authorAlex <alex@adnab.me>2023-01-01 18:47:34 +0000
committerAlex <alex@adnab.me>2023-01-01 18:47:34 +0000
commit3847c081817d93e75ec9ef8d53d2961e13df74c3 (patch)
treebd820bfda887f355fe1e56f8a1418c9353c59eb2 /cluster/staging
parentad6db2f1c502898e92fe377510dcf58b2d5ce6c9 (diff)
parent0d8c6a2d45c7b6bbb86f2d4268423578f0995894 (diff)
Merge pull request 'updated version of secretmgr' (#5) from new-secretmgr into main
Reviewed-on: https://git.deuxfleurs.fr/Deuxfleurs/nixcfg/pulls/5
Diffstat (limited to 'cluster/staging')
l---------cluster/staging/app/convertsecrets1
-rw-r--r--cluster/staging/app/core/secrets.toml4
-rw-r--r--cluster/staging/app/core/secrets/d53/gandi_api_key1
-rw-r--r--cluster/staging/app/directory/secrets.toml51
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/mail_domain1
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/mail_from1
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/s3_access_key1
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/s3_bucket1
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/s3_endpoint1
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/s3_region1
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/s3_secret_key1
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/smtp_pass1
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/smtp_server1
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/smtp_user1
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/web_hostname1
-rw-r--r--cluster/staging/app/directory/secrets/directory/ldap_base_dn1
-rw-r--r--cluster/staging/app/dummy/secrets.toml36
-rw-r--r--cluster/staging/app/garage/secrets.toml15
-rw-r--r--cluster/staging/app/garage/secrets/garage-staging/admin_token1
-rw-r--r--cluster/staging/app/garage/secrets/garage-staging/metrics_token1
-rw-r--r--cluster/staging/app/garage/secrets/garage-staging/rpc_secret1
-rw-r--r--cluster/staging/app/im/secrets.toml27
-rw-r--r--cluster/staging/app/im/secrets/synapse/form_secret1
-rw-r--r--cluster/staging/app/im/secrets/synapse/macaroon_secret_key1
-rw-r--r--cluster/staging/app/im/secrets/synapse/registration_shared_secret1
-rw-r--r--cluster/staging/app/im/secrets/synapse/s3_access_key1
-rw-r--r--cluster/staging/app/im/secrets/synapse/s3_secret_key1
-rw-r--r--cluster/staging/app/im/secrets/synapse/signing_key1
l---------cluster/staging/app/secretmgr1
-rw-r--r--cluster/staging/app/telemetry/secrets.toml13
-rw-r--r--cluster/staging/app/telemetry/secrets/telemetry/grafana/admin_password1
-rw-r--r--cluster/staging/app/telemetry/secrets/telemetry/grafana/s3_access_key1
-rw-r--r--cluster/staging/app/telemetry/secrets/telemetry/grafana/s3_secret_key1
-rw-r--r--cluster/staging/secretmgr.toml19
34 files changed, 166 insertions, 26 deletions
diff --git a/cluster/staging/app/convertsecrets b/cluster/staging/app/convertsecrets
new file mode 120000
index 0000000..3e30b0f
--- /dev/null
+++ b/cluster/staging/app/convertsecrets
@@ -0,0 +1 @@
+../../../secretmgr/convertsecrets \ No newline at end of file
diff --git a/cluster/staging/app/core/secrets.toml b/cluster/staging/app/core/secrets.toml
new file mode 100644
index 0000000..8da8561
--- /dev/null
+++ b/cluster/staging/app/core/secrets.toml
@@ -0,0 +1,4 @@
+[secrets."d53/gandi_api_key"]
+type = 'user'
+description = 'Gandi API key'
+
diff --git a/cluster/staging/app/core/secrets/d53/gandi_api_key b/cluster/staging/app/core/secrets/d53/gandi_api_key
deleted file mode 100644
index b3936c9..0000000
--- a/cluster/staging/app/core/secrets/d53/gandi_api_key
+++ /dev/null
@@ -1 +0,0 @@
-USER Gandi API key
diff --git a/cluster/staging/app/directory/secrets.toml b/cluster/staging/app/directory/secrets.toml
new file mode 100644
index 0000000..edde6cc
--- /dev/null
+++ b/cluster/staging/app/directory/secrets.toml
@@ -0,0 +1,51 @@
+[secrets."directory/ldap_base_dn"]
+type = 'user'
+description = 'LDAP base DN for everything'
+example = 'dc=example,dc=com'
+
+[secrets."directory/guichet/smtp_user"]
+type = 'user'
+description = 'SMTP username'
+
+[secrets."directory/guichet/s3_access_key"]
+type = 'user'
+description = 'Garage access key for Guichet profile pictures'
+
+[secrets."directory/guichet/s3_endpoint"]
+type = 'user'
+description = 'S3 endpoint URL'
+
+[secrets."directory/guichet/s3_region"]
+type = 'user'
+description = 'S3 region'
+
+[secrets."directory/guichet/smtp_pass"]
+type = 'user'
+description = 'SMTP password'
+
+[secrets."directory/guichet/web_hostname"]
+type = 'user'
+description = 'Public hostname from which Guichet is accessible via HTTP'
+example = 'guichet.example.com'
+
+[secrets."directory/guichet/s3_bucket"]
+type = 'user'
+description = 'S3 bucket in which to store data files (such as profile pictures)'
+
+[secrets."directory/guichet/smtp_server"]
+type = 'user'
+description = 'SMTP server address (hostname:port)'
+
+[secrets."directory/guichet/s3_secret_key"]
+type = 'user'
+description = 'Garage secret key for Guichet profile pictures'
+
+[secrets."directory/guichet/mail_from"]
+type = 'user'
+description = 'E-mail address from which to send welcome emails to new users'
+
+[secrets."directory/guichet/mail_domain"]
+type = 'user'
+description = 'E-mail domain for new users'
+example = 'example.com'
+
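Review bot: The entries in this file are in no discernible order — `smtp_user` first, then `s3_access_key`, `smtp_pass` after `s3_region`, `s3_secret_key` after `web_hostname` — which makes it hard to verify at a glance that every credential has its non-secret counterparts; I would group them as `ldap_base_dn`, the three `guichet/smtp_*` keys, the five `guichet/s3_*` keys, then `web_hostname`, `mail_from`, `mail_domain`. Nothing in the schema distinguishes a credential (`smtp_pass`, `s3_secret_key`) from a harmless value (`web_hostname`); both are `type = 'user'`, so consider marking the credentials in their description, e.g. `description = 'SMTP password (credential: never put in secretmgr.toml user_values)'`. `s3_endpoint` is described as an 'S3 endpoint URL', but the value supplied for it in cluster/staging/secretmgr.toml is a bare hostname with no scheme; if the consumer defaults scheme-less endpoints to http://, the S3 credentials would be sent in cleartext, so either state the expected form in the description or add `example = 'https://garage.example.com'`.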
diff --git a/cluster/staging/app/directory/secrets/directory/guichet/mail_domain b/cluster/staging/app/directory/secrets/directory/guichet/mail_domain
deleted file mode 100644
index 5db1ba3..0000000
--- a/cluster/staging/app/directory/secrets/directory/guichet/mail_domain
+++ /dev/null
@@ -1 +0,0 @@
-USER E-mail domain for new users (e.g. example.com)
diff --git a/cluster/staging/app/directory/secrets/directory/guichet/mail_from b/cluster/staging/app/directory/secrets/directory/guichet/mail_from
deleted file mode 100644
index 9075cbf..0000000
--- a/cluster/staging/app/directory/secrets/directory/guichet/mail_from
+++ /dev/null
@@ -1 +0,0 @@
-USER E-mail address from which to send welcome emails to new users
diff --git a/cluster/staging/app/directory/secrets/directory/guichet/s3_access_key b/cluster/staging/app/directory/secrets/directory/guichet/s3_access_key
deleted file mode 100644
index e5b37ff..0000000
--- a/cluster/staging/app/directory/secrets/directory/guichet/s3_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER Garage access key for Guichet profile pictures
diff --git a/cluster/staging/app/directory/secrets/directory/guichet/s3_bucket b/cluster/staging/app/directory/secrets/directory/guichet/s3_bucket
deleted file mode 100644
index cb059cf..0000000
--- a/cluster/staging/app/directory/secrets/directory/guichet/s3_bucket
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 bucket in which to store data files (such as profile pictures)
diff --git a/cluster/staging/app/directory/secrets/directory/guichet/s3_endpoint b/cluster/staging/app/directory/secrets/directory/guichet/s3_endpoint
deleted file mode 100644
index b414269..0000000
--- a/cluster/staging/app/directory/secrets/directory/guichet/s3_endpoint
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 endpoint URL
diff --git a/cluster/staging/app/directory/secrets/directory/guichet/s3_region b/cluster/staging/app/directory/secrets/directory/guichet/s3_region
deleted file mode 100644
index ef16924..0000000
--- a/cluster/staging/app/directory/secrets/directory/guichet/s3_region
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 region
diff --git a/cluster/staging/app/directory/secrets/directory/guichet/s3_secret_key b/cluster/staging/app/directory/secrets/directory/guichet/s3_secret_key
deleted file mode 100644
index f3e7f0f..0000000
--- a/cluster/staging/app/directory/secrets/directory/guichet/s3_secret_key
+++ /dev/null
@@ -1 +0,0 @@
-USER Garage secret key for Guichet profile pictures
diff --git a/cluster/staging/app/directory/secrets/directory/guichet/smtp_pass b/cluster/staging/app/directory/secrets/directory/guichet/smtp_pass
deleted file mode 100644
index fc9d1e3..0000000
--- a/cluster/staging/app/directory/secrets/directory/guichet/smtp_pass
+++ /dev/null
@@ -1 +0,0 @@
-USER SMTP password
diff --git a/cluster/staging/app/directory/secrets/directory/guichet/smtp_server b/cluster/staging/app/directory/secrets/directory/guichet/smtp_server
deleted file mode 100644
index c453935..0000000
--- a/cluster/staging/app/directory/secrets/directory/guichet/smtp_server
+++ /dev/null
@@ -1 +0,0 @@
-USER SMTP server address (hostname:port)
diff --git a/cluster/staging/app/directory/secrets/directory/guichet/smtp_user b/cluster/staging/app/directory/secrets/directory/guichet/smtp_user
deleted file mode 100644
index c9c8bd0..0000000
--- a/cluster/staging/app/directory/secrets/directory/guichet/smtp_user
+++ /dev/null
@@ -1 +0,0 @@
-USER SMTP username
diff --git a/cluster/staging/app/directory/secrets/directory/guichet/web_hostname b/cluster/staging/app/directory/secrets/directory/guichet/web_hostname
deleted file mode 100644
index afe2512..0000000
--- a/cluster/staging/app/directory/secrets/directory/guichet/web_hostname
+++ /dev/null
@@ -1 +0,0 @@
-USER Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com)
diff --git a/cluster/staging/app/directory/secrets/directory/ldap_base_dn b/cluster/staging/app/directory/secrets/directory/ldap_base_dn
deleted file mode 100644
index ea5c7ae..0000000
--- a/cluster/staging/app/directory/secrets/directory/ldap_base_dn
+++ /dev/null
@@ -1 +0,0 @@
-USER LDAP base DN for everything (e.g. dc=example,dc=com)
diff --git a/cluster/staging/app/dummy/secrets.toml b/cluster/staging/app/dummy/secrets.toml
new file mode 100644
index 0000000..378ec46
--- /dev/null
+++ b/cluster/staging/app/dummy/secrets.toml
@@ -0,0 +1,36 @@
+[service_users."dummy"]
+description = 'Service user for dummy database access'
+username_secret = "dummy/db_username"
+password_secret = "dummy/db_password"
+rotate_password = true
+
+[secrets."dummy/s3_access_key"]
+type = 'user'
+description = 'S3 access key ID for database storage'
+
+[secrets."dummy/s3_secret_key"]
+description = 'S3 secret key for database storage'
+type = 'user'
+
+[secrets."dummy/public_domain"]
+description = 'Publicly accessible domain for dummy resource'
+type = 'user'
+
+[secrets."dummy/form_secret"]
+description = 'Form secret for dummy web pages'
+type = 'command'
+command = 'openssl rand -base64 42'
+rotate = true
+
+[secrets."dummy/signing_key"]
+description = 'Key to use to sign dummy service data'
+type = 'command'
+command = 'openssl rand -base64 42'
+
+[secrets."dummy/rpc_secret"]
+description = 'RPC secret for communication between dummy nodes'
+type = 'command'
+command = 'openssl rand -base64 42'
+rotate = true
+
+
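Review bot: `dummy/signing_key` is the only `command` secret in this file without `rotate = true`, and nothing says whether that is deliberate; a signing key usually cannot be rotated without invalidating everything signed with it, so if that is the reason, record it above the entry: `# not rotated: data signed with the previous key would stop verifying`. Otherwise add `rotate = true` for consistency with `form_secret` and `rpc_secret`. `[service_users."dummy"]` refers to `dummy/db_username` and `dummy/db_password`, which are not declared as `[secrets.…]` entries here; presumably secretmgr derives them from the service user, but a one-line comment saying so would save the next reader the search. The two trailing blank lines at the end of the file can be reduced to one.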
diff --git a/cluster/staging/app/garage/secrets.toml b/cluster/staging/app/garage/secrets.toml
new file mode 100644
index 0000000..26ecd5e
--- /dev/null
+++ b/cluster/staging/app/garage/secrets.toml
@@ -0,0 +1,15 @@
+[secrets."garage-staging/admin_token"]
+type = 'command'
+rotate = true
+command = 'openssl rand -hex 32'
+
+[secrets."garage-staging/rpc_secret"]
+type = 'command'
+rotate = true
+command = 'openssl rand -hex 32'
+
+[secrets."garage-staging/metrics_token"]
+type = 'command'
+rotate = true
+command = 'openssl rand -hex 32'
+
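Review bot: None of the three secrets carries a `description`, unlike every other secrets.toml in this change, so an operator running the tool sees only the path; add e.g. `description = 'Garage admin API bearer token'`, `description = 'Shared secret for Garage node-to-node RPC'` and `description = 'Bearer token for the Garage metrics endpoint'`. `rotate = true` on `rpc_secret` deserves a caveat: as I understand Garage, every node must hold the same `rpc_secret`, so a rotation is only safe if all nodes are reconfigured and restarted together, otherwise nodes with the old value can no longer talk to nodes with the new one — a comment noting that rollout constraint would help. Likewise, rotating `admin_token` silently breaks any automation still holding the old token.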
diff --git a/cluster/staging/app/garage/secrets/garage-staging/admin_token b/cluster/staging/app/garage/secrets/garage-staging/admin_token
deleted file mode 100644
index 5fa4e3c..0000000
--- a/cluster/staging/app/garage/secrets/garage-staging/admin_token
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -hex 32
diff --git a/cluster/staging/app/garage/secrets/garage-staging/metrics_token b/cluster/staging/app/garage/secrets/garage-staging/metrics_token
deleted file mode 100644
index 5fa4e3c..0000000
--- a/cluster/staging/app/garage/secrets/garage-staging/metrics_token
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -hex 32
diff --git a/cluster/staging/app/garage/secrets/garage-staging/rpc_secret b/cluster/staging/app/garage/secrets/garage-staging/rpc_secret
deleted file mode 100644
index 5fa4e3c..0000000
--- a/cluster/staging/app/garage/secrets/garage-staging/rpc_secret
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -hex 32
diff --git a/cluster/staging/app/im/secrets.toml b/cluster/staging/app/im/secrets.toml
new file mode 100644
index 0000000..7acad55
--- /dev/null
+++ b/cluster/staging/app/im/secrets.toml
@@ -0,0 +1,27 @@
+[secrets."synapse/s3_access_key"]
+type = 'user'
+description = 'S3 access key ID for database storage'
+
+[secrets."synapse/form_secret"]
+type = 'command'
+rotate = true
+command = 'openssl rand -base64 42'
+
+[secrets."synapse/signing_key"]
+type = 'user'
+description = 'Signing key for messages'
+
+[secrets."synapse/macaroon_secret_key"]
+type = 'command'
+rotate = true
+command = 'openssl rand -base64 42'
+
+[secrets."synapse/registration_shared_secret"]
+type = 'command'
+rotate = true
+command = 'openssl rand -base64 42'
+
+[secrets."synapse/s3_secret_key"]
+type = 'user'
+description = 'S3 secret key for database storage'
+
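Review bot: `form_secret`, `macaroon_secret_key` and `registration_shared_secret` have no `description` while the `user` entries do, and `rotate = true` on `macaroon_secret_key` has a user-visible consequence that should be stated: if this is Synapse's `macaroon_secret_key`, regenerating it invalidates existing access tokens and logs every client out, e.g. `description = 'Synapse macaroon secret; rotating it invalidates all sessions'`. The description 'S3 access key ID for database storage' looks copied from dummy/secrets.toml — Synapse's S3 integration is normally a media storage provider rather than database storage, so confirm what this bucket actually holds and describe it accurately. `signing_key` is `user`-typed while the other keys are generated; a comment on why it is hand-supplied (presumably because the federation signing key is long-lived and pinned by peers) would help. The two S3 keys are also split to opposite ends of the file; keeping them adjacent reads better.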
diff --git a/cluster/staging/app/im/secrets/synapse/form_secret b/cluster/staging/app/im/secrets/synapse/form_secret
deleted file mode 100644
index f601137..0000000
--- a/cluster/staging/app/im/secrets/synapse/form_secret
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -base64 42
diff --git a/cluster/staging/app/im/secrets/synapse/macaroon_secret_key b/cluster/staging/app/im/secrets/synapse/macaroon_secret_key
deleted file mode 100644
index f601137..0000000
--- a/cluster/staging/app/im/secrets/synapse/macaroon_secret_key
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -base64 42
diff --git a/cluster/staging/app/im/secrets/synapse/registration_shared_secret b/cluster/staging/app/im/secrets/synapse/registration_shared_secret
deleted file mode 100644
index f601137..0000000
--- a/cluster/staging/app/im/secrets/synapse/registration_shared_secret
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -base64 42
diff --git a/cluster/staging/app/im/secrets/synapse/s3_access_key b/cluster/staging/app/im/secrets/synapse/s3_access_key
deleted file mode 100644
index 692dc34..0000000
--- a/cluster/staging/app/im/secrets/synapse/s3_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 access key ID for database storage
diff --git a/cluster/staging/app/im/secrets/synapse/s3_secret_key b/cluster/staging/app/im/secrets/synapse/s3_secret_key
deleted file mode 100644
index 8bef13c..0000000
--- a/cluster/staging/app/im/secrets/synapse/s3_secret_key
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 secret key for database storage
diff --git a/cluster/staging/app/im/secrets/synapse/signing_key b/cluster/staging/app/im/secrets/synapse/signing_key
deleted file mode 100644
index 6821360..0000000
--- a/cluster/staging/app/im/secrets/synapse/signing_key
+++ /dev/null
@@ -1 +0,0 @@
-USER Signing key for messages
diff --git a/cluster/staging/app/secretmgr b/cluster/staging/app/secretmgr
deleted file mode 120000
index 6aff4ad..0000000
--- a/cluster/staging/app/secretmgr
+++ /dev/null
@@ -1 +0,0 @@
-../../../secretmgr/secretmgr \ No newline at end of file
diff --git a/cluster/staging/app/telemetry/secrets.toml b/cluster/staging/app/telemetry/secrets.toml
new file mode 100644
index 0000000..56df97d
--- /dev/null
+++ b/cluster/staging/app/telemetry/secrets.toml
@@ -0,0 +1,13 @@
+[secrets."telemetry/grafana/s3_access_key"]
+type = 'user'
+description = 'S3 access key for grafana db'
+
+[secrets."telemetry/grafana/admin_password"]
+type = 'command'
+rotate = true
+command = 'openssl rand -base64 12'
+
+[secrets."telemetry/grafana/s3_secret_key"]
+type = 'user'
+description = 'S3 secret key for grafana db'
+
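Review bot: `telemetry/grafana/admin_password` is generated from only 12 random bytes (`openssl rand -base64 12`, about 96 bits) where every other generated secret in this change uses 32 or 42, and nothing explains the smaller size; 96 bits is adequate for an online-only login, but if it was chosen for typeability say so in a comment, otherwise use `command = 'openssl rand -base64 24'`. With `rotate = true`, verify that the deployment actually applies a changed value: as far as I know Grafana only reads the admin password from its configuration on first start, so a rotated secret may not change the live password unless a reset step runs. Add a `description` for the password as the two S3 entries have.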
diff --git a/cluster/staging/app/telemetry/secrets/telemetry/grafana/admin_password b/cluster/staging/app/telemetry/secrets/telemetry/grafana/admin_password
deleted file mode 100644
index 2f36e97..0000000
--- a/cluster/staging/app/telemetry/secrets/telemetry/grafana/admin_password
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -base64 12
diff --git a/cluster/staging/app/telemetry/secrets/telemetry/grafana/s3_access_key b/cluster/staging/app/telemetry/secrets/telemetry/grafana/s3_access_key
deleted file mode 100644
index c7e41a4..0000000
--- a/cluster/staging/app/telemetry/secrets/telemetry/grafana/s3_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 access key for grafana db
diff --git a/cluster/staging/app/telemetry/secrets/telemetry/grafana/s3_secret_key b/cluster/staging/app/telemetry/secrets/telemetry/grafana/s3_secret_key
deleted file mode 100644
index 051f41a..0000000
--- a/cluster/staging/app/telemetry/secrets/telemetry/grafana/s3_secret_key
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 secret key for grafana db
diff --git a/cluster/staging/secretmgr.toml b/cluster/staging/secretmgr.toml
new file mode 100644
index 0000000..9dc0aa5
--- /dev/null
+++ b/cluster/staging/secretmgr.toml
@@ -0,0 +1,19 @@
+[ldap]
+server = "ldap://localhost:1389"
+service_dn_suffix = "ou=services,ou=users,dc=staging,dc=deuxfleurs,dc=org"
+admin_dn = "cn=admin,dc=staging,dc=deuxfleurs,dc=org"
+admin_password_secret = "directory/admin_password"
+
+[user_values]
+"directory/ldap_base_dn" = "dc=staging,dc=deuxfleurs,dc=org"
+"directory/guichet/mail_domain" = "staging.deuxfleurs.org"
+"directory/guichet/mail_from" = "contact@deuxfleurs.org"
+"directory/guichet/s3_bucket" = "bottin-pictures"
+"directory/guichet/s3_endpoint" = "garage.staging.deuxfleurs.org"
+"directory/guichet/s3_region" = "garage-staging"
+"directory/guichet/smtp_server" = "mail.gandi.net:25"
+"directory/guichet/smtp_user" = "contact@deuxfleurs.org"
+"directory/guichet/web_hostname" = "guichet.staging.deuxfleurs.org"
+
+"dummy/public_domain" = "dummy.staging.deuxfleurs.org"
+"dummy/test_constant" = "test value"
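Review bot: `"dummy/test_constant"` under `[user_values]` has no matching `[secrets."dummy/test_constant"]` entry in cluster/staging/app/dummy/secrets.toml, and `admin_password_secret = "directory/admin_password"` is not declared in any secrets.toml visible in this change either; if secretmgr ignores unknown names silently, a typo in a key would go unnoticed, so either declare them or have the tool fail on undeclared names. `server = "ldap://localhost:1389"` is plaintext LDAP and the admin bind password travels over it, which is only acceptable if 1389 is a local tunnel or port-forward to the directory — say so in a comment: `# plaintext ldap:// is acceptable only because 1389 is a local port-forward into the cluster`. Since this file is committed, `[user_values]` must hold only non-sensitive values; a one-line comment above it stating that credentials (`smtp_pass`, `s3_secret_key`, …) are never put here would keep that boundary from eroding. The `s3_endpoint` value is a bare hostname although the secret is described as a URL; confirm whether the consumer assumes https:// for it.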