aboutsummaryrefslogtreecommitdiff
path: root/cluster/prod/app
diff options
context:
space:
mode:
authorAlex Auvolat <alex@adnab.me>2022-12-25 22:45:05 +0100
committerAlex Auvolat <alex@adnab.me>2022-12-25 22:45:05 +0100
commit8cee3b0043eda68d982e5359a0d009c83cbb85c4 (patch)
tree18cfe4a2988f22fd4884b7f79136778cc1e44e7b /cluster/prod/app
parent87bb031ed00b7993a29d74aee2e89875c5444caf (diff)
downloadnixcfg-8cee3b0043eda68d982e5359a0d009c83cbb85c4.tar.gz
nixcfg-8cee3b0043eda68d982e5359a0d009c83cbb85c4.zip
Update prod secret files
Diffstat (limited to 'cluster/prod/app')
-rw-r--r--cluster/prod/app/backup/secrets.toml52
-rw-r--r--cluster/prod/app/email/secrets.toml16
-rw-r--r--cluster/prod/app/matrix/secrets.toml71
-rw-r--r--cluster/prod/app/plume/secrets.toml19
4 files changed, 64 insertions, 94 deletions
diff --git a/cluster/prod/app/backup/secrets.toml b/cluster/prod/app/backup/secrets.toml
index 5d2b851..91794ae 100644
--- a/cluster/prod/app/backup/secrets.toml
+++ b/cluster/prod/app/backup/secrets.toml
@@ -40,51 +40,53 @@ description = 'Backup AWS access key ID'
# Postgresql backup
-[secrets."backup/psql/aws_secret_access_key"]
-type = 'user'
-description = 'Minio secret key'
-
-[secrets."backup/psql/aws_access_key_id"]
+[secrets."postgres/backup/aws_access_key_id"]
type = 'user'
description = 'Minio access key'
-[secrets."backup/psql/crypt_public_key"]
+[secrets."postgres/backup/aws_secret_access_key"]
type = 'user'
-description = 'A public key to encypt backups with age'
+description = 'Minio secret key'
-[secrets."backup/psql/crypt_private_key"]
+[secrets."postgres/backup/crypt_public_key"]
type = 'user'
-description = 'a private key to decript backups from age'
+description = 'A public key to encypt backups with age'
-# SSH target config (do we still use this?)
+# Plume backup
-[secrets."backup/target_ssh_host"]
+[secrets."plume/backup_restic_repository"]
type = 'user'
-description = 'Hostname of the backup target host'
+description = 'Restic repository'
+example = 's3:https://s3.garage.tld'
-[secrets."backup/target_ssh_port"]
+[secrets."plume/backup_restic_password"]
type = 'user'
-description = 'SSH port number to connect to the target host'
+description = 'Restic password to encrypt backups'
-[secrets."backup/target_ssh_dir"]
+[secrets."plume/backup_aws_secret_access_key"]
type = 'user'
-description = 'Directory where to store backups on target host'
+description = 'Backup AWS secret access key'
-[secrets."backup/target_ssh_user"]
+[secrets."plume/backup_aws_access_key_id"]
type = 'user'
-description = 'SSH username to log in as on the target host'
+description = 'Backup AWS access key ID'
-[secrets."backup/target_ssh_fingerprint"]
+
+# Dovecot backup
+
+[secrets."email/dovecot/backup_restic_password"]
type = 'user'
-description = 'SSH fingerprint of the target machine (format: copy here the corresponding line from your known_hosts file)'
+description = 'Restic backup password to encrypt data'
-[secrets."backup/id_ed25519"]
+[secrets."email/dovecot/backup_aws_secret_access_key"]
type = 'user'
-multiline = true
-description = 'Private ed25519 key of the container doing the backup'
+description = 'AWS Secret Access key'
-[secrets."backup/id_ed25519.pub"]
+[secrets."email/dovecot/backup_restic_repository"]
type = 'user'
-description = 'Public ed25519 key of the container doing the backup (this key must be in authorized_keys on the backup target host)'
+description = 'Restic Repository URL, check op_guide/backup-minio to see the format'
+[secrets."email/dovecot/backup_aws_access_key_id"]
+type = 'user'
+description = 'AWS Acces Key ID'
diff --git a/cluster/prod/app/email/secrets.toml b/cluster/prod/app/email/secrets.toml
index 4efee49..95df626 100644
--- a/cluster/prod/app/email/secrets.toml
+++ b/cluster/prod/app/email/secrets.toml
@@ -30,22 +30,6 @@ name = 'dovecot'
cert_domains = "['deuxfleurs.fr']"
-[secrets."email/dovecot/backup_restic_password"]
-type = 'user'
-description = 'Restic backup password to encrypt data'
-
-[secrets."email/dovecot/backup_aws_secret_access_key"]
-type = 'user'
-description = 'AWS Secret Access key'
-
-[secrets."email/dovecot/backup_restic_repository"]
-type = 'user'
-description = 'Restic Repository URL, check op_guide/backup-minio to see the format'
-
-[secrets."email/dovecot/backup_aws_access_key_id"]
-type = 'user'
-description = 'AWS Acces Key ID'
-
# ---- SOGO ----
[service_users."sogo"]
diff --git a/cluster/prod/app/matrix/secrets.toml b/cluster/prod/app/matrix/secrets.toml
index 6e4f027..98b2ddb 100644
--- a/cluster/prod/app/matrix/secrets.toml
+++ b/cluster/prod/app/matrix/secrets.toml
@@ -7,8 +7,9 @@ password_secret = 'chat/synapse/ldap_bindpw'
# Postgresql DB
[secrets."chat/synapse/postgres_db"]
-type = 'constant'
-value = 'synapse'
+type = 'user'
+description = 'Synapse PostgrSQL database name'
+example = 'synapse'
[secrets."chat/synapse/postgres_user"]
type = 'service_username'
@@ -56,37 +57,39 @@ rotate = true
command = 'head -c 32 /dev/urandom | base64'
-# ----------- COTURN -----------
-
-[secrets."chat/coturn/static-auth"]
-type = 'user'
-description = 'coturn static-auth (what is this?)'
-
-[secrets."chat/coturn/static_auth_secret_zinzdev"]
-type = 'user'
-description = "Serveur coturn (TURN/STUN) d'Adrien, c'est un jeton d'identification."
-
-
-# ----------- EASYBRIDGE (we will remove this one day) -----------
-
-[service_users."easybridge"]
-description = 'Easybridge service user'
-password_secret = 'chat/easybridge/db_pass'
-username_secret = 'chat/easybridge/db_user'
-
+# ===== OLD STUFF, KEPT FOR REFERENCE ====
-[secrets."chat/easybridge/as_token"]
-type = 'command'
-rotate = true
-command = 'openssl rand -hex 32'
-
-[secrets."chat/easybridge/web_session_key"]
-type = 'command'
-rotate = true
-command = 'openssl rand -hex 32'
-
-[secrets."chat/easybridge/hs_token"]
-type = 'command'
-rotate = true
-command = 'openssl rand -hex 32'
+# ----------- COTURN -----------
+# [secrets."chat/coturn/static-auth"]
+# type = 'user'
+# description = 'coturn static-auth (what is this?)'
+#
+# [secrets."chat/coturn/static_auth_secret_zinzdev"]
+# type = 'user'
+# description = "Serveur coturn (TURN/STUN) d'Adrien, c'est un jeton d'identification."
+
+
+# ----------- EASYBRIDGE -----------
+
+# [service_users."easybridge"]
+# description = 'Easybridge service user'
+# password_secret = 'chat/easybridge/db_pass'
+# username_secret = 'chat/easybridge/db_user'
+#
+#
+# [secrets."chat/easybridge/as_token"]
+# type = 'command'
+# rotate = true
+# command = 'openssl rand -hex 32'
+#
+# [secrets."chat/easybridge/web_session_key"]
+# type = 'command'
+# rotate = true
+# command = 'openssl rand -hex 32'
+#
+# [secrets."chat/easybridge/hs_token"]
+# type = 'command'
+# rotate = true
+# command = 'openssl rand -hex 32'
+#
diff --git a/cluster/prod/app/plume/secrets.toml b/cluster/prod/app/plume/secrets.toml
index a445979..4d68a5c 100644
--- a/cluster/prod/app/plume/secrets.toml
+++ b/cluster/prod/app/plume/secrets.toml
@@ -8,22 +8,3 @@ rotate = true
command = 'openssl rand -base64 32'
-# Plume backup
-
-[secrets."plume/backup_restic_repository"]
-type = 'user'
-description = 'Restic repository'
-example = 's3:https://s3.garage.tld'
-
-[secrets."plume/backup_restic_password"]
-type = 'user'
-description = 'Restic password to encrypt backups'
-
-[secrets."plume/backup_aws_secret_access_key"]
-type = 'user'
-description = 'Backup AWS secret access key'
-
-[secrets."plume/backup_aws_access_key_id"]
-type = 'user'
-description = 'Backup AWS access key ID'
-