aboutsummaryrefslogtreecommitdiff
path: root/cluster/prod
diff options
context:
space:
mode:
authorAlex <alex@adnab.me>2023-01-01 18:47:34 +0000
committerAlex <alex@adnab.me>2023-01-01 18:47:34 +0000
commit3847c081817d93e75ec9ef8d53d2961e13df74c3 (patch)
treebd820bfda887f355fe1e56f8a1418c9353c59eb2 /cluster/prod
parentad6db2f1c502898e92fe377510dcf58b2d5ce6c9 (diff)
parent0d8c6a2d45c7b6bbb86f2d4268423578f0995894 (diff)
downloadnixcfg-3847c081817d93e75ec9ef8d53d2961e13df74c3.tar.gz
nixcfg-3847c081817d93e75ec9ef8d53d2961e13df74c3.zip
Merge pull request 'updated version of secretmgr' (#5) from new-secretmgr into main
Reviewed-on: https://git.deuxfleurs.fr/Deuxfleurs/nixcfg/pulls/5
Diffstat (limited to 'cluster/prod')
-rw-r--r--cluster/prod/app/backup/secrets.toml92
-rw-r--r--cluster/prod/app/backup/secrets/backup/consul/backup_aws_access_key_id1
-rw-r--r--cluster/prod/app/backup/secrets/backup/consul/backup_aws_secret_access_key1
-rw-r--r--cluster/prod/app/backup/secrets/backup/consul/backup_restic_password1
-rw-r--r--cluster/prod/app/backup/secrets/backup/consul/backup_restic_repository1
-rw-r--r--cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_access_key_id1
-rw-r--r--cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_secret_access_key1
-rw-r--r--cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_password1
-rw-r--r--cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_repository1
-rw-r--r--cluster/prod/app/backup/secrets/backup/id_ed255191
-rw-r--r--cluster/prod/app/backup/secrets/backup/id_ed25519.pub1
-rw-r--r--cluster/prod/app/backup/secrets/backup/psql/aws_access_key_id1
-rw-r--r--cluster/prod/app/backup/secrets/backup/psql/aws_secret_access_key1
-rw-r--r--cluster/prod/app/backup/secrets/backup/psql/crypt_private_key1
-rw-r--r--cluster/prod/app/backup/secrets/backup/psql/crypt_public_key1
-rw-r--r--cluster/prod/app/backup/secrets/backup/target_ssh_dir1
-rw-r--r--cluster/prod/app/backup/secrets/backup/target_ssh_fingerprint1
-rw-r--r--cluster/prod/app/backup/secrets/backup/target_ssh_host1
-rw-r--r--cluster/prod/app/backup/secrets/backup/target_ssh_port1
-rw-r--r--cluster/prod/app/backup/secrets/backup/target_ssh_user1
-rw-r--r--cluster/prod/app/core/secrets.toml5
-rw-r--r--cluster/prod/app/core/secrets/directory/ldap_base_dn1
-rw-r--r--cluster/prod/app/drone-ci/secrets.toml48
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/cookie_secret1
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/db_enc_secret1
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_id1
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_secret1
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/rpc_secret1
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/s3_ak1
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/s3_db_bucket1
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/s3_sk1
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/s3_storage_bucket1
-rwxr-xr-xcluster/prod/app/email/config/dovecot/certs.gen13
-rwxr-xr-xcluster/prod/app/email/config/postfix/certs.gen13
-rw-r--r--cluster/prod/app/email/deploy/email.hcl4
-rw-r--r--cluster/prod/app/email/secrets.toml23
-rw-r--r--cluster/prod/app/email/secrets/email/dkim/smtp.private1
-rw-r--r--cluster/prod/app/email/secrets/email/dovecot/backup_aws_access_key_id1
-rw-r--r--cluster/prod/app/email/secrets/email/dovecot/backup_aws_secret_access_key1
-rw-r--r--cluster/prod/app/email/secrets/email/dovecot/backup_restic_password1
-rw-r--r--cluster/prod/app/email/secrets/email/dovecot/backup_restic_repository1
-rw-r--r--cluster/prod/app/email/secrets/email/dovecot/dovecot.crt1
-rw-r--r--cluster/prod/app/email/secrets/email/dovecot/dovecot.key1
-rw-r--r--cluster/prod/app/email/secrets/email/dovecot/ldap_binddn1
-rw-r--r--cluster/prod/app/email/secrets/email/dovecot/ldap_bindpwd1
-rw-r--r--cluster/prod/app/email/secrets/email/postfix/postfix.crt1
-rw-r--r--cluster/prod/app/email/secrets/email/postfix/postfix.key1
-rw-r--r--cluster/prod/app/email/secrets/email/sogo/ldap_binddn1
-rw-r--r--cluster/prod/app/email/secrets/email/sogo/ldap_bindpw1
-rw-r--r--cluster/prod/app/email/secrets/email/sogo/postgre_auth1
-rw-r--r--cluster/prod/app/garage/secrets.toml14
-rw-r--r--cluster/prod/app/garage/secrets/garage/admin_token1
-rw-r--r--cluster/prod/app/garage/secrets/garage/metrics_token1
-rw-r--r--cluster/prod/app/garage/secrets/garage/rpc_secret1
-rw-r--r--cluster/prod/app/guichet/secrets.toml51
-rw-r--r--cluster/prod/app/guichet/secrets/directory/guichet/mail_domain1
-rw-r--r--cluster/prod/app/guichet/secrets/directory/guichet/mail_from1
-rw-r--r--cluster/prod/app/guichet/secrets/directory/guichet/s3_access_key1
-rw-r--r--cluster/prod/app/guichet/secrets/directory/guichet/s3_bucket1
-rw-r--r--cluster/prod/app/guichet/secrets/directory/guichet/s3_endpoint1
-rw-r--r--cluster/prod/app/guichet/secrets/directory/guichet/s3_region1
-rw-r--r--cluster/prod/app/guichet/secrets/directory/guichet/s3_secret_key1
-rw-r--r--cluster/prod/app/guichet/secrets/directory/guichet/smtp_pass1
-rw-r--r--cluster/prod/app/guichet/secrets/directory/guichet/smtp_server1
-rw-r--r--cluster/prod/app/guichet/secrets/directory/guichet/smtp_user1
-rw-r--r--cluster/prod/app/guichet/secrets/directory/guichet/web_hostname1
-rw-r--r--cluster/prod/app/jitsi/secrets.toml36
-rw-r--r--cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.crt1
-rw-r--r--cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.key1
-rw-r--r--cluster/prod/app/jitsi/secrets/jitsi/jicofo_pass1
-rw-r--r--cluster/prod/app/jitsi/secrets/jitsi/jitsi.crt1
-rw-r--r--cluster/prod/app/jitsi/secrets/jitsi/jitsi.key1
-rw-r--r--cluster/prod/app/jitsi/secrets/jitsi/jvb_pass1
-rw-r--r--cluster/prod/app/matrix/config/synapse/homeserver.yaml16
-rw-r--r--cluster/prod/app/matrix/deploy/im.hcl15
-rw-r--r--cluster/prod/app/matrix/secrets.toml81
-rw-r--r--cluster/prod/app/matrix/secrets/chat/coturn/static-auth1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/coturn/static_auth_secret_zinzdev1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/easybridge/as_token1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/easybridge/db_pass1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/easybridge/db_user1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/easybridge/hs_token1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/easybridge/web_session_key2
-rw-r--r--cluster/prod/app/matrix/secrets/chat/fb2mx/as_token1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/fb2mx/db_url1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/fb2mx/hs_token1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/synapse/homeserver.signing.key1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.crt1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.dh1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.key1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/synapse/ldap_binddn1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/synapse/ldap_bindpw1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/synapse/postgres_db1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/synapse/postgres_pwd1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/synapse/postgres_user1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/synapse/registration_shared_secret1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/synapse/s3_access_key1
-rw-r--r--cluster/prod/app/matrix/secrets/chat/synapse/s3_secret_key1
-rw-r--r--cluster/prod/app/plume/secrets.toml10
-rw-r--r--cluster/prod/app/plume/secrets/plume/backup_aws_access_key_id1
-rw-r--r--cluster/prod/app/plume/secrets/plume/backup_aws_secret_access_key1
-rw-r--r--cluster/prod/app/plume/secrets/plume/backup_restic_password1
-rw-r--r--cluster/prod/app/plume/secrets/plume/backup_restic_repository1
-rw-r--r--cluster/prod/app/plume/secrets/plume/pgsql_pw1
-rw-r--r--cluster/prod/app/plume/secrets/plume/secret_key1
-rw-r--r--cluster/prod/app/postgres/secrets.toml10
-rw-r--r--cluster/prod/app/postgres/secrets/postgres/keeper/pg_repl_pwd1
-rw-r--r--cluster/prod/app/postgres/secrets/postgres/keeper/pg_repl_username1
-rw-r--r--cluster/prod/app/postgres/secrets/postgres/keeper/pg_su_pwd1
l---------cluster/prod/app/secretmgr1
-rw-r--r--cluster/prod/app/telemetry/secrets.toml16
-rw-r--r--cluster/prod/app/telemetry/secrets/telemetry/grafana/admin_password1
-rw-r--r--cluster/prod/app/telemetry/secrets/telemetry/grafana/s3_access_key1
-rw-r--r--cluster/prod/app/telemetry/secrets/telemetry/grafana/s3_secret_key1
-rw-r--r--cluster/prod/secretmgr.toml19
115 files changed, 405 insertions, 160 deletions
diff --git a/cluster/prod/app/backup/secrets.toml b/cluster/prod/app/backup/secrets.toml
new file mode 100644
index 0000000..91794ae
--- /dev/null
+++ b/cluster/prod/app/backup/secrets.toml
@@ -0,0 +1,92 @@
+# Cryptpad backup
+
+[secrets."backup/cryptpad/backup_restic_password"]
+type = 'user'
+description = 'Restic password to encrypt backups'
+
+[secrets."backup/cryptpad/backup_aws_secret_access_key"]
+type = 'user'
+description = 'Backup AWS secret access key'
+
+[secrets."backup/cryptpad/backup_restic_repository"]
+type = 'user'
+description = 'Restic repository'
+example = 's3:https://s3.garage.tld'
+
+[secrets."backup/cryptpad/backup_aws_access_key_id"]
+type = 'user'
+description = 'Backup AWS access key ID'
+
+
+# Consul backup
+
+[secrets."backup/consul/backup_restic_password"]
+type = 'user'
+description = 'Restic password to encrypt backups'
+
+[secrets."backup/consul/backup_aws_secret_access_key"]
+type = 'user'
+description = 'Backup AWS secret access key'
+
+[secrets."backup/consul/backup_restic_repository"]
+type = 'user'
+description = 'Restic repository'
+example = 's3:https://s3.garage.tld'
+
+[secrets."backup/consul/backup_aws_access_key_id"]
+type = 'user'
+description = 'Backup AWS access key ID'
+
+
+# Postgresql backup
+
+[secrets."postgres/backup/aws_access_key_id"]
+type = 'user'
+description = 'Minio access key'
+
+[secrets."postgres/backup/aws_secret_access_key"]
+type = 'user'
+description = 'Minio secret key'
+
+[secrets."postgres/backup/crypt_public_key"]
+type = 'user'
+description = 'A public key to encypt backups with age'
+
+
+# Plume backup
+
+[secrets."plume/backup_restic_repository"]
+type = 'user'
+description = 'Restic repository'
+example = 's3:https://s3.garage.tld'
+
+[secrets."plume/backup_restic_password"]
+type = 'user'
+description = 'Restic password to encrypt backups'
+
+[secrets."plume/backup_aws_secret_access_key"]
+type = 'user'
+description = 'Backup AWS secret access key'
+
+[secrets."plume/backup_aws_access_key_id"]
+type = 'user'
+description = 'Backup AWS access key ID'
+
+
+# Dovecot backup
+
+[secrets."email/dovecot/backup_restic_password"]
+type = 'user'
+description = 'Restic backup password to encrypt data'
+
+[secrets."email/dovecot/backup_aws_secret_access_key"]
+type = 'user'
+description = 'AWS Secret Access key'
+
+[secrets."email/dovecot/backup_restic_repository"]
+type = 'user'
+description = 'Restic Repository URL, check op_guide/backup-minio to see the format'
+
+[secrets."email/dovecot/backup_aws_access_key_id"]
+type = 'user'
+description = 'AWS Acces Key ID'
diff --git a/cluster/prod/app/backup/secrets/backup/consul/backup_aws_access_key_id b/cluster/prod/app/backup/secrets/backup/consul/backup_aws_access_key_id
deleted file mode 100644
index 9235e53..0000000
--- a/cluster/prod/app/backup/secrets/backup/consul/backup_aws_access_key_id
+++ /dev/null
@@ -1 +0,0 @@
-USER Backup AWS access key ID
diff --git a/cluster/prod/app/backup/secrets/backup/consul/backup_aws_secret_access_key b/cluster/prod/app/backup/secrets/backup/consul/backup_aws_secret_access_key
deleted file mode 100644
index f34677e..0000000
--- a/cluster/prod/app/backup/secrets/backup/consul/backup_aws_secret_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER Backup AWS secret access key
diff --git a/cluster/prod/app/backup/secrets/backup/consul/backup_restic_password b/cluster/prod/app/backup/secrets/backup/consul/backup_restic_password
deleted file mode 100644
index fbaa5fa..0000000
--- a/cluster/prod/app/backup/secrets/backup/consul/backup_restic_password
+++ /dev/null
@@ -1 +0,0 @@
-USER Restic password to encrypt backups
diff --git a/cluster/prod/app/backup/secrets/backup/consul/backup_restic_repository b/cluster/prod/app/backup/secrets/backup/consul/backup_restic_repository
deleted file mode 100644
index 3f6cb93..0000000
--- a/cluster/prod/app/backup/secrets/backup/consul/backup_restic_repository
+++ /dev/null
@@ -1 +0,0 @@
-USER Restic repository, eg. s3:https://s3.garage.tld
diff --git a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_access_key_id b/cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_access_key_id
deleted file mode 100644
index 9235e53..0000000
--- a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_access_key_id
+++ /dev/null
@@ -1 +0,0 @@
-USER Backup AWS access key ID
diff --git a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_secret_access_key b/cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_secret_access_key
deleted file mode 100644
index f34677e..0000000
--- a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_aws_secret_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER Backup AWS secret access key
diff --git a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_password b/cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_password
deleted file mode 100644
index fbaa5fa..0000000
--- a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_password
+++ /dev/null
@@ -1 +0,0 @@
-USER Restic password to encrypt backups
diff --git a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_repository b/cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_repository
deleted file mode 100644
index 3f6cb93..0000000
--- a/cluster/prod/app/backup/secrets/backup/cryptpad/backup_restic_repository
+++ /dev/null
@@ -1 +0,0 @@
-USER Restic repository, eg. s3:https://s3.garage.tld
diff --git a/cluster/prod/app/backup/secrets/backup/id_ed25519 b/cluster/prod/app/backup/secrets/backup/id_ed25519
deleted file mode 100644
index 9d7fd46..0000000
--- a/cluster/prod/app/backup/secrets/backup/id_ed25519
+++ /dev/null
@@ -1 +0,0 @@
-USER_LONG Private ed25519 key of the container doing the backup
diff --git a/cluster/prod/app/backup/secrets/backup/id_ed25519.pub b/cluster/prod/app/backup/secrets/backup/id_ed25519.pub
deleted file mode 100644
index 0a2ab35..0000000
--- a/cluster/prod/app/backup/secrets/backup/id_ed25519.pub
+++ /dev/null
@@ -1 +0,0 @@
-USER Public ed25519 key of the container doing the backup (this key must be in authorized_keys on the backup target host)
diff --git a/cluster/prod/app/backup/secrets/backup/psql/aws_access_key_id b/cluster/prod/app/backup/secrets/backup/psql/aws_access_key_id
deleted file mode 100644
index 82375d7..0000000
--- a/cluster/prod/app/backup/secrets/backup/psql/aws_access_key_id
+++ /dev/null
@@ -1 +0,0 @@
-USER Minio access key
diff --git a/cluster/prod/app/backup/secrets/backup/psql/aws_secret_access_key b/cluster/prod/app/backup/secrets/backup/psql/aws_secret_access_key
deleted file mode 100644
index de5090c..0000000
--- a/cluster/prod/app/backup/secrets/backup/psql/aws_secret_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER Minio secret key
diff --git a/cluster/prod/app/backup/secrets/backup/psql/crypt_private_key b/cluster/prod/app/backup/secrets/backup/psql/crypt_private_key
deleted file mode 100644
index 4abece9..0000000
--- a/cluster/prod/app/backup/secrets/backup/psql/crypt_private_key
+++ /dev/null
@@ -1 +0,0 @@
-USER a private key to decript backups from age
diff --git a/cluster/prod/app/backup/secrets/backup/psql/crypt_public_key b/cluster/prod/app/backup/secrets/backup/psql/crypt_public_key
deleted file mode 100644
index 156ad47..0000000
--- a/cluster/prod/app/backup/secrets/backup/psql/crypt_public_key
+++ /dev/null
@@ -1 +0,0 @@
-USER A public key to encypt backups with age
diff --git a/cluster/prod/app/backup/secrets/backup/target_ssh_dir b/cluster/prod/app/backup/secrets/backup/target_ssh_dir
deleted file mode 100644
index 3b2a4da..0000000
--- a/cluster/prod/app/backup/secrets/backup/target_ssh_dir
+++ /dev/null
@@ -1 +0,0 @@
-USER Directory where to store backups on target host
diff --git a/cluster/prod/app/backup/secrets/backup/target_ssh_fingerprint b/cluster/prod/app/backup/secrets/backup/target_ssh_fingerprint
deleted file mode 100644
index 608f3ec..0000000
--- a/cluster/prod/app/backup/secrets/backup/target_ssh_fingerprint
+++ /dev/null
@@ -1 +0,0 @@
-USER SSH fingerprint of the target machine (format: copy here the corresponding line from your known_hosts file)
diff --git a/cluster/prod/app/backup/secrets/backup/target_ssh_host b/cluster/prod/app/backup/secrets/backup/target_ssh_host
deleted file mode 100644
index 6268f87..0000000
--- a/cluster/prod/app/backup/secrets/backup/target_ssh_host
+++ /dev/null
@@ -1 +0,0 @@
-USER Hostname of the backup target host
diff --git a/cluster/prod/app/backup/secrets/backup/target_ssh_port b/cluster/prod/app/backup/secrets/backup/target_ssh_port
deleted file mode 100644
index 309dd38..0000000
--- a/cluster/prod/app/backup/secrets/backup/target_ssh_port
+++ /dev/null
@@ -1 +0,0 @@
-USER SSH port number to connect to the target host
diff --git a/cluster/prod/app/backup/secrets/backup/target_ssh_user b/cluster/prod/app/backup/secrets/backup/target_ssh_user
deleted file mode 100644
index 98b3046..0000000
--- a/cluster/prod/app/backup/secrets/backup/target_ssh_user
+++ /dev/null
@@ -1 +0,0 @@
-USER SSH username to log in as on the target host
diff --git a/cluster/prod/app/core/secrets.toml b/cluster/prod/app/core/secrets.toml
new file mode 100644
index 0000000..736c9dd
--- /dev/null
+++ b/cluster/prod/app/core/secrets.toml
@@ -0,0 +1,5 @@
+[secrets."directory/ldap_base_dn"]
+type = 'user'
+description = 'LDAP base DN for everything'
+example = 'dc=example,dc=com'
+
diff --git a/cluster/prod/app/core/secrets/directory/ldap_base_dn b/cluster/prod/app/core/secrets/directory/ldap_base_dn
deleted file mode 100644
index ea5c7ae..0000000
--- a/cluster/prod/app/core/secrets/directory/ldap_base_dn
+++ /dev/null
@@ -1 +0,0 @@
-USER LDAP base DN for everything (e.g. dc=example,dc=com)
diff --git a/cluster/prod/app/drone-ci/secrets.toml b/cluster/prod/app/drone-ci/secrets.toml
new file mode 100644
index 0000000..ac07926
--- /dev/null
+++ b/cluster/prod/app/drone-ci/secrets.toml
@@ -0,0 +1,48 @@
+# Drone's secrets
+
+[secrets."drone-ci/rpc_secret"]
+type = 'command'
+command = 'openssl rand -hex 16'
+# don't rotate, it would break all runners
+
+[secrets."drone-ci/cookie_secret"]
+type = 'command'
+rotate = true
+command = 'openssl rand -hex 16'
+
+[secrets."drone-ci/db_enc_secret"]
+type = 'command'
+command = 'openssl rand -hex 16'
+# don't rotate, it is used to encrypt data which we would lose if we change this
+
+
+# Oauth config for gitea
+
+[secrets."drone-ci/oauth_client_secret"]
+type = 'user'
+description = 'OAuth client secret (for gitea)'
+
+[secrets."drone-ci/oauth_client_id"]
+type = 'user'
+description = 'OAuth client ID (on Gitea)'
+
+
+# S3 config for Git LFS storage
+
+[secrets."drone-ci/s3_db_bucket"]
+type = 'constant'
+value = 'drone-db'
+
+[secrets."drone-ci/s3_sk"]
+type = 'user'
+description = 'S3 (garage) secret key for Drone'
+
+[secrets."drone-ci/s3_ak"]
+type = 'user'
+description = 'S3 (garage) access key for Drone'
+
+[secrets."drone-ci/s3_storage_bucket"]
+type = 'constant'
+value = 'drone-storage'
+
+
diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/cookie_secret b/cluster/prod/app/drone-ci/secrets/drone-ci/cookie_secret
deleted file mode 100644
index 04c819e..0000000
--- a/cluster/prod/app/drone-ci/secrets/drone-ci/cookie_secret
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -hex 16
diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/db_enc_secret b/cluster/prod/app/drone-ci/secrets/drone-ci/db_enc_secret
deleted file mode 100644
index 3f9e696..0000000
--- a/cluster/prod/app/drone-ci/secrets/drone-ci/db_enc_secret
+++ /dev/null
@@ -1 +0,0 @@
-CMD_ONCE openssl rand -hex 16
diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_id b/cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_id
deleted file mode 100644
index c801b28..0000000
--- a/cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_id
+++ /dev/null
@@ -1 +0,0 @@
-USER OAuth client ID (on Gitea)
diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_secret b/cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_secret
deleted file mode 100644
index b79b688..0000000
--- a/cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_secret
+++ /dev/null
@@ -1 +0,0 @@
-USER OAuth client secret (for gitea)
diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/rpc_secret b/cluster/prod/app/drone-ci/secrets/drone-ci/rpc_secret
deleted file mode 100644
index 04c819e..0000000
--- a/cluster/prod/app/drone-ci/secrets/drone-ci/rpc_secret
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -hex 16
diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/s3_ak b/cluster/prod/app/drone-ci/secrets/drone-ci/s3_ak
deleted file mode 100644
index 3a8e4a2..0000000
--- a/cluster/prod/app/drone-ci/secrets/drone-ci/s3_ak
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 (garage) access key for Drone
diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/s3_db_bucket b/cluster/prod/app/drone-ci/secrets/drone-ci/s3_db_bucket
deleted file mode 100644
index c36f17d..0000000
--- a/cluster/prod/app/drone-ci/secrets/drone-ci/s3_db_bucket
+++ /dev/null
@@ -1 +0,0 @@
-CONST drone-db
diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/s3_sk b/cluster/prod/app/drone-ci/secrets/drone-ci/s3_sk
deleted file mode 100644
index 46fd9fa..0000000
--- a/cluster/prod/app/drone-ci/secrets/drone-ci/s3_sk
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 (garage) secret key for Drone
diff --git a/cluster/prod/app/drone-ci/secrets/drone-ci/s3_storage_bucket b/cluster/prod/app/drone-ci/secrets/drone-ci/s3_storage_bucket
deleted file mode 100644
index ca2702c..0000000
--- a/cluster/prod/app/drone-ci/secrets/drone-ci/s3_storage_bucket
+++ /dev/null
@@ -1 +0,0 @@
-CONST drone-storage
diff --git a/cluster/prod/app/email/config/dovecot/certs.gen b/cluster/prod/app/email/config/dovecot/certs.gen
deleted file mode 100755
index f26e917..0000000
--- a/cluster/prod/app/email/config/dovecot/certs.gen
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash
-
-TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=imap.deuxfleurs.fr"
-openssl req \
- -new \
- -newkey rsa:4096 \
- -days 3650 \
- -nodes \
- -x509 \
- -subj ${TLSINFO} \
- -keyout dovecot.key \
- -out dovecot.crt
-
diff --git a/cluster/prod/app/email/config/postfix/certs.gen b/cluster/prod/app/email/config/postfix/certs.gen
deleted file mode 100755
index f25439b..0000000
--- a/cluster/prod/app/email/config/postfix/certs.gen
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash
-
-TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr"
-openssl req \
- -new \
- -newkey rsa:4096 \
- -days 3650 \
- -nodes \
- -x509 \
- -subj ${TLSINFO} \
- -keyout postfix.key \
- -out postfix.crt
-
diff --git a/cluster/prod/app/email/deploy/email.hcl b/cluster/prod/app/email/deploy/email.hcl
index 7925975..84f4c3b 100644
--- a/cluster/prod/app/email/deploy/email.hcl
+++ b/cluster/prod/app/email/deploy/email.hcl
@@ -150,13 +150,11 @@ job "email" {
# ----- secrets ------
template {
- # data = "{{ key \"secrets/email/dovecot/dovecot.crt\" }}"
data = "{{ with $d := key \"tricot/certs/imap.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"
destination = "secrets/ssl/certs/dovecot.crt"
perms = "400"
}
template {
- # data = "{{ key \"secrets/email/dovecot/dovecot.key\" }}"
data = "{{ with $d := key \"tricot/certs/imap.deuxfleurs.fr\" | parseJSON }}{{ $d.key_pem }}{{ end }}"
destination = "secrets/ssl/private/dovecot.key"
perms = "400"
@@ -381,14 +379,12 @@ job "email" {
# --- secrets ---
template {
- # data = "{{ key \"secrets/email/postfix/postfix.crt\" }}"
data = "{{ with $d := key \"tricot/certs/smtp.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"
destination = "secrets/ssl/postfix.crt"
perms = "400"
}
template {
- # data = "{{ key \"secrets/email/postfix/postfix.key\" }}"
data = "{{ with $d := key \"tricot/certs/smtp.deuxfleurs.fr\" | parseJSON }}{{ $d.key_pem }}{{ end }}"
destination = "secrets/ssl/postfix.key"
perms = "400"
diff --git a/cluster/prod/app/email/secrets.toml b/cluster/prod/app/email/secrets.toml
new file mode 100644
index 0000000..6263e33
--- /dev/null
+++ b/cluster/prod/app/email/secrets.toml
@@ -0,0 +1,23 @@
+# ---- POSTFIX ----
+
+[secrets."email/dkim/smtp.private"]
+type = 'RSA_PRIVATE_KEY'
+name = 'dkim'
+
+# ---- DOVECOT ----
+
+[service_users."dovecot"]
+dn_secret = "email/dovecot/ldap_binddn"
+password_secret = "email/dovecot/ldap_bindpwd"
+
+
+# ---- SOGO ----
+
+[service_users."sogo"]
+dn_secret = "email/sogo/ldap_binddn"
+password_secret = "email/sogo/ldap_bindpw"
+
+[secrets."email/sogo/postgre_auth"]
+type = 'user'
+description = 'SoGo postgres auth (format: sogo:<password>) (TODO: replace this with two separate files and change template)'
+
diff --git a/cluster/prod/app/email/secrets/email/dkim/smtp.private b/cluster/prod/app/email/secrets/email/dkim/smtp.private
deleted file mode 100644
index 3aa3621..0000000
--- a/cluster/prod/app/email/secrets/email/dkim/smtp.private
+++ /dev/null
@@ -1 +0,0 @@
-RSA_PRIVATE_KEY dkim
diff --git a/cluster/prod/app/email/secrets/email/dovecot/backup_aws_access_key_id b/cluster/prod/app/email/secrets/email/dovecot/backup_aws_access_key_id
deleted file mode 100644
index 9ae6adf..0000000
--- a/cluster/prod/app/email/secrets/email/dovecot/backup_aws_access_key_id
+++ /dev/null
@@ -1 +0,0 @@
-USER AWS Acces Key ID
diff --git a/cluster/prod/app/email/secrets/email/dovecot/backup_aws_secret_access_key b/cluster/prod/app/email/secrets/email/dovecot/backup_aws_secret_access_key
deleted file mode 100644
index ac95906..0000000
--- a/cluster/prod/app/email/secrets/email/dovecot/backup_aws_secret_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER AWS Secret Access key
diff --git a/cluster/prod/app/email/secrets/email/dovecot/backup_restic_password b/cluster/prod/app/email/secrets/email/dovecot/backup_restic_password
deleted file mode 100644
index c19a4a3..0000000
--- a/cluster/prod/app/email/secrets/email/dovecot/backup_restic_password
+++ /dev/null
@@ -1 +0,0 @@
-USER Restic backup password to encrypt data
diff --git a/cluster/prod/app/email/secrets/email/dovecot/backup_restic_repository b/cluster/prod/app/email/secrets/email/dovecot/backup_restic_repository
deleted file mode 100644
index 0434a15..0000000
--- a/cluster/prod/app/email/secrets/email/dovecot/backup_restic_repository
+++ /dev/null
@@ -1 +0,0 @@
-USER Restic Repository URL, check op_guide/backup-minio to see the format
diff --git a/cluster/prod/app/email/secrets/email/dovecot/dovecot.crt b/cluster/prod/app/email/secrets/email/dovecot/dovecot.crt
deleted file mode 100644
index 7229cfc..0000000
--- a/cluster/prod/app/email/secrets/email/dovecot/dovecot.crt
+++ /dev/null
@@ -1 +0,0 @@
-SSL_CERT dovecot deuxfleurs.fr
diff --git a/cluster/prod/app/email/secrets/email/dovecot/dovecot.key b/cluster/prod/app/email/secrets/email/dovecot/dovecot.key
deleted file mode 100644
index 0d42c79..0000000
--- a/cluster/prod/app/email/secrets/email/dovecot/dovecot.key
+++ /dev/null
@@ -1 +0,0 @@
-SSL_KEY dovecot
diff --git a/cluster/prod/app/email/secrets/email/dovecot/ldap_binddn b/cluster/prod/app/email/secrets/email/dovecot/ldap_binddn
deleted file mode 100644
index da380f2..0000000
--- a/cluster/prod/app/email/secrets/email/dovecot/ldap_binddn
+++ /dev/null
@@ -1 +0,0 @@
-SERVICE_DN dovecot Dovecot IMAP server
diff --git a/cluster/prod/app/email/secrets/email/dovecot/ldap_bindpwd b/cluster/prod/app/email/secrets/email/dovecot/ldap_bindpwd
deleted file mode 100644
index 068f663..0000000
--- a/cluster/prod/app/email/secrets/email/dovecot/ldap_bindpwd
+++ /dev/null
@@ -1 +0,0 @@
-SERVICE_PASSWORD dovecot
diff --git a/cluster/prod/app/email/secrets/email/postfix/postfix.crt b/cluster/prod/app/email/secrets/email/postfix/postfix.crt
deleted file mode 100644
index f004d67..0000000
--- a/cluster/prod/app/email/secrets/email/postfix/postfix.crt
+++ /dev/null
@@ -1 +0,0 @@
-SSL_CERT postfix deuxfleurs.fr
diff --git a/cluster/prod/app/email/secrets/email/postfix/postfix.key b/cluster/prod/app/email/secrets/email/postfix/postfix.key
deleted file mode 100644
index 2cf1706..0000000
--- a/cluster/prod/app/email/secrets/email/postfix/postfix.key
+++ /dev/null
@@ -1 +0,0 @@
-SSL_KEY postfix
diff --git a/cluster/prod/app/email/secrets/email/sogo/ldap_binddn b/cluster/prod/app/email/secrets/email/sogo/ldap_binddn
deleted file mode 100644
index df627d3..0000000
--- a/cluster/prod/app/email/secrets/email/sogo/ldap_binddn
+++ /dev/null
@@ -1 +0,0 @@
-SERVICE_DN sogo SoGo email frontend
diff --git a/cluster/prod/app/email/secrets/email/sogo/ldap_bindpw b/cluster/prod/app/email/secrets/email/sogo/ldap_bindpw
deleted file mode 100644
index 8d2f35b..0000000
--- a/cluster/prod/app/email/secrets/email/sogo/ldap_bindpw
+++ /dev/null
@@ -1 +0,0 @@
-SERVICE_PASSWORD sogo
diff --git a/cluster/prod/app/email/secrets/email/sogo/postgre_auth b/cluster/prod/app/email/secrets/email/sogo/postgre_auth
deleted file mode 100644
index 4f66253..0000000
--- a/cluster/prod/app/email/secrets/email/sogo/postgre_auth
+++ /dev/null
@@ -1 +0,0 @@
-USER SoGo postgres auth (format: sogo:<password>) (TODO: replace this with two separate files and change template)
diff --git a/cluster/prod/app/garage/secrets.toml b/cluster/prod/app/garage/secrets.toml
new file mode 100644
index 0000000..e616091
--- /dev/null
+++ b/cluster/prod/app/garage/secrets.toml
@@ -0,0 +1,14 @@
+[secrets."garage/rpc_secret"]
+type = 'command'
+command = 'openssl rand -hex 32'
+# can't auto-rotate, because we still have some nodes outside of Nomad
+
+[secrets."garage/admin_token"]
+type = 'command'
+command = 'openssl rand -hex 32'
+rotate = true
+
+[secrets."garage/metrics_token"]
+type = 'command'
+command = 'openssl rand -hex 32'
+rotate = true
diff --git a/cluster/prod/app/garage/secrets/garage/admin_token b/cluster/prod/app/garage/secrets/garage/admin_token
deleted file mode 100644
index d831d53..0000000
--- a/cluster/prod/app/garage/secrets/garage/admin_token
+++ /dev/null
@@ -1 +0,0 @@
-CMD_ONCE openssl rand -hex 32
diff --git a/cluster/prod/app/garage/secrets/garage/metrics_token b/cluster/prod/app/garage/secrets/garage/metrics_token
deleted file mode 100644
index d831d53..0000000
--- a/cluster/prod/app/garage/secrets/garage/metrics_token
+++ /dev/null
@@ -1 +0,0 @@
-CMD_ONCE openssl rand -hex 32
diff --git a/cluster/prod/app/garage/secrets/garage/rpc_secret b/cluster/prod/app/garage/secrets/garage/rpc_secret
deleted file mode 100644
index d831d53..0000000
--- a/cluster/prod/app/garage/secrets/garage/rpc_secret
+++ /dev/null
@@ -1 +0,0 @@
-CMD_ONCE openssl rand -hex 32
diff --git a/cluster/prod/app/guichet/secrets.toml b/cluster/prod/app/guichet/secrets.toml
new file mode 100644
index 0000000..d614b27
--- /dev/null
+++ b/cluster/prod/app/guichet/secrets.toml
@@ -0,0 +1,51 @@
+# General configuration
+
+[secrets."directory/guichet/web_hostname"]
+type = 'user'
+description = 'Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com)'
+
+
+# Mailing configuration
+
+[secrets."directory/guichet/smtp_user"]
+type = 'user'
+description = 'SMTP username'
+
+[secrets."directory/guichet/smtp_pass"]
+type = 'user'
+description = 'SMTP password'
+
+[secrets."directory/guichet/smtp_server"]
+type = 'user'
+description = 'SMTP server address (hostname:port)'
+
+[secrets."directory/guichet/mail_from"]
+type = 'user'
+description = 'E-mail address from which to send welcome emails to new users'
+
+[secrets."directory/guichet/mail_domain"]
+type = 'user'
+description = 'E-mail domain for new users (e.g. example.com)'
+
+
+# S3 configuration
+
+[secrets."directory/guichet/s3_endpoint"]
+type = 'user'
+description = 'S3 endpoint URL'
+
+[secrets."directory/guichet/s3_bucket"]
+type = 'user'
+description = 'S3 bucket in which to store data files (such as profile pictures)'
+
+[secrets."directory/guichet/s3_region"]
+type = 'user'
+description = 'S3 region'
+
+[secrets."directory/guichet/s3_access_key"]
+type = 'user'
+description = 'Garage access key for Guichet profile pictures'
+
+[secrets."directory/guichet/s3_secret_key"]
+type = 'user'
+description = 'Garage secret key for Guichet profile pictures'
diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/mail_domain b/cluster/prod/app/guichet/secrets/directory/guichet/mail_domain
deleted file mode 100644
index 5db1ba3..0000000
--- a/cluster/prod/app/guichet/secrets/directory/guichet/mail_domain
+++ /dev/null
@@ -1 +0,0 @@
-USER E-mail domain for new users (e.g. example.com)
diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/mail_from b/cluster/prod/app/guichet/secrets/directory/guichet/mail_from
deleted file mode 100644
index 9075cbf..0000000
--- a/cluster/prod/app/guichet/secrets/directory/guichet/mail_from
+++ /dev/null
@@ -1 +0,0 @@
-USER E-mail address from which to send welcome emails to new users
diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/s3_access_key b/cluster/prod/app/guichet/secrets/directory/guichet/s3_access_key
deleted file mode 100644
index e5b37ff..0000000
--- a/cluster/prod/app/guichet/secrets/directory/guichet/s3_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER Garage access key for Guichet profile pictures
diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/s3_bucket b/cluster/prod/app/guichet/secrets/directory/guichet/s3_bucket
deleted file mode 100644
index cb059cf..0000000
--- a/cluster/prod/app/guichet/secrets/directory/guichet/s3_bucket
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 bucket in which to store data files (such as profile pictures)
diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/s3_endpoint b/cluster/prod/app/guichet/secrets/directory/guichet/s3_endpoint
deleted file mode 100644
index b414269..0000000
--- a/cluster/prod/app/guichet/secrets/directory/guichet/s3_endpoint
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 endpoint URL
diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/s3_region b/cluster/prod/app/guichet/secrets/directory/guichet/s3_region
deleted file mode 100644
index ef16924..0000000
--- a/cluster/prod/app/guichet/secrets/directory/guichet/s3_region
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 region
diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/s3_secret_key b/cluster/prod/app/guichet/secrets/directory/guichet/s3_secret_key
deleted file mode 100644
index f3e7f0f..0000000
--- a/cluster/prod/app/guichet/secrets/directory/guichet/s3_secret_key
+++ /dev/null
@@ -1 +0,0 @@
-USER Garage secret key for Guichet profile pictures
diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/smtp_pass b/cluster/prod/app/guichet/secrets/directory/guichet/smtp_pass
deleted file mode 100644
index fc9d1e3..0000000
--- a/cluster/prod/app/guichet/secrets/directory/guichet/smtp_pass
+++ /dev/null
@@ -1 +0,0 @@
-USER SMTP password
diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/smtp_server b/cluster/prod/app/guichet/secrets/directory/guichet/smtp_server
deleted file mode 100644
index c453935..0000000
--- a/cluster/prod/app/guichet/secrets/directory/guichet/smtp_server
+++ /dev/null
@@ -1 +0,0 @@
-USER SMTP server address (hostname:port)
diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/smtp_user b/cluster/prod/app/guichet/secrets/directory/guichet/smtp_user
deleted file mode 100644
index c9c8bd0..0000000
--- a/cluster/prod/app/guichet/secrets/directory/guichet/smtp_user
+++ /dev/null
@@ -1 +0,0 @@
-USER SMTP username
diff --git a/cluster/prod/app/guichet/secrets/directory/guichet/web_hostname b/cluster/prod/app/guichet/secrets/directory/guichet/web_hostname
deleted file mode 100644
index afe2512..0000000
--- a/cluster/prod/app/guichet/secrets/directory/guichet/web_hostname
+++ /dev/null
@@ -1 +0,0 @@
-USER Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com)
diff --git a/cluster/prod/app/jitsi/secrets.toml b/cluster/prod/app/jitsi/secrets.toml
new file mode 100644
index 0000000..cb6126f
--- /dev/null
+++ b/cluster/prod/app/jitsi/secrets.toml
@@ -0,0 +1,36 @@
+# Jitsi secrets
+
+[secrets."jitsi/jvb_pass"]
+type = 'command'
+rotate = true
+command = 'openssl rand -base64 24'
+
+[secrets."jitsi/jicofo_pass"]
+type = 'command'
+rotate = true
+command = 'openssl rand -base64 24'
+
+
+# SSL: Jitsi
+
+[secrets."jitsi/jitsi.crt"]
+type = 'SSL_CERT'
+name = 'jitsi'
+cert_domains = "['jitsi']"
+
+[secrets."jitsi/jitsi.key"]
+type = 'SSL_KEY'
+name = 'jitsi'
+
+
+# SSL: Jitsi auth
+
+[secrets."jitsi/auth.jitsi.crt"]
+type = 'SSL_CERT'
+name = 'jitsi_auth'
+cert_domains = "['auth.jitsi']"
+
+[secrets."jitsi/auth.jitsi.key"]
+type = 'SSL_KEY'
+name = 'jitsi_auth'
+
diff --git a/cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.crt b/cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.crt
deleted file mode 100644
index f4ab925..0000000
--- a/cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.crt
+++ /dev/null
@@ -1 +0,0 @@
-SSL_CERT jitsi_auth auth.jitsi
diff --git a/cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.key b/cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.key
deleted file mode 100644
index 82e7b6b..0000000
--- a/cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.key
+++ /dev/null
@@ -1 +0,0 @@
-SSL_KEY jitsi_auth auth.jitsi
diff --git a/cluster/prod/app/jitsi/secrets/jitsi/jicofo_pass b/cluster/prod/app/jitsi/secrets/jitsi/jicofo_pass
deleted file mode 100644
index 6a0f5fc..0000000
--- a/cluster/prod/app/jitsi/secrets/jitsi/jicofo_pass
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -base64 24
diff --git a/cluster/prod/app/jitsi/secrets/jitsi/jitsi.crt b/cluster/prod/app/jitsi/secrets/jitsi/jitsi.crt
deleted file mode 100644
index 2eed97c..0000000
--- a/cluster/prod/app/jitsi/secrets/jitsi/jitsi.crt
+++ /dev/null
@@ -1 +0,0 @@
-SSL_CERT jitsi jitsi
diff --git a/cluster/prod/app/jitsi/secrets/jitsi/jitsi.key b/cluster/prod/app/jitsi/secrets/jitsi/jitsi.key
deleted file mode 100644
index af53ca0..0000000
--- a/cluster/prod/app/jitsi/secrets/jitsi/jitsi.key
+++ /dev/null
@@ -1 +0,0 @@
-SSL_KEY jitsi jitsi
diff --git a/cluster/prod/app/jitsi/secrets/jitsi/jvb_pass b/cluster/prod/app/jitsi/secrets/jitsi/jvb_pass
deleted file mode 100644
index 6a0f5fc..0000000
--- a/cluster/prod/app/jitsi/secrets/jitsi/jvb_pass
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -base64 24
diff --git a/cluster/prod/app/matrix/config/synapse/homeserver.yaml b/cluster/prod/app/matrix/config/synapse/homeserver.yaml
index b4b7c67..48ae431 100644
--- a/cluster/prod/app/matrix/config/synapse/homeserver.yaml
+++ b/cluster/prod/app/matrix/config/synapse/homeserver.yaml
@@ -1,22 +1,6 @@
# vim:ft=yaml
server_name: "deuxfleurs.fr"
-# PEM encoded X509 certificate for TLS.
-# You can replace the self-signed certificate that synapse
-# autogenerates on launch with your own SSL certificate + key pair
-# if you like. Any required intermediary certificates can be
-# appended after the primary certificate in hierarchical order.
-tls_certificate_path: "/etc/matrix-synapse/homeserver.tls.crt"
-
-# PEM encoded private key for TLS
-tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key"
-
-# PEM dh parameters for ephemeral keys
-tls_dh_params_path: "/etc/matrix-synapse/homeserver.tls.dh"
-
-# Don't bind to the https port
-no_tls: True
-
## Server ##
diff --git a/cluster/prod/app/matrix/deploy/im.hcl b/cluster/prod/app/matrix/deploy/im.hcl
index bd28feb..339fea7 100644
--- a/cluster/prod/app/matrix/deploy/im.hcl
+++ b/cluster/prod/app/matrix/deploy/im.hcl
@@ -55,21 +55,6 @@ job "matrix" {
# --- secrets ---
template {
- data = "{{ key \"secrets/chat/synapse/homeserver.tls.crt\" }}"
- destination = "secrets/conf/homeserver.tls.crt"
- }
-
- template {
- data = "{{ key \"secrets/chat/synapse/homeserver.tls.dh\" }}"
- destination = "secrets/conf/homeserver.tls.dh"
- }
-
- template {
- data = "{{ key \"secrets/chat/synapse/homeserver.tls.key\" }}"
- destination = "secrets/conf/homeserver.tls.key"
- }
-
- template {
data = "{{ key \"secrets/chat/synapse/homeserver.signing.key\" }}"
destination = "secrets/conf/homeserver.signing.key"
}
diff --git a/cluster/prod/app/matrix/secrets.toml b/cluster/prod/app/matrix/secrets.toml
new file mode 100644
index 0000000..8cd1572
--- /dev/null
+++ b/cluster/prod/app/matrix/secrets.toml
@@ -0,0 +1,81 @@
+[service_users."matrix"]
+description = 'Matrix service user'
+dn_secret = 'chat/synapse/ldap_binddn'
+password_secret = 'chat/synapse/ldap_bindpw'
+
+
+# Postgresql DB
+
+[secrets."chat/synapse/postgres_db"]
+type = 'user'
+description = 'Synapse PostgrSQL database name'
+example = 'synapse'
+
+[secrets."chat/synapse/postgres_user"]
+type = 'service_username'
+service = 'matrix'
+
+[secrets."chat/synapse/postgres_pwd"]
+type = 'service_password'
+service = 'matrix'
+
+
+# S3 access
+
+[secrets."chat/synapse/s3_access_key"]
+type = 'user'
+description = 'S3 access key ID for Matrix bucket'
+
+[secrets."chat/synapse/s3_secret_key"]
+type = 'user'
+description = 'S3 secret access key for Matrix bucket'
+
+
+# Keys & stuff
+
+[secrets."chat/synapse/homeserver.signing.key"]
+type = 'user'
+description = 'Synapse homeserver ed25519 signing key'
+
+[secrets."chat/synapse/registration_shared_secret"]
+type = 'command'
+rotate = true
+command = 'head -c 32 /dev/urandom | base64'
+
+
+# ===== OLD STUFF, KEPT FOR REFERENCE ====
+
+# ----------- COTURN -----------
+
+# [secrets."chat/coturn/static-auth"]
+# type = 'user'
+# description = 'coturn static-auth (what is this?)'
+#
+# [secrets."chat/coturn/static_auth_secret_zinzdev"]
+# type = 'user'
+# description = "Serveur coturn (TURN/STUN) d'Adrien, c'est un jeton d'identification."
+
+
+# ----------- EASYBRIDGE -----------
+
+# [service_users."easybridge"]
+# description = 'Easybridge service user'
+# password_secret = 'chat/easybridge/db_pass'
+# username_secret = 'chat/easybridge/db_user'
+#
+#
+# [secrets."chat/easybridge/as_token"]
+# type = 'command'
+# rotate = true
+# command = 'openssl rand -hex 32'
+#
+# [secrets."chat/easybridge/web_session_key"]
+# type = 'command'
+# rotate = true
+# command = 'openssl rand -hex 32'
+#
+# [secrets."chat/easybridge/hs_token"]
+# type = 'command'
+# rotate = true
+# command = 'openssl rand -hex 32'
+#
diff --git a/cluster/prod/app/matrix/secrets/chat/coturn/static-auth b/cluster/prod/app/matrix/secrets/chat/coturn/static-auth
deleted file mode 100644
index 43628ef..0000000
--- a/cluster/prod/app/matrix/secrets/chat/coturn/static-auth
+++ /dev/null
@@ -1 +0,0 @@
-USER coturn static-auth (what is this?)
diff --git a/cluster/prod/app/matrix/secrets/chat/coturn/static_auth_secret_zinzdev b/cluster/prod/app/matrix/secrets/chat/coturn/static_auth_secret_zinzdev
deleted file mode 100644
index c61486d..0000000
--- a/cluster/prod/app/matrix/secrets/chat/coturn/static_auth_secret_zinzdev
+++ /dev/null
@@ -1 +0,0 @@
-USER Serveur coturn (TURN/STUN) d'Adrien, c'est un jeton d'identification. \ No newline at end of file
diff --git a/cluster/prod/app/matrix/secrets/chat/easybridge/as_token b/cluster/prod/app/matrix/secrets/chat/easybridge/as_token
deleted file mode 100644
index 5fa4e3c..0000000
--- a/cluster/prod/app/matrix/secrets/chat/easybridge/as_token
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -hex 32
diff --git a/cluster/prod/app/matrix/secrets/chat/easybridge/db_pass b/cluster/prod/app/matrix/secrets/chat/easybridge/db_pass
deleted file mode 100644
index 7e1f94b..0000000
--- a/cluster/prod/app/matrix/secrets/chat/easybridge/db_pass
+++ /dev/null
@@ -1 +0,0 @@
-SERVICE_PASSWORD easybridge
diff --git a/cluster/prod/app/matrix/secrets/chat/easybridge/db_user b/cluster/prod/app/matrix/secrets/chat/easybridge/db_user
deleted file mode 100644
index 436267c..0000000
--- a/cluster/prod/app/matrix/secrets/chat/easybridge/db_user
+++ /dev/null
@@ -1 +0,0 @@
-CONST easybridge
diff --git a/cluster/prod/app/matrix/secrets/chat/easybridge/hs_token b/cluster/prod/app/matrix/secrets/chat/easybridge/hs_token
deleted file mode 100644
index 5fa4e3c..0000000
--- a/cluster/prod/app/matrix/secrets/chat/easybridge/hs_token
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -hex 32
diff --git a/cluster/prod/app/matrix/secrets/chat/easybridge/web_session_key b/cluster/prod/app/matrix/secrets/chat/easybridge/web_session_key
deleted file mode 100644
index 614bed7..0000000
--- a/cluster/prod/app/matrix/secrets/chat/easybridge/web_session_key
+++ /dev/null
@@ -1,2 +0,0 @@
-CMD openssl rand -hex 32
-
diff --git a/cluster/prod/app/matrix/secrets/chat/fb2mx/as_token b/cluster/prod/app/matrix/secrets/chat/fb2mx/as_token
deleted file mode 100644
index 5fa4e3c..0000000
--- a/cluster/prod/app/matrix/secrets/chat/fb2mx/as_token
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -hex 32
diff --git a/cluster/prod/app/matrix/secrets/chat/fb2mx/db_url b/cluster/prod/app/matrix/secrets/chat/fb2mx/db_url
deleted file mode 100644
index f06e265..0000000
--- a/cluster/prod/app/matrix/secrets/chat/fb2mx/db_url
+++ /dev/null
@@ -1 +0,0 @@
-USER fb2mx database URL, format: postgres://username:password@hostname/dbname
diff --git a/cluster/prod/app/matrix/secrets/chat/fb2mx/hs_token b/cluster/prod/app/matrix/secrets/chat/fb2mx/hs_token
deleted file mode 100644
index 5fa4e3c..0000000
--- a/cluster/prod/app/matrix/secrets/chat/fb2mx/hs_token
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -hex 32
diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.signing.key b/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.signing.key
deleted file mode 100644
index 099bd18..0000000
--- a/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.signing.key
+++ /dev/null
@@ -1 +0,0 @@
-USER Synapse homeserver ed25519 signing key
diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.crt b/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.crt
deleted file mode 100644
index b696093..0000000
--- a/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.crt
+++ /dev/null
@@ -1 +0,0 @@
-SSL_CERT synapse im.deuxfleurs.fr
diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.dh b/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.dh
deleted file mode 100644
index 0231fed..0000000
--- a/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.dh
+++ /dev/null
@@ -1 +0,0 @@
-USER_LONG DH parameters for matrix ssl key? how does this work?
diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.key b/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.key
deleted file mode 100644
index feee544..0000000
--- a/cluster/prod/app/matrix/secrets/chat/synapse/homeserver.tls.key
+++ /dev/null
@@ -1 +0,0 @@
-SSL_KEY synapse im.deuxfleurs.fr
diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/ldap_binddn b/cluster/prod/app/matrix/secrets/chat/synapse/ldap_binddn
deleted file mode 100644
index 2631bef..0000000
--- a/cluster/prod/app/matrix/secrets/chat/synapse/ldap_binddn
+++ /dev/null
@@ -1 +0,0 @@
-SERVICE_DN matrix Matrix chat server
diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/ldap_bindpw b/cluster/prod/app/matrix/secrets/chat/synapse/ldap_bindpw
deleted file mode 100644
index ba07446..0000000
--- a/cluster/prod/app/matrix/secrets/chat/synapse/ldap_bindpw
+++ /dev/null
@@ -1 +0,0 @@
-SERVICE_PASSWORD matrix
diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/postgres_db b/cluster/prod/app/matrix/secrets/chat/synapse/postgres_db
deleted file mode 100644
index 74eefa7..0000000
--- a/cluster/prod/app/matrix/secrets/chat/synapse/postgres_db
+++ /dev/null
@@ -1 +0,0 @@
-CONST synapse
diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/postgres_pwd b/cluster/prod/app/matrix/secrets/chat/synapse/postgres_pwd
deleted file mode 100644
index ba07446..0000000
--- a/cluster/prod/app/matrix/secrets/chat/synapse/postgres_pwd
+++ /dev/null
@@ -1 +0,0 @@
-SERVICE_PASSWORD matrix
diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/postgres_user b/cluster/prod/app/matrix/secrets/chat/synapse/postgres_user
deleted file mode 100644
index b08e86a..0000000
--- a/cluster/prod/app/matrix/secrets/chat/synapse/postgres_user
+++ /dev/null
@@ -1 +0,0 @@
-CONST matrix
diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/registration_shared_secret b/cluster/prod/app/matrix/secrets/chat/synapse/registration_shared_secret
deleted file mode 100644
index b82f191..0000000
--- a/cluster/prod/app/matrix/secrets/chat/synapse/registration_shared_secret
+++ /dev/null
@@ -1 +0,0 @@
-CMD head -c 32 /dev/urandom | base64
diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/s3_access_key b/cluster/prod/app/matrix/secrets/chat/synapse/s3_access_key
deleted file mode 100644
index ab09a8e..0000000
--- a/cluster/prod/app/matrix/secrets/chat/synapse/s3_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER matrix
diff --git a/cluster/prod/app/matrix/secrets/chat/synapse/s3_secret_key b/cluster/prod/app/matrix/secrets/chat/synapse/s3_secret_key
deleted file mode 100644
index ab09a8e..0000000
--- a/cluster/prod/app/matrix/secrets/chat/synapse/s3_secret_key
+++ /dev/null
@@ -1 +0,0 @@
-USER matrix
diff --git a/cluster/prod/app/plume/secrets.toml b/cluster/prod/app/plume/secrets.toml
new file mode 100644
index 0000000..4d68a5c
--- /dev/null
+++ b/cluster/prod/app/plume/secrets.toml
@@ -0,0 +1,10 @@
+[service_user."plume"]
+password_secret = "plume/pgsql_pw"
+
+
+[secrets."plume/secret_key"]
+type = 'command'
+rotate = true
+command = 'openssl rand -base64 32'
+
+
diff --git a/cluster/prod/app/plume/secrets/plume/backup_aws_access_key_id b/cluster/prod/app/plume/secrets/plume/backup_aws_access_key_id
deleted file mode 100644
index 9235e53..0000000
--- a/cluster/prod/app/plume/secrets/plume/backup_aws_access_key_id
+++ /dev/null
@@ -1 +0,0 @@
-USER Backup AWS access key ID
diff --git a/cluster/prod/app/plume/secrets/plume/backup_aws_secret_access_key b/cluster/prod/app/plume/secrets/plume/backup_aws_secret_access_key
deleted file mode 100644
index f34677e..0000000
--- a/cluster/prod/app/plume/secrets/plume/backup_aws_secret_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER Backup AWS secret access key
diff --git a/cluster/prod/app/plume/secrets/plume/backup_restic_password b/cluster/prod/app/plume/secrets/plume/backup_restic_password
deleted file mode 100644
index fbaa5fa..0000000
--- a/cluster/prod/app/plume/secrets/plume/backup_restic_password
+++ /dev/null
@@ -1 +0,0 @@
-USER Restic password to encrypt backups
diff --git a/cluster/prod/app/plume/secrets/plume/backup_restic_repository b/cluster/prod/app/plume/secrets/plume/backup_restic_repository
deleted file mode 100644
index 3f6cb93..0000000
--- a/cluster/prod/app/plume/secrets/plume/backup_restic_repository
+++ /dev/null
@@ -1 +0,0 @@
-USER Restic repository, eg. s3:https://s3.garage.tld
diff --git a/cluster/prod/app/plume/secrets/plume/pgsql_pw b/cluster/prod/app/plume/secrets/plume/pgsql_pw
deleted file mode 100644
index 0f831bb..0000000
--- a/cluster/prod/app/plume/secrets/plume/pgsql_pw
+++ /dev/null
@@ -1 +0,0 @@
-SERVICE_PASSWORD plume
diff --git a/cluster/prod/app/plume/secrets/plume/secret_key b/cluster/prod/app/plume/secrets/plume/secret_key
deleted file mode 100644
index 978be54..0000000
--- a/cluster/prod/app/plume/secrets/plume/secret_key
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -base64 32
diff --git a/cluster/prod/app/postgres/secrets.toml b/cluster/prod/app/postgres/secrets.toml
new file mode 100644
index 0000000..537a72d
--- /dev/null
+++ b/cluster/prod/app/postgres/secrets.toml
@@ -0,0 +1,10 @@
+[service_users."replicator"]
+password_secret = "postgres/keeper/pg_repl_pwd"
+username_secret = "postgres/keeper/pg_repl_username"
+
+
+[secrets."postgres/keeper/pg_su_pwd"]
+type = 'command'
+command = 'openssl rand -base64 15'
+description = 'postgres superuser password'
+
diff --git a/cluster/prod/app/postgres/secrets/postgres/keeper/pg_repl_pwd b/cluster/prod/app/postgres/secrets/postgres/keeper/pg_repl_pwd
deleted file mode 100644
index ae0c229..0000000
--- a/cluster/prod/app/postgres/secrets/postgres/keeper/pg_repl_pwd
+++ /dev/null
@@ -1 +0,0 @@
-SERVICE_PASSWORD replicator
diff --git a/cluster/prod/app/postgres/secrets/postgres/keeper/pg_repl_username b/cluster/prod/app/postgres/secrets/postgres/keeper/pg_repl_username
deleted file mode 100644
index 58e6e46..0000000
--- a/cluster/prod/app/postgres/secrets/postgres/keeper/pg_repl_username
+++ /dev/null
@@ -1 +0,0 @@
-CONST replicator
diff --git a/cluster/prod/app/postgres/secrets/postgres/keeper/pg_su_pwd b/cluster/prod/app/postgres/secrets/postgres/keeper/pg_su_pwd
deleted file mode 100644
index 907e2b8..0000000
--- a/cluster/prod/app/postgres/secrets/postgres/keeper/pg_su_pwd
+++ /dev/null
@@ -1 +0,0 @@
-USER postgres superuser password
diff --git a/cluster/prod/app/secretmgr b/cluster/prod/app/secretmgr
deleted file mode 120000
index 6aff4ad..0000000
--- a/cluster/prod/app/secretmgr
+++ /dev/null
@@ -1 +0,0 @@
-../../../secretmgr/secretmgr \ No newline at end of file
diff --git a/cluster/prod/app/telemetry/secrets.toml b/cluster/prod/app/telemetry/secrets.toml
new file mode 100644
index 0000000..763a14c
--- /dev/null
+++ b/cluster/prod/app/telemetry/secrets.toml
@@ -0,0 +1,16 @@
+[secrets."telemetry/grafana/admin_password"]
+type = 'command'
+rotate = true
+command = 'openssl rand -base64 12'
+
+
+# S3 database storage access
+
+[secrets."telemetry/grafana/s3_access_key"]
+type = 'user'
+description = 'S3 access key for grafana db'
+
+[secrets."telemetry/grafana/s3_secret_key"]
+type = 'user'
+description = 'S3 secret key for grafana db'
+
diff --git a/cluster/prod/app/telemetry/secrets/telemetry/grafana/admin_password b/cluster/prod/app/telemetry/secrets/telemetry/grafana/admin_password
deleted file mode 100644
index 2f36e97..0000000
--- a/cluster/prod/app/telemetry/secrets/telemetry/grafana/admin_password
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -base64 12
diff --git a/cluster/prod/app/telemetry/secrets/telemetry/grafana/s3_access_key b/cluster/prod/app/telemetry/secrets/telemetry/grafana/s3_access_key
deleted file mode 100644
index c7e41a4..0000000
--- a/cluster/prod/app/telemetry/secrets/telemetry/grafana/s3_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 access key for grafana db
diff --git a/cluster/prod/app/telemetry/secrets/telemetry/grafana/s3_secret_key b/cluster/prod/app/telemetry/secrets/telemetry/grafana/s3_secret_key
deleted file mode 100644
index 051f41a..0000000
--- a/cluster/prod/app/telemetry/secrets/telemetry/grafana/s3_secret_key
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 secret key for grafana db
diff --git a/cluster/prod/secretmgr.toml b/cluster/prod/secretmgr.toml
new file mode 100644
index 0000000..ea540e5
--- /dev/null
+++ b/cluster/prod/secretmgr.toml
@@ -0,0 +1,19 @@
+[ldap]
+server = "ldap://localhost:1389"
+service_dn_suffix = "ou=services,ou=users,dc=deuxfleurs,dc=fr"
+admin_dn = "cn=admin,dc=deuxfleurs,dc=org"
+
+
+[user_values]
+"directory/ldap_base_dn" = "dc=deuxfleurs,dc=fr"
+"directory/guichet/web_hostname" = "guichet.deuxfleurs.fr"
+"directory/guichet/mail_domain" = "deuxfleurs.fr"
+"directory/guichet/s3_bucket" = "bottin-pictures"
+"directory/guichet/s3_endpoint" = "garage.deuxfleurs.fr"
+"directory/guichet/s3_region" = "garage"
+# TODO: fix smtp server, use deuxfleurs' smtp
+
+"drone-ci/s3_db_bucket" = "drone-db"
+"drone-ci/s3_storage_bucket" = "drone-storage"
+
+"chat/synapse/postgres_db" = "synapse2"