster/prod/app/backup/secrets/backup/target_ssh_host1
-rw-r--r--cluster/prod/app/backup/secrets/backup/target_ssh_port1
-rw-r--r--cluster/prod/app/backup/secrets/backup/target_ssh_user1
20 files changed, 90 insertions, 19 deletions
diff --git a/cluster/prod/app/backup/secrets.toml b/cluster/prod/app/backup/secrets.toml
new file mode 100644
index 0000000..5d2b851
--- /dev/null
+++ b/cluster/prod/app/backup/secrets.toml
@@ -0,0 +1,90 @@
+# Cryptpad backup
+
+[secrets."backup/cryptpad/backup_restic_password"]
+type = 'user'
+description = 'Restic password to encrypt backups'
+
+[secrets."backup/cryptpad/backup_aws_secret_access_key"]
+type = 'user'
+description = 'Backup AWS secret access key'
+
+[secrets."backup/cryptpad/backup_restic_repository"]
+type = 'user'
+description = 'Restic repository'
+example = 's3:https://s3.garage.tld'
+
+[secrets."backup/cryptpad/backup_aws_access_key_id"]
+type = 'user'
+description = 'Backup AWS access key ID'
+
+
+# Consul backup
+
+[secrets."backup/consul/backup_restic_password"]
+type = 'user'
+description = 'Restic password to encrypt backups'
+
+[secrets."backup/consul/backup_aws_secret_access_key"]
+type = 'user'
+description = 'Backup AWS secret access key'
+
+[secrets."backup/consul/backup_restic_repository"]
+type = 'user'
+description = 'Restic repository'
+example = 's3:https://s3.garage.tld'
+
+[secrets."backup/consul/backup_aws_access_key_id"]
+type = 'user'
+description = 'Backup AWS access key ID'
+
+
+# Postgresql backup
+
+[secrets."backup/psql/aws_secret_access_key"]
+type = 'user'
+description = 'Minio secret key'
+
+[secrets."backup/psql/aws_access_key_id"]
+type = 'user'
+description = 'Minio access key'
+
+[secrets."backup/psql/crypt_public_key"]
+type = 'user'
+description = 'A public key to encypt backups with age'
+
+[secrets."backup/psql/crypt_private_key"]
+type = 'user'
+description = 'a private key to decript backups from age'
+
+
+# SSH target config (do we still use this?)
+
+[secrets."backup/target_ssh_host"]
+type = 'user'
+description = 'Hostname of the backup target host'
+
+[secrets."backup/target_ssh_port"]
+type = 'user'
+description = 'SSH port number to connect to the target host'
+
+[secrets."backup/target_ssh_dir"]
+type = 'user'
+description = 'Directory where to store backups on target host'
+
+[secrets."backup/target_ssh_user"]
+type = 'user'
+description = 'SSH username to log in as on the target host'
+
+[secrets."backup/target_ssh_fingerprint"]
+type = 'user'
+description = 'SSH fingerprint of the target machine (format: copy here the corresponding line from your known_hosts file)'
+
+[secrets."backup/id_ed25519"]
+type = 'user'
+multiline = true
+description = 'Private ed25519 key of the container doing the backup'
+
+[secrets."backup/id_ed25519.pub"]
+type = 'user'
+description = 'Public ed25519 key of the container doing the backup (this key must be in authorized_keys on the backup target host)'
+
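Review bot: `[secrets."backup/psql/crypt_private_key"]` declares the age decryption key in the same secret namespace as the credentials the backup job consumes, although encrypting with age needs only `crypt_public_key`; if the job or the nodes running it can read this entry (not visible from this hunk), a compromise of the backup container would also expose the contents of every existing dump. Consider keeping the private key out of the cluster store, or at least recording the intent in the prompt, e.g. `description = 'Private key to decrypt age-encrypted backups (needed for restore only)'` if that is indeed the case; this also fixes the "decript" typo, and "encypt" in `crypt_public_key` wants the same correction. The open question in `# SSH target config (do we still use this?)` is worth settling as well: if the SSH target is no longer used, `backup/id_ed25519` and its `.pub` entry should be dropped and the key removed from the target's authorized_keys rather than carried into the new format as a standing credential.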
diff --git a/cluster/prod/app/backup/secrets/backup/consul/backup_aws_access_key_id b/cluster/prod/app/backup/secrets/backup/consul/backup_aws_access_key_id
deleted file mode 100644
index 9235e53..0000000
--- a/cluster/prod/app/backup/secrets/backup/consul/backup_aws_access_key_id
+++ /dev/null
@@ -1 +0,0 @@
-USER Backup AWS access key ID
diff --git a/cluster/prod/app/backup/secrets/backup/consul/backup_aws_secret_access_key b/cluster/prod/app/backup/secrets/backup/consul/backup_aws_secret_access_key
deleted file mode 100644
index f34677e..0000000
--- a/cluster/prod/app/backup/secrets/backup/consul/backup_aws_secret_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER Backup AWS secret access key
diff --git a/cluster/prod/app/backup/secrets/backup/consul/backup_restic_password b/cluster/prod/app/backup/secrets/backup/consul/backup_restic_password
deleted file mode 100644
index fbaa5fa..0000000
--- a/cluster/prod/app/backup/secrets/backup/consul/backup_restic_password
+++ /dev/null
@@ -1 +0,0 @@
-USER Restic password to encrypt backups
diff --git a/cluster/prod/app/backup/secrets/backup/consul/backup_restic_repository b/cluster/prod/app/backup/secrets/backup/consul/backup_restic_repository
deleted file mode 100644
index 3f6cb93..0000000
--- a/cluster/prod/app/backup/secrets/backup/consul/backup_restic_repository
+++ /dev/null
@@ -1 +0,0 @@
-USER Restic repository, eg. s3:https://s3.garage.tld
diff --git a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_access_key_id b/cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_access_key_id
deleted file mode 100644
index 9235e53..0000000
--- a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_access_key_id
+++ /dev/null
@@ -1 +0,0 @@
-USER Backup AWS access key ID
diff --git a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_secret_access_key b/cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_secret_access_key
deleted file mode 100644
index f34677e..0000000
--- a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_secret_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER Backup AWS secret access key
diff --git a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_password b/cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_password
deleted file mode 100644
index fbaa5fa..0000000
--- a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_password
+++ /dev/null
@@ -1 +0,0 @@
-USER Restic password to encrypt backups
diff --git a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_repository b/cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_repository
deleted file mode 100644
index 3f6cb93..0000000
--- a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_repository
+++ /dev/null
@@ -1 +0,0 @@
-USER Restic repository, eg. s3:https://s3.garage.tld
diff --git a/cluster/prod/app/backup/secrets/backup/id_ed25519 b/cluster/prod/app/backup/secrets/backup/id_ed25519
deleted file mode 100644
index 9d7fd46..0000000
--- a/cluster/prod/app/backup/secrets/backup/id_ed25519
+++ /dev/null
@@ -1 +0,0 @@
-USER_LONG Private ed25519 key of the container doing the backup
diff --git a/cluster/prod/app/backup/secrets/backup/id_ed25519.pub b/cluster/prod/app/backup/secrets/backup/id_ed25519.pub
deleted file mode 100644
index 0a2ab35..0000000
--- a/cluster/prod/app/backup/secrets/backup/id_ed25519.pub
+++ /dev/null
@@ -1 +0,0 @@
-USER Public ed25519 key of the container doing the backup (this key must be in authorized_keys on the backup target host)
diff --git a/cluster/prod/app/backup/secrets/backup/psql/aws_access_key_id b/cluster/prod/app/backup/secrets/backup/psql/aws_access_key_id
deleted file mode 100644
index 82375d7..0000000
--- a/cluster/prod/app/backup/secrets/backup/psql/aws_access_key_id
+++ /dev/null
@@ -1 +0,0 @@
-USER Minio access key
diff --git a/cluster/prod/app/backup/secrets/backup/psql/aws_secret_access_key b/cluster/prod/app/backup/secrets/backup/psql/aws_secret_access_key
deleted file mode 100644
index de5090c..0000000
--- a/cluster/prod/app/backup/secrets/backup/psql/aws_secret_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER Minio secret key
diff --git a/cluster/prod/app/backup/secrets/backup/psql/crypt_private_key b/cluster/prod/app/backup/secrets/backup/psql/crypt_private_key
deleted file mode 100644
index 4abece9..0000000
--- a/cluster/prod/app/backup/secrets/backup/psql/crypt_private_key
+++ /dev/null
@@ -1 +0,0 @@
-USER a private key to decript backups from age
diff --git a/cluster/prod/app/backup/secrets/backup/psql/crypt_public_key b/cluster/prod/app/backup/secrets/backup/psql/crypt_public_key
deleted file mode 100644
index 156ad47..0000000
--- a/cluster/prod/app/backup/secrets/backup/psql/crypt_public_key
+++ /dev/null
@@ -1 +0,0 @@
-USER A public key to encypt backups with age
diff --git a/cluster/prod/app/backup/secrets/backup/target_ssh_dir b/cluster/prod/app/backup/secrets/backup/target_ssh_dir
deleted file mode 100644
index 3b2a4da..0000000
--- a/cluster/prod/app/backup/secrets/backup/target_ssh_dir
+++ /dev/null
@@ -1 +0,0 @@
-USER Directory where to store backups on target host
diff --git a/cluster/prod/app/backup/secrets/backup/target_ssh_fingerprint b/cluster/prod/app/backup/secrets/backup/target_ssh_fingerprint
deleted file mode 100644
index 608f3ec..0000000
--- a/cluster/prod/app/backup/secrets/backup/target_ssh_fingerprint
+++ /dev/null
@@ -1 +0,0 @@
-USER SSH fingerprint of the target machine (format: copy here the corresponding line from your known_hosts file)
diff --git a/cluster/prod/app/backup/secrets/backup/target_ssh_host b/cluster/prod/app/backup/secrets/backup/target_ssh_host
deleted file mode 100644
index 6268f87..0000000
--- a/cluster/prod/app/backup/secrets/backup/target_ssh_host
+++ /dev/null
@@ -1 +0,0 @@
-USER Hostname of the backup target host
diff --git a/cluster/prod/app/backup/secrets/backup/target_ssh_port b/cluster/prod/app/backup/secrets/backup/target_ssh_port
deleted file mode 100644
index 309dd38..0000000
--- a/cluster/prod/app/backup/secrets/backup/target_ssh_port
+++ /dev/null
@@ -1 +0,0 @@
-USER SSH port number to connect to the target host
diff --git a/cluster/prod/app/backup/secrets/backup/target_ssh_user b/cluster/prod/app/backup/secrets/backup/target_ssh_user
deleted file mode 100644
index 98b3046..0000000
--- a/cluster/prod/app/backup/secrets/backup/target_ssh_user
+++ /dev/null
@@ -1 +0,0 @@
-USER SSH username to log in as on the target host