authorAlex Auvolat <alex@adnab.me>2022-12-25 21:03:16 +0100
committerAlex Auvolat <alex@adnab.me>2022-12-25 21:03:16 +0100
commit8d0a7a806da952adccca51b0a806a4c28732ea90 (patch)
tree609c563bd75774784c93e5a460808e40ec503f31 /cluster
parent7fd81f347006ca6ebaf6f0cf149a4d8c1f8086b0 (diff)
New secretmgr
Diffstat (limited to 'cluster')
l---------cluster/staging/app/convertsecrets1
-rw-r--r--cluster/staging/app/core/secrets.toml4
-rw-r--r--cluster/staging/app/core/secrets/d53/gandi_api_key1
-rw-r--r--cluster/staging/app/directory/secrets.toml48
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/mail_domain1
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/mail_from1
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/s3_access_key1
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/s3_bucket1
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/s3_endpoint1
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/s3_region1
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/s3_secret_key1
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/smtp_pass1
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/smtp_server1
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/smtp_user1
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/web_hostname1
-rw-r--r--cluster/staging/app/directory/secrets/directory/ldap_base_dn1
-rw-r--r--cluster/staging/app/dummy/secrets.toml36
-rw-r--r--cluster/staging/app/garage/secrets.toml15
-rw-r--r--cluster/staging/app/garage/secrets/garage-staging/admin_token1
-rw-r--r--cluster/staging/app/garage/secrets/garage-staging/metrics_token1
-rw-r--r--cluster/staging/app/garage/secrets/garage-staging/rpc_secret1
-rw-r--r--cluster/staging/app/im/secrets.toml27
-rw-r--r--cluster/staging/app/im/secrets/synapse/form_secret1
-rw-r--r--cluster/staging/app/im/secrets/synapse/macaroon_secret_key1
-rw-r--r--cluster/staging/app/im/secrets/synapse/registration_shared_secret1
-rw-r--r--cluster/staging/app/im/secrets/synapse/s3_access_key1
-rw-r--r--cluster/staging/app/im/secrets/synapse/s3_secret_key1
-rw-r--r--cluster/staging/app/im/secrets/synapse/signing_key1
-rw-r--r--cluster/staging/app/telemetry/secrets.toml13
-rw-r--r--cluster/staging/app/telemetry/secrets/telemetry/grafana/admin_password1
-rw-r--r--cluster/staging/app/telemetry/secrets/telemetry/grafana/s3_access_key1
-rw-r--r--cluster/staging/app/telemetry/secrets/telemetry/grafana/s3_secret_key1
-rw-r--r--cluster/staging/secretmgr.toml9
33 files changed, 153 insertions, 25 deletions
diff --git a/cluster/staging/app/convertsecrets b/cluster/staging/app/convertsecrets
new file mode 120000
index 0000000..3e30b0f
--- /dev/null
+++ b/cluster/staging/app/convertsecrets
@@ -0,0 +1 @@
+../../../secretmgr/convertsecrets \ No newline at end of file
diff --git a/cluster/staging/app/core/secrets.toml b/cluster/staging/app/core/secrets.toml
new file mode 100644
index 0000000..8da8561
--- /dev/null
+++ b/cluster/staging/app/core/secrets.toml
@@ -0,0 +1,4 @@
+[secrets."d53/gandi_api_key"]
+type = 'user'
+description = 'Gandi API key'
+
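Review bot: The new file ends with an added empty line (the final `+` of the hunk), which a TOML formatter such as `taplo fmt` will strip, so the file is not stable under formatting. The same trailing blank line is present in the new directory, garage, im and telemetry secrets.toml files, and dummy/secrets.toml ends with two. Dropping the blank line after the last `description` key fixes all of them. The single-quoted literal strings are fine here since no value needs escaping.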
diff --git a/cluster/staging/app/core/secrets/d53/gandi_api_key b/cluster/staging/app/core/secrets/d53/gandi_api_key
deleted file mode 100644
index b3936c9..0000000
--- a/cluster/staging/app/core/secrets/d53/gandi_api_key
+++ /dev/null
@@ -1 +0,0 @@
-USER Gandi API key
diff --git a/cluster/staging/app/directory/secrets.toml b/cluster/staging/app/directory/secrets.toml
new file mode 100644
index 0000000..0ebd77f
--- /dev/null
+++ b/cluster/staging/app/directory/secrets.toml
@@ -0,0 +1,48 @@
+[secrets."directory/ldap_base_dn"]
+type = 'user'
+description = 'LDAP base DN for everything (e.g. dc=example,dc=com)'
+
+[secrets."directory/guichet/smtp_user"]
+type = 'user'
+description = 'SMTP username'
+
+[secrets."directory/guichet/s3_access_key"]
+type = 'user'
+description = 'Garage access key for Guichet profile pictures'
+
+[secrets."directory/guichet/s3_endpoint"]
+type = 'user'
+description = 'S3 endpoint URL'
+
+[secrets."directory/guichet/s3_region"]
+type = 'user'
+description = 'S3 region'
+
+[secrets."directory/guichet/smtp_pass"]
+type = 'user'
+description = 'SMTP password'
+
+[secrets."directory/guichet/web_hostname"]
+type = 'user'
+description = 'Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com)'
+
+[secrets."directory/guichet/s3_bucket"]
+type = 'user'
+description = 'S3 bucket in which to store data files (such as profile pictures)'
+
+[secrets."directory/guichet/smtp_server"]
+type = 'user'
+description = 'SMTP server address (hostname:port)'
+
+[secrets."directory/guichet/s3_secret_key"]
+type = 'user'
+description = 'Garage secret key for Guichet profile pictures'
+
+[secrets."directory/guichet/mail_from"]
+type = 'user'
+description = 'E-mail address from which to send welcome emails to new users'
+
+[secrets."directory/guichet/mail_domain"]
+type = 'user'
+description = 'E-mail domain for new users (e.g. example.com)'
+
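Review bot: The twelve `[secrets."directory/..."]` tables are in no discernible order (smtp_user, s3_access_key, s3_endpoint, s3_region, smtp_pass, web_hostname, …), which makes it hard to check that a subsystem's set of keys is complete; grouping them as ldap, then smtp_*, then s3_*, then mail_*/web_hostname would make gaps visible at a glance. Several of these entries (ldap_base_dn, web_hostname, mail_domain, mail_from, s3_endpoint, s3_region, s3_bucket) are configuration rather than secrets, and this commit also introduces a `[constants]` table in secretmgr.toml; if that table is meant for exactly this kind of value, moving them there would keep the `secrets` table limited to material that must actually be protected — I cannot tell from this diff whether constants and user secrets are consumed the same way, so confirm before moving. The descriptions themselves are clear and the single-quoted strings are appropriate.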
diff --git a/cluster/staging/app/directory/secrets/directory/guichet/mail_domain b/cluster/staging/app/directory/secrets/directory/guichet/mail_domain
deleted file mode 100644
index 5db1ba3..0000000
--- a/cluster/staging/app/directory/secrets/directory/guichet/mail_domain
+++ /dev/null
@@ -1 +0,0 @@
-USER E-mail domain for new users (e.g. example.com)
diff --git a/cluster/staging/app/directory/secrets/directory/guichet/mail_from b/cluster/staging/app/directory/secrets/directory/guichet/mail_from
deleted file mode 100644
index 9075cbf..0000000
--- a/cluster/staging/app/directory/secrets/directory/guichet/mail_from
+++ /dev/null
@@ -1 +0,0 @@
-USER E-mail address from which to send welcome emails to new users
diff --git a/cluster/staging/app/directory/secrets/directory/guichet/s3_access_key b/cluster/staging/app/directory/secrets/directory/guichet/s3_access_key
deleted file mode 100644
index e5b37ff..0000000
--- a/cluster/staging/app/directory/secrets/directory/guichet/s3_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER Garage access key for Guichet profile pictures
diff --git a/cluster/staging/app/directory/secrets/directory/guichet/s3_bucket b/cluster/staging/app/directory/secrets/directory/guichet/s3_bucket
deleted file mode 100644
index cb059cf..0000000
--- a/cluster/staging/app/directory/secrets/directory/guichet/s3_bucket
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 bucket in which to store data files (such as profile pictures)
diff --git a/cluster/staging/app/directory/secrets/directory/guichet/s3_endpoint b/cluster/staging/app/directory/secrets/directory/guichet/s3_endpoint
deleted file mode 100644
index b414269..0000000
--- a/cluster/staging/app/directory/secrets/directory/guichet/s3_endpoint
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 endpoint URL
diff --git a/cluster/staging/app/directory/secrets/directory/guichet/s3_region b/cluster/staging/app/directory/secrets/directory/guichet/s3_region
deleted file mode 100644
index ef16924..0000000
--- a/cluster/staging/app/directory/secrets/directory/guichet/s3_region
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 region
diff --git a/cluster/staging/app/directory/secrets/directory/guichet/s3_secret_key b/cluster/staging/app/directory/secrets/directory/guichet/s3_secret_key
deleted file mode 100644
index f3e7f0f..0000000
--- a/cluster/staging/app/directory/secrets/directory/guichet/s3_secret_key
+++ /dev/null
@@ -1 +0,0 @@
-USER Garage secret key for Guichet profile pictures
diff --git a/cluster/staging/app/directory/secrets/directory/guichet/smtp_pass b/cluster/staging/app/directory/secrets/directory/guichet/smtp_pass
deleted file mode 100644
index fc9d1e3..0000000
--- a/cluster/staging/app/directory/secrets/directory/guichet/smtp_pass
+++ /dev/null
@@ -1 +0,0 @@
-USER SMTP password
diff --git a/cluster/staging/app/directory/secrets/directory/guichet/smtp_server b/cluster/staging/app/directory/secrets/directory/guichet/smtp_server
deleted file mode 100644
index c453935..0000000
--- a/cluster/staging/app/directory/secrets/directory/guichet/smtp_server
+++ /dev/null
@@ -1 +0,0 @@
-USER SMTP server address (hostname:port)
diff --git a/cluster/staging/app/directory/secrets/directory/guichet/smtp_user b/cluster/staging/app/directory/secrets/directory/guichet/smtp_user
deleted file mode 100644
index c9c8bd0..0000000
--- a/cluster/staging/app/directory/secrets/directory/guichet/smtp_user
+++ /dev/null
@@ -1 +0,0 @@
-USER SMTP username
diff --git a/cluster/staging/app/directory/secrets/directory/guichet/web_hostname b/cluster/staging/app/directory/secrets/directory/guichet/web_hostname
deleted file mode 100644
index afe2512..0000000
--- a/cluster/staging/app/directory/secrets/directory/guichet/web_hostname
+++ /dev/null
@@ -1 +0,0 @@
-USER Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com)
diff --git a/cluster/staging/app/directory/secrets/directory/ldap_base_dn b/cluster/staging/app/directory/secrets/directory/ldap_base_dn
deleted file mode 100644
index ea5c7ae..0000000
--- a/cluster/staging/app/directory/secrets/directory/ldap_base_dn
+++ /dev/null
@@ -1 +0,0 @@
-USER LDAP base DN for everything (e.g. dc=example,dc=com)
diff --git a/cluster/staging/app/dummy/secrets.toml b/cluster/staging/app/dummy/secrets.toml
new file mode 100644
index 0000000..378ec46
--- /dev/null
+++ b/cluster/staging/app/dummy/secrets.toml
@@ -0,0 +1,36 @@
+[service_users."dummy"]
+description = 'Service user for dummy database access'
+username_secret = "dummy/db_username"
+password_secret = "dummy/db_password"
+rotate_password = true
+
+[secrets."dummy/s3_access_key"]
+type = 'user'
+description = 'S3 access key ID for database storage'
+
+[secrets."dummy/s3_secret_key"]
+description = 'S3 secret key for database storage'
+type = 'user'
+
+[secrets."dummy/public_domain"]
+description = 'Publicly accessible domain for dummy resource'
+type = 'user'
+
+[secrets."dummy/form_secret"]
+description = 'Form secret for dummy web pages'
+type = 'command'
+command = 'openssl rand -base64 42'
+rotate = true
+
+[secrets."dummy/signing_key"]
+description = 'Key to use to sign dummy service data'
+type = 'command'
+command = 'openssl rand -base64 42'
+
+[secrets."dummy/rpc_secret"]
+description = 'RPC secret for communication between dummy nodes'
+type = 'command'
+command = 'openssl rand -base64 42'
+rotate = true
+
+
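Review bot: `[secrets."dummy/public_domain"]` is declared here as a `type = 'user'` secret while secretmgr.toml in this same commit sets `"dummy/public_domain"` under `[constants]`; which definition wins is not visible from the diff, so either remove one or add a comment above the secret saying the constant overrides it. `[service_users."dummy"]` references `dummy/db_username` and `dummy/db_password` via `username_secret`/`password_secret`, but neither name is declared under `[secrets]` in this file — presumably the service_users machinery creates them implicitly; a one-line comment such as `# db_username/db_password are generated by the service_users entry` would save the next reader the search. The quoting is unnecessary for that header since `dummy` is a bare key: `[service_users.dummy]`. Key order also alternates between `type` first (s3_access_key) and `description` first (all others); picking one order, as garage/secrets.toml and im/secrets.toml do, would keep the files consistent.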
diff --git a/cluster/staging/app/garage/secrets.toml b/cluster/staging/app/garage/secrets.toml
new file mode 100644
index 0000000..26ecd5e
--- /dev/null
+++ b/cluster/staging/app/garage/secrets.toml
@@ -0,0 +1,15 @@
+[secrets."garage-staging/admin_token"]
+type = 'command'
+rotate = true
+command = 'openssl rand -hex 32'
+
+[secrets."garage-staging/rpc_secret"]
+type = 'command'
+rotate = true
+command = 'openssl rand -hex 32'
+
+[secrets."garage-staging/metrics_token"]
+type = 'command'
+rotate = true
+command = 'openssl rand -hex 32'
+
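Review bot: None of the three `type = 'command'` entries carries a `description`, unlike every `type = 'user'` entry in the other new files, so a reader has nothing but the key name to tell `admin_token`, `metrics_token` and `rpc_secret` apart; adding e.g. `description = 'Garage admin API token'`, `description = 'Garage metrics endpoint bearer token'` and `description = 'Shared RPC secret between Garage nodes'` would fix this, and the same omission applies to the command secrets in im/secrets.toml and telemetry/secrets.toml. `rotate = true` on `garage-staging/rpc_secret` deserves a comment as well: the RPC secret presumably has to be identical on every node, so a rotation that is not rolled out to all nodes together would partition the cluster — confirm that the rotation path updates all nodes atomically, or note the constraint above the key.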
diff --git a/cluster/staging/app/garage/secrets/garage-staging/admin_token b/cluster/staging/app/garage/secrets/garage-staging/admin_token
deleted file mode 100644
index 5fa4e3c..0000000
--- a/cluster/staging/app/garage/secrets/garage-staging/admin_token
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -hex 32
diff --git a/cluster/staging/app/garage/secrets/garage-staging/metrics_token b/cluster/staging/app/garage/secrets/garage-staging/metrics_token
deleted file mode 100644
index 5fa4e3c..0000000
--- a/cluster/staging/app/garage/secrets/garage-staging/metrics_token
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -hex 32
diff --git a/cluster/staging/app/garage/secrets/garage-staging/rpc_secret b/cluster/staging/app/garage/secrets/garage-staging/rpc_secret
deleted file mode 100644
index 5fa4e3c..0000000
--- a/cluster/staging/app/garage/secrets/garage-staging/rpc_secret
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -hex 32
diff --git a/cluster/staging/app/im/secrets.toml b/cluster/staging/app/im/secrets.toml
new file mode 100644
index 0000000..7acad55
--- /dev/null
+++ b/cluster/staging/app/im/secrets.toml
@@ -0,0 +1,27 @@
+[secrets."synapse/s3_access_key"]
+type = 'user'
+description = 'S3 access key ID for database storage'
+
+[secrets."synapse/form_secret"]
+type = 'command'
+rotate = true
+command = 'openssl rand -base64 42'
+
+[secrets."synapse/signing_key"]
+type = 'user'
+description = 'Signing key for messages'
+
+[secrets."synapse/macaroon_secret_key"]
+type = 'command'
+rotate = true
+command = 'openssl rand -base64 42'
+
+[secrets."synapse/registration_shared_secret"]
+type = 'command'
+rotate = true
+command = 'openssl rand -base64 42'
+
+[secrets."synapse/s3_secret_key"]
+type = 'user'
+description = 'S3 secret key for database storage'
+
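Review bot: `rotate = true` on `synapse/macaroon_secret_key` is worth a comment, because in Synapse that key signs issued tokens and rotating it presumably invalidates whatever was signed with the old value (I cannot see from this diff how rotation is triggered or how often); if that is intended, `# rotation invalidates outstanding tokens signed with the old key` above the key would record the decision. `synapse/signing_key` is a `type = 'user'` secret while the similarly named `dummy/signing_key` in dummy/secrets.toml is a generated command secret; if that is because Synapse needs a key in its own format rather than raw random bytes, saying so in the description (e.g. `'Synapse federation signing key, generated by Synapse'`) would prevent someone "fixing" it later. The entries also mix user and command secrets in no particular order; grouping the three command secrets together would make the file easier to scan.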
diff --git a/cluster/staging/app/im/secrets/synapse/form_secret b/cluster/staging/app/im/secrets/synapse/form_secret
deleted file mode 100644
index f601137..0000000
--- a/cluster/staging/app/im/secrets/synapse/form_secret
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -base64 42
diff --git a/cluster/staging/app/im/secrets/synapse/macaroon_secret_key b/cluster/staging/app/im/secrets/synapse/macaroon_secret_key
deleted file mode 100644
index f601137..0000000
--- a/cluster/staging/app/im/secrets/synapse/macaroon_secret_key
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -base64 42
diff --git a/cluster/staging/app/im/secrets/synapse/registration_shared_secret b/cluster/staging/app/im/secrets/synapse/registration_shared_secret
deleted file mode 100644
index f601137..0000000
--- a/cluster/staging/app/im/secrets/synapse/registration_shared_secret
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -base64 42
diff --git a/cluster/staging/app/im/secrets/synapse/s3_access_key b/cluster/staging/app/im/secrets/synapse/s3_access_key
deleted file mode 100644
index 692dc34..0000000
--- a/cluster/staging/app/im/secrets/synapse/s3_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 access key ID for database storage
diff --git a/cluster/staging/app/im/secrets/synapse/s3_secret_key b/cluster/staging/app/im/secrets/synapse/s3_secret_key
deleted file mode 100644
index 8bef13c..0000000
--- a/cluster/staging/app/im/secrets/synapse/s3_secret_key
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 secret key for database storage
diff --git a/cluster/staging/app/im/secrets/synapse/signing_key b/cluster/staging/app/im/secrets/synapse/signing_key
deleted file mode 100644
index 6821360..0000000
--- a/cluster/staging/app/im/secrets/synapse/signing_key
+++ /dev/null
@@ -1 +0,0 @@
-USER Signing key for messages
diff --git a/cluster/staging/app/telemetry/secrets.toml b/cluster/staging/app/telemetry/secrets.toml
new file mode 100644
index 0000000..56df97d
--- /dev/null
+++ b/cluster/staging/app/telemetry/secrets.toml
@@ -0,0 +1,13 @@
+[secrets."telemetry/grafana/s3_access_key"]
+type = 'user'
+description = 'S3 access key for grafana db'
+
+[secrets."telemetry/grafana/admin_password"]
+type = 'command'
+rotate = true
+command = 'openssl rand -base64 12'
+
+[secrets."telemetry/grafana/s3_secret_key"]
+type = 'user'
+description = 'S3 secret key for grafana db'
+
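Review bot: `rotate = true` on `telemetry/grafana/admin_password` only has an effect if Grafana re-reads the password on every start; if, as is common, the value is only applied when the admin account is first created, a rotation silently leaves the old password in place while the secret store holds the new one — confirm how the value reaches Grafana and add a comment above the key stating it. `openssl rand -base64 12` yields 96 bits of randomness, which is adequate for a password, but the hex form used in garage/secrets.toml avoids `+`/`/` characters that some config templating mangles; consider `openssl rand -hex 16` for consistency. The descriptions could also name the service consistently (`Grafana`, as in the key path) rather than `grafana db`.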
diff --git a/cluster/staging/app/telemetry/secrets/telemetry/grafana/admin_password b/cluster/staging/app/telemetry/secrets/telemetry/grafana/admin_password
deleted file mode 100644
index 2f36e97..0000000
--- a/cluster/staging/app/telemetry/secrets/telemetry/grafana/admin_password
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -base64 12
diff --git a/cluster/staging/app/telemetry/secrets/telemetry/grafana/s3_access_key b/cluster/staging/app/telemetry/secrets/telemetry/grafana/s3_access_key
deleted file mode 100644
index c7e41a4..0000000
--- a/cluster/staging/app/telemetry/secrets/telemetry/grafana/s3_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 access key for grafana db
diff --git a/cluster/staging/app/telemetry/secrets/telemetry/grafana/s3_secret_key b/cluster/staging/app/telemetry/secrets/telemetry/grafana/s3_secret_key
deleted file mode 100644
index 051f41a..0000000
--- a/cluster/staging/app/telemetry/secrets/telemetry/grafana/s3_secret_key
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 secret key for grafana db
diff --git a/cluster/staging/secretmgr.toml b/cluster/staging/secretmgr.toml
new file mode 100644
index 0000000..cbaa6f6
--- /dev/null
+++ b/cluster/staging/secretmgr.toml
@@ -0,0 +1,9 @@
+[ldap]
+server = "ldap://localhost:1389"
+service_dn_suffix = "ou=services,ou=users,dc=staging,dc=deuxfleurs,dc=org"
+admin_dn = "cn=admin,dc=staging,dc=deuxfleurs,dc=org"
+admin_password_secret = "directory/admin_password"
+
+[constants]
+"dummy/public_domain" = "dummy.staging.deuxfleurs.org"
+"dummy/test_constant" = "test value"
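Review bot: `"dummy/test_constant" = "test value"` reads like a leftover from trying out the new `[constants]` mechanism; if it is meant to stay as a fixture for the dummy app, a comment such as `# placeholder used by the dummy app only` would make that explicit, otherwise it should be dropped before this lands in the staging config. `server = "ldap://localhost:1389"` is plain LDAP, which is acceptable only while the bind stays on the loopback interface because the `admin_dn` credentials travel in clear; a comment above the key noting that assumption (and that `ldaps://` or StartTLS is required if the address ever changes) would keep the next operator from pointing it at a remote host unchanged. The quoted keys with slashes are necessary here since `/` is outside the bare-key character set, so that part is fine.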