diff options
author | Alex <alex@adnab.me> | 2023-01-01 18:47:34 +0000 |
---|---|---|
committer | Alex <alex@adnab.me> | 2023-01-01 18:47:34 +0000 |
commit | 3847c081817d93e75ec9ef8d53d2961e13df74c3 (patch) | |
tree | bd820bfda887f355fe1e56f8a1418c9353c59eb2 /cluster/prod | |
parent | ad6db2f1c502898e92fe377510dcf58b2d5ce6c9 (diff) | |
parent | 0d8c6a2d45c7b6bbb86f2d4268423578f0995894 (diff) | |
download | nixcfg-3847c081817d93e75ec9ef8d53d2961e13df74c3.tar.gz nixcfg-3847c081817d93e75ec9ef8d53d2961e13df74c3.zip |
Merge pull request 'updated version of secretmgr' (#5) from new-secretmgr into main
Reviewed-on: https://git.deuxfleurs.fr/Deuxfleurs/nixcfg/pulls/5
Diffstat (limited to 'cluster/prod')
115 files changed, 405 insertions, 160 deletions
diff --git a/cluster/prod/app/backup/secrets.toml b/cluster/prod/app/backup/secrets.toml new file mode 100644 index 0000000..91794ae --- /dev/null +++ b/cluster/prod/app/backup/secrets.toml @@ -0,0 +1,92 @@ +# Cryptpad backup + +[secrets."backup/cryptpad/backup_restic_password"] +type = 'user' +description = 'Restic password to encrypt backups' + +[secrets."backup/cryptpad/backup_aws_secret_access_key"] +type = 'user' +description = 'Backup AWS secret access key' + +[secrets."backup/cryptpad/backup_restic_repository"] +type = 'user' +description = 'Restic repository' +example = 's3:https://s3.garage.tld' + +[secrets."backup/cryptpad/backup_aws_access_key_id"] +type = 'user' +description = 'Backup AWS access key ID' + + +# Consul backup + +[secrets."backup/consul/backup_restic_password"] +type = 'user' +description = 'Restic password to encrypt backups' + +[secrets."backup/consul/backup_aws_secret_access_key"] +type = 'user' +description = 'Backup AWS secret access key' + +[secrets."backup/consul/backup_restic_repository"] +type = 'user' +description = 'Restic repository' +example = 's3:https://s3.garage.tld' + +[secrets."backup/consul/backup_aws_access_key_id"] +type = 'user' +description = 'Backup AWS access key ID' + + +# Postgresql backup + +[secrets."postgres/backup/aws_access_key_id"] +type = 'user' +description = 'Minio access key' + +[secrets."postgres/backup/aws_secret_access_key"] +type = 'user' +description = 'Minio secret key' + +[secrets."postgres/backup/crypt_public_key"] +type = 'user' +description = 'A public key to encypt backups with age' + + +# Plume backup + +[secrets."plume/backup_restic_repository"] +type = 'user' +description = 'Restic repository' +example = 's3:https://s3.garage.tld' + +[secrets."plume/backup_restic_password"] +type = 'user' +description = 'Restic password to encrypt backups' + +[secrets."plume/backup_aws_secret_access_key"] +type = 'user' +description = 'Backup AWS secret access key' + +[secrets."plume/backup_aws_access_key_id"] +type = 'user' +description = 'Backup AWS access key ID' + + +# Dovecot backup + +[secrets."email/dovecot/backup_restic_password"] +type = 'user' +description = 'Restic backup password to encrypt data' + +[secrets."email/dovecot/backup_aws_secret_access_key"] +type = 'user' +description = 'AWS Secret Access key' + +[secrets."email/dovecot/backup_restic_repository"] +type = 'user' +description = 'Restic Repository URL, check op_guide/backup-minio to see the format' + +[secrets."email/dovecot/backup_aws_access_key_id"] +type = 'user' +description = 'AWS Acces Key ID' diff --git a/cluster/prod/app/backup/secrets/backup/consul/backup_aws_access_key_id b/cluster/prod/app/backup/secrets/backup/consul/backup_aws_access_key_id deleted file mode 100644 index 9235e53..0000000 --- a/cluster/prod/app/backup/secrets/backup/consul/backup_aws_access_key_id +++ /dev/null @@ -1 +0,0 @@ -USER Backup AWS access key ID diff --git a/cluster/prod/app/backup/secrets/backup/consul/backup_aws_secret_access_key b/cluster/prod/app/backup/secrets/backup/consul/backup_aws_secret_access_key deleted file mode 100644 index f34677e..0000000 --- a/cluster/prod/app/backup/secrets/backup/consul/backup_aws_secret_access_key +++ /dev/null @@ -1 +0,0 @@ -USER Backup AWS secret access key diff --git a/cluster/prod/app/backup/secrets/backup/consul/backup_restic_password b/cluster/prod/app/backup/secrets/backup/consul/backup_restic_password deleted file mode 100644 index fbaa5fa..0000000 --- a/cluster/prod/app/backup/secrets/backup/consul/backup_restic_password +++ /dev/null @@ -1 +0,0 @@ -USER Restic password to encrypt backups diff --git a/cluster/prod/app/backup/secrets/backup/consul/backup_restic_repository b/cluster/prod/app/backup/secrets/backup/consul/backup_restic_repository deleted file mode 100644 index 3f6cb93..0000000 --- a/cluster/prod/app/backup/secrets/backup/consul/backup_restic_repository +++ /dev/null @@ -1 +0,0 @@ -USER Restic repository, eg. s3:https://s3.garage.tld diff --git a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_access_key_id b/cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_access_key_id deleted file mode 100644 index 9235e53..0000000 --- a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_access_key_id +++ /dev/null @@ -1 +0,0 @@ -USER Backup AWS access key ID diff --git a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_secret_access_key b/cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_secret_access_key deleted file mode 100644 index f34677e..0000000 --- a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_secret_access_key +++ /dev/null @@ -1 +0,0 @@ -USER Backup AWS secret access key diff --git a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_password b/cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_password deleted file mode 100644 index fbaa5fa..0000000 --- a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_password +++ /dev/null @@ -1 +0,0 @@ -USER Restic password to encrypt backups diff --git a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_repository b/cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_repository deleted file mode 100644 index 3f6cb93..0000000 --- a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_repository +++ /dev/null @@ -1 +0,0 @@ -USER Restic repository, eg. s3:https://s3.garage.tld diff --git a/cluster/prod/app/backup/secrets/backup/id_ed25519 b/cluster/prod/app/backup/secrets/backup/id_ed25519 deleted file mode 100644 index 9d7fd46..0000000 --- a/cluster/prod/app/backup/secrets/backup/id_ed25519 +++ /dev/null @@ -1 +0,0 @@ -USER_LONG Private ed25519 key of the container doing the backup diff --git a/cluster/prod/app/backup/secrets/backup/id_ed25519.pub b/cluster/prod/app/backup/secrets/backup/id_ed25519.pub deleted file mode 100644 index 0a2ab35..0000000 --- a/cluster/prod/app/backup/secrets/backup/id_ed25519.pub +++ /dev/null @@ -1 +0,0 @@ -USER Public ed25519 key of the container doing the backup (this key must be in authorized_keys on the backup target host) diff --git a/cluster/prod/app/backup/secrets/backup/psql/aws_access_key_id b/cluster/prod/app/backup/secrets/backup/psql/aws_access_key_id deleted file mode 100644 index 82375d7..0000000 --- a/cluster/prod/app/backup/secrets/backup/psql/aws_access_key_id +++ /dev/null @@ -1 +0,0 @@ -USER Minio access key diff --git a/cluster/prod/app/backup/secrets/backup/psql/aws_secret_access_key b/cluster/prod/app/backup/secrets/backup/psql/aws_secret_access_key deleted file mode 100644 index de5090c..0000000 --- a/cluster/prod/app/backup/secrets/backup/psql/aws_secret_access_key +++ /dev/null @@ -1 +0,0 @@ -USER Minio secret key diff --git a/cluster/prod/app/backup/secrets/backup/psql/crypt_private_key b/cluster/prod/app/backup/secrets/backup/psql/crypt_private_key deleted file mode 100644 index 4abece9..0000000 --- a/cluster/prod/app/backup/secrets/backup/psql/crypt_private_key +++ /dev/null @@ -1 +0,0 @@ -USER a private key to decript backups from age diff --git a/cluster/prod/app/backup/secrets/backup/psql/crypt_public_key b/cluster/prod/app/backup/secrets/backup/psql/crypt_public_key deleted file mode 100644 index 156ad47..0000000 --- a/cluster/prod/app/backup/secrets/backup/psql/crypt_public_key +++ /dev/null @@ -1 +0,0 @@ -USER A public key to encypt backups with age diff --git a/cluster/prod/app/backup/secrets/backup/target_ssh_dir b/cluster/prod/app/backup/secrets/backup/target_ssh_dir deleted file mode 100644 index 3b2a4da..0000000 --- a/cluster/prod/app/backup/secrets/backup/target_ssh_dir +++ /dev/null @@ -1 +0,0 @@ -USER Directory where to store backups on target host diff --git a/cluster/prod/app/backup/secrets/backup/target_ssh_fingerprint b/cluster/prod/app/backup/secrets/backup/target_ssh_fingerprint deleted file mode 100644 index 608f3ec..0000000 --- a/cluster/prod/app/backup/secrets/backup/target_ssh_fingerprint +++ /dev/null @@ -1 +0,0 @@ -USER SSH fingerprint of the target machine (format: copy here the corresponding line from your known_hosts file) diff --git a/cluster/prod/app/backup/secrets/backup/target_ssh_host b/cluster/prod/app/backup/secrets/backup/target_ssh_host deleted file mode 100644 index 6268f87..0000000 --- a/cluster/prod/app/backup/secrets/backup/target_ssh_host +++ /dev/null @@ -1 +0,0 @@ -USER Hostname of the backup target host diff --git a/cluster/prod/app/backup/secrets/backup/target_ssh_port b/cluster/prod/app/backup/secrets/backup/target_ssh_port deleted file mode 100644 index 309dd38..0000000 --- a/cluster/prod/app/backup/secrets/backup/target_ssh_port +++ /dev/null @@ -1 +0,0 @@ -USER SSH port number to connect to the target host diff --git a/cluster/prod/app/backup/secrets/backup/target_ssh_user b/cluster/prod/app/backup/secrets/backup/target_ssh_user deleted file mode 100644 index 98b3046..0000000 --- a/cluster/prod/app/backup/secrets/backup/target_ssh_user +++ /dev/null @@ -1 +0,0 @@ -USER SSH username to log in as on the target host diff --git a/cluster/prod/app/core/secrets.toml b/cluster/prod/app/core/secrets.toml new file mode 100644 index 0000000..736c9dd --- /dev/null +++ b/cluster/prod/app/core/secrets.toml @@ -0,0 +1,5 @@ +[secrets."directory/ldap_base_dn"] +type = 'user' +description = 'LDAP base DN for everything' +example = 'dc=example,dc=com' + diff --git a/cluster/prod/app/core/secrets/directory/ldap_base_dn b/cluster/prod/app/core/secrets/directory/ldap_base_dn deleted file mode 100644 index ea5c7ae..0000000 --- a/cluster/prod/app/core/secrets/directory/ldap_base_dn +++ /dev/null @@ -1 +0,0 @@ -USER LDAP base DN for everything (e.g. dc=example,dc=com) diff --git a/cluster/prod/app/drone-ci/secrets.toml b/cluster/prod/app/drone-ci/secrets.toml new file mode 100644 index 0000000..ac07926 --- /dev/null +++ b/cluster/prod/app/drone-ci/secrets.toml @@ -0,0 +1,48 @@ +# Drone's secrets + +[secrets."drone-ci/rpc_secret"] +type = 'command' +command = 'openssl rand -hex 16' +# don't rotate, it would break all runners + +[secrets."drone-ci/cookie_secret"] +type = 'command' +rotate = true +command = 'openssl rand -hex 16' + +[secrets."drone-ci/db_enc_secret"] +type = 'command' +command = 'openssl rand -hex 16' +# don't rotate, it is used to encrypt data which we would lose if we change this + + +# Oauth config for gitea + +[secrets."drone-ci/oauth_client_secret"] +type = 'user' +description = 'OAuth client secret (for gitea)' + +[secrets."drone-ci/oauth_client_id"] +type = 'user' +description = 'OAuth client ID (on Gitea)' + + +# S3 config for Git LFS storage + +[secrets."drone-ci/s3_db_bucket"] +type = 'constant' +value = 'drone-db' + +[secrets."drone-ci/s3_sk"] +type = 'user' +description = 'S3 (garage) secret key for Drone' + +[secrets."drone-ci/s3_ak"] +type = 'user' +description = 'S3 (garage) access key for Drone' + +[secrets."drone-ci/s3_storage_bucket"] +type = 'constant' +value = 'drone-storage' + + diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/cookie_secret b/cluster/prod/app/drone-ci/secrets/drone-ci/cookie_secret deleted file mode 100644 index 04c819e..0000000 --- a/cluster/prod/app/drone-ci/secrets/drone-ci/cookie_secret +++ /dev/null @@ -1 +0,0 @@ -CMD openssl rand -hex 16 diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/db_enc_secret b/cluster/prod/app/drone-ci/secrets/drone-ci/db_enc_secret deleted file mode 100644 index 3f9e696..0000000 --- a/cluster/prod/app/drone-ci/secrets/drone-ci/db_enc_secret +++ /dev/null @@ -1 +0,0 @@ -CMD_ONCE openssl rand -hex 16 diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_id b/cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_id deleted file mode 100644 index c801b28..0000000 --- a/cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_id +++ /dev/null @@ -1 +0,0 @@ -USER OAuth client ID (on Gitea) diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_secret b/cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_secret deleted file mode 100644 index b79b688..0000000 --- a/cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_secret +++ /dev/null @@ -1 +0,0 @@ -USER OAuth client secret (for gitea) diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/rpc_secret b/cluster/prod/app/drone-ci/secrets/drone-ci/rpc_secret deleted file mode 100644 index 04c819e..0000000 --- a/cluster/prod/app/drone-ci/secrets/drone-ci/rpc_secret +++ /dev/null @@ -1 +0,0 @@ -CMD openssl rand -hex 16 diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/s3_ak b/cluster/prod/app/drone-ci/secrets/drone-ci/s3_ak deleted file mode 100644 index 3a8e4a2..0000000 --- a/cluster/prod/app/drone-ci/secrets/drone-ci/s3_ak +++ /dev/null @@ -1 +0,0 @@ -USER S3 (garage) access key for Drone diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/s3_db_bucket b/cluster/prod/app/drone-ci/secrets/drone-ci/s3_db_bucket deleted file mode 100644 index c36f17d..0000000 --- a/cluster/prod/app/drone-ci/secrets/drone-ci/s3_db_bucket +++ /dev/null @@ -1 +0,0 @@ -CONST drone-db diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/s3_sk b/cluster/prod/app/drone-ci/secrets/drone-ci/s3_sk deleted file mode 100644 index 46fd9fa..0000000 --- a/cluster/prod/app/drone-ci/secrets/drone-ci/s3_sk +++ /dev/null @@ -1 +0,0 @@ -USER S3 (garage) secret key for Drone diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/s3_storage_bucket b/cluster/prod/app/drone-ci/secrets/drone-ci/s3_storage_bucket deleted file mode 100644 index ca2702c..0000000 --- a/cluster/prod/app/drone-ci/secrets/drone-ci/s3_storage_bucket +++ /dev/null @@ -1 +0,0 @@ -CONST drone-storage diff --git a/cluster/prod/app/email/config/dovecot/certs.gen b/cluster/prod/app/email/config/dovecot/certs.gen deleted file mode 100755 index f26e917..0000000 --- a/cluster/prod/app/email/config/dovecot/certs.gen +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash - -TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=imap.deuxfleurs.fr" -openssl req \ - -new \ - -newkey rsa:4096 \ - -days 3650 \ - -nodes \ - -x509 \ - -subj ${TLSINFO} \ - -keyout dovecot.key \ - -out dovecot.crt - diff --git a/cluster/prod/app/email/config/postfix/certs.gen b/cluster/prod/app/email/config/postfix/certs.gen deleted file mode 100755 index f25439b..0000000 --- a/cluster/prod/app/email/config/postfix/certs.gen +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash - -TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr" -openssl req \ - -new \ - -newkey rsa:4096 \ - -days 3650 \ - -nodes \ - -x509 \ - -subj ${TLSINFO} \ - -keyout postfix.key \ - -out postfix.crt - diff --git a/cluster/prod/app/email/deploy/email.hcl b/cluster/prod/app/email/deploy/email.hcl index 7925975..84f4c3b 100644 --- a/cluster/prod/app/email/deploy/email.hcl +++ b/cluster/prod/app/email/deploy/email.hcl @@ -150,13 +150,11 @@ job "email" { # ----- secrets ------ template { - # data = "{{ key \"secrets/email/dovecot/dovecot.crt\" }}" data = "{{ with $d := key \"tricot/certs/imap.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}" destination = "secrets/ssl/certs/dovecot.crt" perms = "400" } template { - # data = "{{ key \"secrets/email/dovecot/dovecot.key\" }}" data = "{{ with $d := key \"tricot/certs/imap.deuxfleurs.fr\" | parseJSON }}{{ $d.key_pem }}{{ end }}" destination = "secrets/ssl/private/dovecot.key" perms = "400" @@ -381,14 +379,12 @@ job "email" { # --- secrets --- template { - # data = "{{ key \"secrets/email/postfix/postfix.crt\" }}" data = "{{ with $d := key \"tricot/certs/smtp.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}" destination = "secrets/ssl/postfix.crt" perms = "400" } template { - # data = "{{ key \"secrets/email/postfix/postfix.key\" }}" data = "{{ with $d := key \"tricot/certs/smtp.deuxfleurs.fr\" | parseJSON }}{{ $d.key_pem }}{{ end }}" destination = "secrets/ssl/postfix.key" perms = "400" diff --git a/cluster/prod/app/email/secrets.toml b/cluster/prod/app/email/secrets.toml new file mode 100644 index 0000000..6263e33 --- /dev/null +++ b/cluster/prod/app/email/secrets.toml @@ -0,0 +1,23 @@ +# ---- POSTFIX ---- + +[secrets."email/dkim/smtp.private"] +type = 'RSA_PRIVATE_KEY' +name = 'dkim' + +# ---- DOVECOT ---- + +[service_users."dovecot"] +dn_secret = "email/dovecot/ldap_binddn" +password_secret = "email/dovecot/ldap_bindpwd" + + +# ---- SOGO ---- + +[service_users."sogo"] +dn_secret = "email/sogo/ldap_binddn" +password_secret = "email/sogo/ldap_bindpw" + +[secrets."email/sogo/postgre_auth"] +type = 'user' +description = 'SoGo postgres auth (format: sogo:<password>) (TODO: replace this with two separate files and change template)' + diff --git a/cluster/prod/app/email/secrets/email/dkim/smtp.private b/cluster/prod/app/email/secrets/email/dkim/smtp.private deleted file mode 100644 index 3aa3621..0000000 --- a/cluster/prod/app/email/secrets/email/dkim/smtp.private +++ /dev/null @@ -1 +0,0 @@ -RSA_PRIVATE_KEY dkim diff --git a/cluster/prod/app/email/secrets/email/dovecot/backup_aws_access_key_id b/cluster/prod/app/email/secrets/email/dovecot/backup_aws_access_key_id deleted file mode 100644 index 9ae6adf..0000000 --- a/cluster/prod/app/email/secrets/email/dovecot/backup_aws_access_key_id +++ /dev/null @@ -1 +0,0 @@ -USER AWS Acces Key ID diff --git a/cluster/prod/app/email/secrets/email/dovecot/backup_aws_secret_access_key b/cluster/prod/app/email/secrets/email/dovecot/backup_aws_secret_access_key deleted file mode 100644 index ac95906..0000000 --- a/cluster/prod/app/email/secrets/email/dovecot/backup_aws_secret_access_key +++ /dev/null @@ -1 +0,0 @@ -USER AWS Secret Access key diff --git a/cluster/prod/app/email/secrets/email/dovecot/backup_restic_password b/cluster/prod/app/email/secrets/email/dovecot/backup_restic_password deleted file mode 100644 index c19a4a3..0000000 --- a/cluster/prod/app/email/secrets/email/dovecot/backup_restic_password +++ /dev/null @@ -1 +0,0 @@ -USER Restic backup password to encrypt data diff --git a/cluster/prod/app/email/secrets/email/dovecot/backup_restic_repository b/cluster/prod/app/email/secrets/email/dovecot/backup_restic_repository deleted file mode 100644 index 0434a15..0000000 --- a/cluster/prod/app/email/secrets/email/dovecot/backup_restic_repository +++ /dev/null @@ -1 +0,0 @@ -USER Restic Repository URL, check op_guide/backup-minio to see the format diff --git a/cluster/prod/app/email/secrets/email/dovecot/dovecot.crt b/cluster/prod/app/email/secrets/email/dovecot/dovecot.crt deleted file mode 100644 index 7229cfc..0000000 --- a/cluster/prod/app/email/secrets/email/dovecot/dovecot.crt +++ /dev/null @@ -1 +0,0 @@ -SSL_CERT dovecot deuxfleurs.fr diff --git a/cluster/prod/app/email/secrets/email/dovecot/dovecot.key b/cluster/prod/app/email/secrets/email/dovecot/dovecot.key deleted file mode 100644 index 0d42c79..0000000 --- a/cluster/prod/app/email/secrets/email/dovecot/dovecot.key +++ /dev/null @@ -1 +0,0 @@ -SSL_KEY dovecot diff --git a/cluster/prod/app/email/secrets/email/dovecot/ldap_binddn b/cluster/prod/app/email/secrets/email/dovecot/ldap_binddn deleted file mode 100644 index da380f2..0000000 --- a/cluster/prod/app/email/secrets/email/dovecot/ldap_binddn +++ /dev/null @@ -1 +0,0 @@ -SERVICE_DN dovecot Dovecot IMAP server diff --git a/cluster/prod/app/email/secrets/email/dovecot/ldap_bindpwd b/cluster/prod/app/email/secrets/email/dovecot/ldap_bindpwd deleted file mode 100644 index 068f663..0000000 --- a/cluster/prod/app/email/secrets/email/dovecot/ldap_bindpwd +++ /dev/null @@ -1 +0,0 @@ -SERVICE_PASSWORD dovecot diff --git a/cluster/prod/app/email/secrets/email/postfix/postfix.crt b/cluster/prod/app/email/secrets/email/postfix/postfix.crt deleted file mode 100644 index f004d67..0000000 --- a/cluster/prod/app/email/secrets/email/postfix/postfix.crt +++ /dev/null @@ -1 +0,0 @@ -SSL_CERT postfix deuxfleurs.fr diff --git a/cluster/prod/app/email/secrets/email/postfix/postfix.key b/cluster/prod/app/email/secrets/email/postfix/postfix.key deleted file mode 100644 index 2cf1706..0000000 --- a/cluster/prod/app/email/secrets/email/postfix/postfix.key +++ /dev/null @@ -1 +0,0 @@ -SSL_KEY postfix diff --git a/cluster/prod/app/email/secrets/email/sogo/ldap_binddn b/cluster/prod/app/email/secrets/email/sogo/ldap_binddn deleted file mode 100644 index df627d3..0000000 --- a/cluster/prod/app/email/secrets/email/sogo/ldap_binddn +++ /dev/null @@ -1 +0,0 @@ -SERVICE_DN sogo SoGo email frontend diff --git a/cluster/prod/app/email/secrets/email/sogo/ldap_bindpw b/cluster/prod/app/email/secrets/email/sogo/ldap_bindpw deleted file mode 100644 index 8d2f35b..0000000 --- a/cluster/prod/app/email/secrets/email/sogo/ldap_bindpw +++ /dev/null @@ -1 +0,0 @@ -SERVICE_PASSWORD sogo diff --git a/cluster/prod/app/email/secrets/email/sogo/postgre_auth b/cluster/prod/app/email/secrets/email/sogo/postgre_auth deleted file mode 100644 index 4f66253..0000000 --- a/cluster/prod/app/email/secrets/email/sogo/postgre_auth +++ /dev/null @@ -1 +0,0 @@ -USER SoGo postgres auth (format: sogo:<password>) (TODO: replace this with two separate files and change template) diff --git a/cluster/prod/app/garage/secrets.toml b/cluster/prod/app/garage/secrets.toml new file mode 100644 index 0000000..e616091 --- /dev/null +++ b/cluster/prod/app/garage/secrets.toml @@ -0,0 +1,14 @@ +[secrets."garage/rpc_secret"] +type = 'command' +command = 'openssl rand -hex 32' +# can't auto-rotate, because we still have some nodes outside of Nomad + +[secrets."garage/admin_token"] +type = 'command' +command = 'openssl rand -hex 32' +rotate = true + +[secrets."garage/metrics_token"] +type = 'command' +command = 'openssl rand -hex 32' +rotate = true diff --git a/cluster/prod/app/garage/secrets/garage/admin_token b/cluster/prod/app/garage/secrets/garage/admin_token deleted file mode 100644 index d831d53..0000000 --- a/cluster/prod/app/garage/secrets/garage/admin_token +++ /dev/null @@ -1 +0,0 @@ -CMD_ONCE openssl rand -hex 32 diff --git a/cluster/prod/app/garage/secrets/garage/metrics_token b/cluster/prod/app/garage/secrets/garage/metrics_token deleted file mode 100644 index d831d53..0000000 --- a/cluster/prod/app/garage/secrets/garage/metrics_token +++ /dev/null @@ -1 +0,0 @@ -CMD_ONCE openssl rand -hex 32 diff --git a/cluster/prod/app/garage/secrets/garage/rpc_secret b/cluster/prod/app/garage/secrets/garage/rpc_secret deleted file mode 100644 index d831d53..0000000 --- a/cluster/prod/app/garage/secrets/garage/rpc_secret +++ /dev/null @@ -1 +0,0 @@ -CMD_ONCE openssl rand -hex 32 diff --git a/cluster/prod/app/guichet/secrets.toml b/cluster/prod/app/guichet/secrets.toml new file mode 100644 index 0000000..d614b27 --- /dev/null +++ b/cluster/prod/app/guichet/secrets.toml @@ -0,0 +1,51 @@ +# General configuration + +[secrets."directory/guichet/web_hostname"] +type = 'user' +description = 'Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com)' + + +# Mailing configuration + +[secrets."directory/guichet/smtp_user"] +type = 'user' +description = 'SMTP username' + +[secrets."directory/guichet/smtp_pass"] +type = 'user' +description = 'SMTP password' + +[secrets."directory/guichet/smtp_server"] +type = 'user' +description = 'SMTP server address (hostname:port)' + +[secrets."directory/guichet/mail_from"] +type = 'user' +description = 'E-mail address from which to send welcome emails to new users' + +[secrets."directory/guichet/mail_domain"] +type = 'user' +description = 'E-mail domain for new users (e.g. example.com)' + + +# S3 configuration + +[secrets."directory/guichet/s3_endpoint"] +type = 'user' +description = 'S3 endpoint URL' + +[secrets."directory/guichet/s3_bucket"] +type = 'user' +description = 'S3 bucket in which to store data files (such as profile pictures)' + +[secrets."directory/guichet/s3_region"] +type = 'user' +description = 'S3 region' + +[secrets."directory/guichet/s3_access_key"] +type = 'user' +description = 'Garage access key for Guichet profile pictures' + +[secrets."directory/guichet/s3_secret_key"] +type = 'user' +description = 'Garage secret key for Guichet profile pictures' diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/mail_domain b/cluster/prod/app/guichet/secrets/directory/guichet/mail_domain deleted file mode 100644 index 5db1ba3..0000000 --- a/cluster/prod/app/guichet/secrets/directory/guichet/mail_domain +++ /dev/null @@ -1 +0,0 @@ -USER E-mail domain for new users (e.g. example.com) diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/mail_from b/cluster/prod/app/guichet/secrets/directory/guichet/mail_from deleted file mode 100644 index 9075cbf..0000000 --- a/cluster/prod/app/guichet/secrets/directory/guichet/mail_from +++ /dev/null @@ -1 +0,0 @@ -USER E-mail address from which to send welcome emails to new users diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/s3_access_key b/cluster/prod/app/guichet/secrets/directory/guichet/s3_access_key deleted file mode 100644 index e5b37ff..0000000 --- a/cluster/prod/app/guichet/secrets/directory/guichet/s3_access_key +++ /dev/null @@ -1 +0,0 @@ -USER Garage access key for Guichet profile pictures diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/s3_bucket b/cluster/prod/app/guichet/secrets/directory/guichet/s3_bucket deleted file mode 100644 index cb059cf..0000000 --- a/cluster/prod/app/guichet/secrets/directory/guichet/s3_bucket +++ /dev/null @@ -1 +0,0 @@ -USER S3 bucket in which to store data files (such as profile pictures) diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/s3_endpoint b/cluster/prod/app/guichet/secrets/directory/guichet/s3_endpoint deleted file mode 100644 index b414269..0000000 --- a/cluster/prod/app/guichet/secrets/directory/guichet/s3_endpoint +++ /dev/null @@ -1 +0,0 @@ -USER S3 endpoint URL diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/s3_region b/cluster/prod/app/guichet/secrets/directory/guichet/s3_region deleted file mode 100644 index ef16924..0000000 --- a/cluster/prod/app/guichet/secrets/directory/guichet/s3_region +++ /dev/null @@ -1 +0,0 @@ -USER S3 region diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/s3_secret_key b/cluster/prod/app/guichet/secrets/directory/guichet/s3_secret_key deleted file mode 100644 index f3e7f0f..0000000 --- a/cluster/prod/app/guichet/secrets/directory/guichet/s3_secret_key +++ /dev/null @@ -1 +0,0 @@ -USER Garage secret key for Guichet profile pictures diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/smtp_pass b/cluster/prod/app/guichet/secrets/directory/guichet/smtp_pass deleted file mode 100644 index fc9d1e3..0000000 --- a/cluster/prod/app/guichet/secrets/directory/guichet/smtp_pass +++ /dev/null @@ -1 +0,0 @@ -USER SMTP password diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/smtp_server b/cluster/prod/app/guichet/secrets/directory/guichet/smtp_server deleted file mode 100644 index c453935..0000000 --- a/cluster/prod/app/guichet/secrets/directory/guichet/smtp_server +++ /dev/null @@ -1 +0,0 @@ -USER SMTP server address (hostname:port) diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/smtp_user b/cluster/prod/app/guichet/secrets/directory/guichet/smtp_user deleted file mode 100644 index c9c8bd0..0000000 --- a/cluster/prod/app/guichet/secrets/directory/guichet/smtp_user +++ /dev/null @@ -1 +0,0 @@ -USER SMTP username diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/web_hostname b/cluster/prod/app/guichet/secrets/directory/guichet/web_hostname deleted file mode 100644 index afe2512..0000000 --- a/cluster/prod/app/guichet/secrets/directory/guichet/web_hostname +++ /dev/null @@ -1 +0,0 @@ -USER Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com) diff --git a/cluster/prod/app/jitsi/secrets.toml b/cluster/prod/app/jitsi/secrets.toml new file mode 100644 index 0000000..cb6126f --- /dev/null +++ b/cluster/prod/app/jitsi/secrets.toml @@ -0,0 +1,36 @@ +# Jitsi secrets + +[secrets."jitsi/jvb_pass"] +type = 'command' +rotate = true +command = 'openssl rand -base64 24' + +[secrets."jitsi/jicofo_pass"] +type = 'command' +rotate = true +command = 'openssl rand -base64 24' + + +# SSL: Jitsi + +[secrets."jitsi/jitsi.crt"] +type = 'SSL_CERT' +name = 'jitsi' +cert_domains = "['jitsi']" + +[secrets."jitsi/jitsi.key"] +type = 'SSL_KEY' +name = 'jitsi' + + +# SSL: Jitsi auth + +[secrets."jitsi/auth.jitsi.crt"] +type = 'SSL_CERT' +name = 'jitsi_auth' +cert_domains = "['auth.jitsi']" + +[secrets."jitsi/auth.jitsi.key"] +type = 'SSL_KEY' +name = 'jitsi_auth' + diff --git a/cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.crt b/cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.crt deleted file mode 100644 index f4ab925..0000000 --- a/cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.crt +++ /dev/null @@ -1 +0,0 @@ -SSL_CERT jitsi_auth auth.jitsi diff --git a/cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.key b/cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.key deleted file mode 100644 index 82e7b6b..0000000 --- a/cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.key +++ /dev/null @@ -1 +0,0 @@ -SSL_KEY jitsi_auth auth.jitsi diff --git a/cluster/prod/app/jitsi/secrets/jitsi/jicofo_pass b/cluster/prod/app/jitsi/secrets/jitsi/jicofo_pass deleted file mode 100644 index 6a0f5fc..0000000 --- a/cluster/prod/app/jitsi/secrets/jitsi/jicofo_pass +++ /dev/null @@ -1 +0,0 @@ -CMD openssl rand -base64 24 diff --git a/cluster/prod/app/jitsi/secrets/jitsi/jitsi.crt b/cluster/prod/app/jitsi/secrets/jitsi/jitsi.crt deleted file mode 100644 index 2eed97c..0000000 --- a/cluster/prod/app/jitsi/secrets/jitsi/jitsi.crt +++ /dev/null @@ -1 +0,0 @@ -SSL_CERT jitsi jitsi diff --git a/cluster/prod/app/jitsi/secrets/jitsi/jitsi.key b/cluster/prod/app/jitsi/secrets/jitsi/jitsi.key deleted file mode 100644 index af53ca0..0000000 --- a/cluster/prod/app/jitsi/secrets/jitsi/jitsi.key +++ /dev/null @@ -1 +0,0 @@ -SSL_KEY jitsi jitsi diff --git a/cluster/prod/app/jitsi/secrets/jitsi/jvb_pass b/cluster/prod/app/jitsi/secrets/jitsi/jvb_pass deleted file mode 100644 index 6a0f5fc..0000000 --- a/cluster/prod/app/jitsi/secrets/jitsi/jvb_pass +++ /dev/null @@ -1 +0,0 @@ -CMD openssl rand -base64 24 diff --git a/cluster/prod/app/matrix/config/synapse/homeserver.yaml b/cluster/prod/app/matrix/config/synapse/homeserver.yaml index b4b7c67..48ae431 100644 --- a/cluster/prod/app/matrix/config/synapse/homeserver.yaml +++ b/cluster/prod/app/matrix/config/synapse/homeserver.yaml @@ -1,22 +1,6 @@ # vim:ft=yaml server_name: "deuxfleurs.fr" -# PEM encoded X509 certificate for TLS. -# You can replace the self-signed certificate that synapse -# autogenerates on launch with your own SSL certificate + key pair -# if you like. Any required intermediary certificates can be -# appended after the primary certificate in hierarchical order. -tls_certificate_path: "/etc/matrix-synapse/homeserver.tls.crt" - -# PEM encoded private key for TLS -tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key" - -# PEM dh parameters for ephemeral keys -tls_dh_params_path: "/etc/matrix-synapse/homeserver.tls.dh" - -# Don't bind to the https port -no_tls: True - ## Server ## diff --git a/cluster/prod/app/matrix/deploy/im.hcl b/cluster/prod/app/matrix/deploy/im.hcl index bd28feb..339fea7 100644 --- a/cluster/prod/app/matrix/deploy/im.hcl +++ b/cluster/prod/app/matrix/deploy/im.hcl @@ -55,21 +55,6 @@ job "matrix" { # --- secrets --- template { - data = "{{ key \"secrets/chat/synapse/homeserver.tls.crt\" }}" - destination = "secrets/conf/homeserver.tls.crt" - } - - template { - data = "{{ key \"secrets/chat/synapse/homeserver.tls.dh\" }}" - destination = "secrets/conf/homeserver.tls.dh" - } - - template { - data = "{{ key \"secrets/chat/synapse/homeserver.tls.key\" }}" - destination = "secrets/conf/homeserver.tls.key" - } - - template { data = "{{ key \"secrets/chat/synapse/homeserver.signing.key\" }}" destination = "secrets/conf/homeserver.signing.key" } diff --git a/cluster/prod/app/matrix/secrets.toml b/cluster/prod/app/matrix/secrets.toml new file mode 100644 index 0000000..8cd1572 --- /dev/null +++ b/cluster/prod/app/matrix/secrets.toml @@ -0,0 +1,81 @@ +[service_users."matrix"] +description = 'Matrix service user' +dn_secret = 'chat/synapse/ldap_binddn' +password_secret = 'chat/synapse/ldap_bindpw' + + +# Postgresql DB + +[secrets."chat/synapse/postgres_db"] +type = 'user' +description = 'Synapse PostgrSQL database name' +example = 'synapse' + +[secrets."chat/synapse/postgres_user"] +type = 'service_username' +service = 'matrix' + +[secrets."chat/synapse/postgres_pwd"] +type = 'service_password' +service = 'matrix' + + +# S3 access + +[secrets."chat/synapse/s3_access_key"] +type = 'user' +description = 'S3 access key ID for Matrix bucket' + +[secrets."chat/synapse/s3_secret_key"] +type = 'user' +description = 'S3 secret access key for Matrix bucket' + + +# Keys & stuff + +[secrets."chat/synapse/homeserver.signing.key"] +type = 'user' +description = 'Synapse homeserver ed25519 signing key' + +[secrets."chat/synapse/registration_shared_secret"] +type = 'command' +rotate = true +command = 'head -c 32 /dev/urandom | base64' + + +# ===== OLD STUFF, KEPT FOR REFERENCE ==== + +# ----------- COTURN ----------- + +# [secrets."chat/coturn/static-auth"] +# type = 'user' +# description = 'coturn static-auth (what is this?)' +# +# [secrets."chat/coturn/static_auth_secret_zinzdev"] +# type = 'user' +# description = "Serveur coturn (TURN/STUN) d'Adrien, c'est un jeton d'identification." + + +# ----------- EASYBRIDGE ----------- + +# [service_users."easybridge"] +# description = 'Easybridge service user' +# password_secret = 'chat/easybridge/db_pass' +# username_secret = 'chat/easybridge/db_user' +# +# +# [secrets."chat/easybridge/as_token"] +# type = 'command' +# rotate = true +# command = 'openssl rand -hex 32' +# +# [secrets."chat/easybridge/web_session_key"] +# type = 'command' +# rotate = true +# command = 'openssl rand -hex 32' +# +# [secrets."chat/easybridge/hs_token"] +# type = 'command' +# rotate = true +# command = 'openssl rand -hex 32' +# diff --git a/cluster/prod/app/matrix/secrets/chat/coturn/static-auth b/cluster/prod/app/matrix/secrets/chat/coturn/static-auth deleted file mode 100644 index 43628ef..0000000 --- a/cluster/prod/app/matrix/secrets/chat/coturn/static-auth +++ /dev/null @@ -1 +0,0 @@ -USER coturn static-auth (what is this?) diff --git a/cluster/prod/app/matrix/secrets/chat/coturn/static_auth_secret_zinzdev b/cluster/prod/app/matrix/secrets/chat/coturn/static_auth_secret_zinzdev deleted file mode 100644 index c61486d..0000000 --- a/cluster/prod/app/matrix/secrets/chat/coturn/static_auth_secret_zinzdev +++ /dev/null @@ -1 +0,0 @@ -USER Serveur coturn (TURN/STUN) d'Adrien, c'est un jeton d'identification.
\ No newline at end of file diff --git a/cluster/prod/app/matrix/secrets/chat/easybridge/as_token b/cluster/prod/app/matrix/secrets/chat/easybridge/as_token deleted file mode 100644 index 5fa4e3c..0000000 --- a/cluster/prod/app/matrix/secrets/chat/easybridge/as_token +++ /dev/null @@ -1 +0,0 @@ -CMD openssl rand -hex 32 diff --git a/cluster/prod/app/matrix/secrets/chat/easybridge/db_pass b/cluster/prod/app/matrix/secrets/chat/easybridge/db_pass deleted file mode 100644 index 7e1f94b..0000000 --- a/cluster/prod/app/matrix/secrets/chat/easybridge/db_pass +++ /dev/null @@ -1 +0,0 @@ -SERVICE_PASSWORD easybridge diff --git a/cluster/prod/app/matrix/secrets/chat/easybridge/db_user b/cluster/prod/app/matrix/secrets/chat/easybridge/db_user deleted file mode 100644 index 436267c..0000000 --- a/cluster/prod/app/matrix/secrets/chat/easybridge/db_user +++ /dev/null @@ -1 +0,0 @@ -CONST easybridge diff --git a/cluster/prod/app/matrix/secrets/chat/easybridge/hs_token b/cluster/prod/app/matrix/secrets/chat/easybridge/hs_token deleted file mode 100644 index 5fa4e3c..0000000 --- a/cluster/prod/app/matrix/secrets/chat/easybridge/hs_token +++ /dev/null @@ -1 +0,0 @@ -CMD openssl rand -hex 32 diff --git a/cluster/prod/app/matrix/secrets/chat/easybridge/web_session_key b/cluster/prod/app/matrix/secrets/chat/easybridge/web_session_key deleted file mode 100644 index 614bed7..0000000 --- a/cluster/prod/app/matrix/secrets/chat/easybridge/web_session_key +++ /dev/null @@ -1,2 +0,0 @@ -CMD openssl rand -hex 32 - diff --git a/cluster/prod/app/matrix/secrets/chat/fb2mx/as_token b/cluster/prod/app/matrix/secrets/chat/fb2mx/as_token deleted file mode 100644 index 5fa4e3c..0000000 --- a/cluster/prod/app/matrix/secrets/chat/fb2mx/as_token +++ /dev/null @@ -1 +0,0 @@ -CMD openssl rand -hex 32 diff --git a/cluster/prod/app/matrix/secrets/chat/fb2mx/db_url b/cluster/prod/app/matrix/secrets/chat/fb2mx/db_url deleted file mode 100644 index f06e265..0000000 --- a/cluster/prod/app/matrix/secrets/chat/fb2mx/db_url +++ /dev/null @@ -1 +0,0 @@ -USER fb2mx database URL, format: postgres://username:password@hostname/dbname diff --git a/cluster/prod/app/matrix/secrets/chat/fb2mx/hs_token b/cluster/prod/app/matrix/secrets/chat/fb2mx/hs_token deleted file mode 100644 index 5fa4e3c..0000000 --- a/cluster/prod/app/matrix/secrets/chat/fb2mx/hs_token +++ /dev/null @@ -1 +0,0 @@ -CMD openssl rand -hex 32 diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.signing.key b/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.signing.key deleted file mode 100644 index 099bd18..0000000 --- a/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.signing.key +++ /dev/null @@ -1 +0,0 @@ -USER Synapse homeserver ed25519 signing key diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.crt b/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.crt deleted file mode 100644 index b696093..0000000 --- a/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.crt +++ /dev/null @@ -1 +0,0 @@ -SSL_CERT synapse im.deuxfleurs.fr diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.dh b/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.dh deleted file mode 100644 index 0231fed..0000000 --- a/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.dh +++ /dev/null @@ -1 +0,0 @@ -USER_LONG DH parameters for matrix ssl key? how does this work? diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.key b/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.key deleted file mode 100644 index feee544..0000000 --- a/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.key +++ /dev/null @@ -1 +0,0 @@ -SSL_KEY synapse im.deuxfleurs.fr diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/ldap_binddn b/cluster/prod/app/matrix/secrets/chat/synapse/ldap_binddn deleted file mode 100644 index 2631bef..0000000 --- a/cluster/prod/app/matrix/secrets/chat/synapse/ldap_binddn +++ /dev/null @@ -1 +0,0 @@ -SERVICE_DN matrix Matrix chat server diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/ldap_bindpw b/cluster/prod/app/matrix/secrets/chat/synapse/ldap_bindpw deleted file mode 100644 index ba07446..0000000 --- a/cluster/prod/app/matrix/secrets/chat/synapse/ldap_bindpw +++ /dev/null @@ -1 +0,0 @@ -SERVICE_PASSWORD matrix diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/postgres_db b/cluster/prod/app/matrix/secrets/chat/synapse/postgres_db deleted file mode 100644 index 74eefa7..0000000 --- a/cluster/prod/app/matrix/secrets/chat/synapse/postgres_db +++ /dev/null @@ -1 +0,0 @@ -CONST synapse diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/postgres_pwd b/cluster/prod/app/matrix/secrets/chat/synapse/postgres_pwd deleted file mode 100644 index ba07446..0000000 --- a/cluster/prod/app/matrix/secrets/chat/synapse/postgres_pwd +++ /dev/null @@ -1 +0,0 @@ -SERVICE_PASSWORD matrix diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/postgres_user b/cluster/prod/app/matrix/secrets/chat/synapse/postgres_user deleted file mode 100644 index b08e86a..0000000 --- a/cluster/prod/app/matrix/secrets/chat/synapse/postgres_user +++ /dev/null @@ -1 +0,0 @@ -CONST matrix diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/registration_shared_secret b/cluster/prod/app/matrix/secrets/chat/synapse/registration_shared_secret deleted file mode 100644 index b82f191..0000000 --- a/cluster/prod/app/matrix/secrets/chat/synapse/registration_shared_secret +++ /dev/null @@ -1 +0,0 @@ -CMD head -c 32 /dev/urandom | base64 diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/s3_access_key b/cluster/prod/app/matrix/secrets/chat/synapse/s3_access_key deleted file mode 100644 index ab09a8e..0000000 --- a/cluster/prod/app/matrix/secrets/chat/synapse/s3_access_key +++ /dev/null @@ -1 +0,0 @@ -USER matrix diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/s3_secret_key b/cluster/prod/app/matrix/secrets/chat/synapse/s3_secret_key deleted file mode 100644 index ab09a8e..0000000 --- a/cluster/prod/app/matrix/secrets/chat/synapse/s3_secret_key +++ /dev/null @@ -1 +0,0 @@ -USER matrix diff --git a/cluster/prod/app/plume/secrets.toml b/cluster/prod/app/plume/secrets.toml new file mode 100644 index 0000000..4d68a5c --- /dev/null +++ b/cluster/prod/app/plume/secrets.toml @@ -0,0 +1,10 @@ +[service_user."plume"] +password_secret = "plume/pgsql_pw" + + +[secrets."plume/secret_key"] +type = 'command' +rotate = true +command = 'openssl rand -base64 32' + + diff --git a/cluster/prod/app/plume/secrets/plume/backup_aws_access_key_id b/cluster/prod/app/plume/secrets/plume/backup_aws_access_key_id deleted file mode 100644 index 9235e53..0000000 --- a/cluster/prod/app/plume/secrets/plume/backup_aws_access_key_id +++ /dev/null @@ -1 +0,0 @@ -USER Backup AWS access key ID diff --git a/cluster/prod/app/plume/secrets/plume/backup_aws_secret_access_key b/cluster/prod/app/plume/secrets/plume/backup_aws_secret_access_key deleted file mode 100644 index f34677e..0000000 --- a/cluster/prod/app/plume/secrets/plume/backup_aws_secret_access_key +++ /dev/null @@ -1 +0,0 @@ -USER Backup AWS secret access key diff --git a/cluster/prod/app/plume/secrets/plume/backup_restic_password b/cluster/prod/app/plume/secrets/plume/backup_restic_password deleted file mode 100644 index fbaa5fa..0000000 --- a/cluster/prod/app/plume/secrets/plume/backup_restic_password +++ /dev/null @@ -1 +0,0 @@ -USER Restic password to encrypt backups diff --git a/cluster/prod/app/plume/secrets/plume/backup_restic_repository b/cluster/prod/app/plume/secrets/plume/backup_restic_repository deleted file mode 100644 index 3f6cb93..0000000 --- a/cluster/prod/app/plume/secrets/plume/backup_restic_repository +++ /dev/null @@ -1 +0,0 @@ -USER Restic repository, eg. s3:https://s3.garage.tld diff --git a/cluster/prod/app/plume/secrets/plume/pgsql_pw b/cluster/prod/app/plume/secrets/plume/pgsql_pw deleted file mode 100644 index 0f831bb..0000000 --- a/cluster/prod/app/plume/secrets/plume/pgsql_pw +++ /dev/null @@ -1 +0,0 @@ -SERVICE_PASSWORD plume diff --git a/cluster/prod/app/plume/secrets/plume/secret_key b/cluster/prod/app/plume/secrets/plume/secret_key deleted file mode 100644 index 978be54..0000000 --- a/cluster/prod/app/plume/secrets/plume/secret_key +++ /dev/null @@ -1 +0,0 @@ -CMD openssl rand -base64 32 diff --git a/cluster/prod/app/postgres/secrets.toml b/cluster/prod/app/postgres/secrets.toml new file mode 100644 index 0000000..537a72d --- /dev/null +++ b/cluster/prod/app/postgres/secrets.toml @@ -0,0 +1,10 @@ +[service_users."replicator"] +password_secret = "postgres/keeper/pg_repl_pwd" +username_secret = "postgres/keeper/pg_repl_username" + + +[secrets."postgres/keeper/pg_su_pwd"] +type = 'command' +command = 'openssl rand -base64 15' +description = 'postgres superuser password' + diff --git a/cluster/prod/app/postgres/secrets/postgres/keeper/pg_repl_pwd b/cluster/prod/app/postgres/secrets/postgres/keeper/pg_repl_pwd deleted file mode 100644 index ae0c229..0000000 --- a/cluster/prod/app/postgres/secrets/postgres/keeper/pg_repl_pwd +++ /dev/null @@ -1 +0,0 @@ -SERVICE_PASSWORD replicator diff --git a/cluster/prod/app/postgres/secrets/postgres/keeper/pg_repl_username b/cluster/prod/app/postgres/secrets/postgres/keeper/pg_repl_username deleted file mode 100644 index 58e6e46..0000000 --- a/cluster/prod/app/postgres/secrets/postgres/keeper/pg_repl_username +++ /dev/null @@ -1 +0,0 @@ -CONST replicator diff --git a/cluster/prod/app/postgres/secrets/postgres/keeper/pg_su_pwd b/cluster/prod/app/postgres/secrets/postgres/keeper/pg_su_pwd deleted file mode 100644 index 907e2b8..0000000 --- a/cluster/prod/app/postgres/secrets/postgres/keeper/pg_su_pwd +++ /dev/null @@ -1 +0,0 @@ -USER postgres superuser password diff --git a/cluster/prod/app/secretmgr b/cluster/prod/app/secretmgr deleted file mode 120000 index 6aff4ad..0000000 --- a/cluster/prod/app/secretmgr +++ /dev/null @@ -1 +0,0 @@ -../../../secretmgr/secretmgr
\ No newline at end of file diff --git a/cluster/prod/app/telemetry/secrets.toml b/cluster/prod/app/telemetry/secrets.toml new file mode 100644 index 0000000..763a14c --- /dev/null +++ b/cluster/prod/app/telemetry/secrets.toml @@ -0,0 +1,16 @@ +[secrets."telemetry/grafana/admin_password"] +type = 'command' +rotate = true +command = 'openssl rand -base64 12' + + +# S3 database storage access + +[secrets."telemetry/grafana/s3_access_key"] +type = 'user' +description = 'S3 access key for grafana db' + +[secrets."telemetry/grafana/s3_secret_key"] +type = 'user' +description = 'S3 secret key for grafana db' + diff --git a/cluster/prod/app/telemetry/secrets/telemetry/grafana/admin_password b/cluster/prod/app/telemetry/secrets/telemetry/grafana/admin_password deleted file mode 100644 index 2f36e97..0000000 --- a/cluster/prod/app/telemetry/secrets/telemetry/grafana/admin_password +++ /dev/null @@ -1 +0,0 @@ -CMD openssl rand -base64 12 diff --git a/cluster/prod/app/telemetry/secrets/telemetry/grafana/s3_access_key b/cluster/prod/app/telemetry/secrets/telemetry/grafana/s3_access_key deleted file mode 100644 index c7e41a4..0000000 --- a/cluster/prod/app/telemetry/secrets/telemetry/grafana/s3_access_key +++ /dev/null @@ -1 +0,0 @@ -USER S3 access key for grafana db diff --git a/cluster/prod/app/telemetry/secrets/telemetry/grafana/s3_secret_key b/cluster/prod/app/telemetry/secrets/telemetry/grafana/s3_secret_key deleted file mode 100644 index 051f41a..0000000 --- a/cluster/prod/app/telemetry/secrets/telemetry/grafana/s3_secret_key +++ /dev/null @@ -1 +0,0 @@ -USER S3 secret key for grafana db diff --git a/cluster/prod/secretmgr.toml b/cluster/prod/secretmgr.toml new file mode 100644 index 0000000..ea540e5 --- /dev/null +++ b/cluster/prod/secretmgr.toml @@ -0,0 +1,19 @@ +[ldap] +server = "ldap://localhost:1389" +service_dn_suffix = "ou=services,ou=users,dc=deuxfleurs,dc=fr" +admin_dn = "cn=admin,dc=deuxfleurs,dc=org" + + +[user_values] +"directory/ldap_base_dn" = "dc=deuxfleurs,dc=fr" +"directory/guichet/web_hostname" = "guichet.deuxfleurs.fr" +"directory/guichet/mail_domain" = "deuxfleurs.fr" +"directory/guichet/s3_bucket" = "bottin-pictures" +"directory/guichet/s3_endpoint" = "garage.deuxfleurs.fr" +"directory/guichet/s3_region" = "garage" +# TODO: fix smtp server, use deuxfleurs' smtp + +"drone-ci/s3_db_bucket" = "drone-db" +"drone-ci/s3_storage_bucket" = "drone-storage" + +"chat/synapse/postgres_db" = "synapse2" |