From 87bb031ed00b7993a29d74aee2e89875c5444caf Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Sun, 25 Dec 2022 22:31:18 +0100 Subject: Migrate prod cluster secrets to new format --- cluster/prod/app/backup/secrets.toml | 90 ++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 cluster/prod/app/backup/secrets.toml (limited to 'cluster/prod/app/backup/secrets.toml') diff --git a/cluster/prod/app/backup/secrets.toml b/cluster/prod/app/backup/secrets.toml new file mode 100644 index 0000000..5d2b851 --- /dev/null +++ b/cluster/prod/app/backup/secrets.toml @@ -0,0 +1,90 @@ +# Cryptpad backup + +[secrets."backup/cryptpad/backup_restic_password"] +type = 'user' +description = 'Restic password to encrypt backups' + +[secrets."backup/cryptpad/backup_aws_secret_access_key"] +type = 'user' +description = 'Backup AWS secret access key' + +[secrets."backup/cryptpad/backup_restic_repository"] +type = 'user' +description = 'Restic repository' +example = 's3:https://s3.garage.tld' + +[secrets."backup/cryptpad/backup_aws_access_key_id"] +type = 'user' +description = 'Backup AWS access key ID' + + +# Consul backup + +[secrets."backup/consul/backup_restic_password"] +type = 'user' +description = 'Restic password to encrypt backups' + +[secrets."backup/consul/backup_aws_secret_access_key"] +type = 'user' +description = 'Backup AWS secret access key' + +[secrets."backup/consul/backup_restic_repository"] +type = 'user' +description = 'Restic repository' +example = 's3:https://s3.garage.tld' + +[secrets."backup/consul/backup_aws_access_key_id"] +type = 'user' +description = 'Backup AWS access key ID' + + +# Postgresql backup + +[secrets."backup/psql/aws_secret_access_key"] +type = 'user' +description = 'Minio secret key' + +[secrets."backup/psql/aws_access_key_id"] +type = 'user' +description = 'Minio access key' + +[secrets."backup/psql/crypt_public_key"] +type = 'user' +description = 'A public key to encypt backups with age' + +[secrets."backup/psql/crypt_private_key"] +type = 'user' +description = 'a private key to decript backups from age' + + +# SSH target config (do we still use this?) + +[secrets."backup/target_ssh_host"] +type = 'user' +description = 'Hostname of the backup target host' + +[secrets."backup/target_ssh_port"] +type = 'user' +description = 'SSH port number to connect to the target host' + +[secrets."backup/target_ssh_dir"] +type = 'user' +description = 'Directory where to store backups on target host' + +[secrets."backup/target_ssh_user"] +type = 'user' +description = 'SSH username to log in as on the target host' + +[secrets."backup/target_ssh_fingerprint"] +type = 'user' +description = 'SSH fingerprint of the target machine (format: copy here the corresponding line from your known_hosts file)' + +[secrets."backup/id_ed25519"] +type = 'user' +multiline = true +description = 'Private ed25519 key of the container doing the backup' + +[secrets."backup/id_ed25519.pub"] +type = 'user' +description = 'Public ed25519 key of the container doing the backup (this key must be in authorized_keys on the backup target host)' + -- cgit v1.2.3 From 8cee3b0043eda68d982e5359a0d009c83cbb85c4 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Sun, 25 Dec 2022 22:45:05 +0100 Subject: Update prod secret files --- cluster/prod/app/backup/secrets.toml | 52 +++++++++++++++++++----------------- 1 file changed, 27 insertions(+), 25 deletions(-) (limited to 'cluster/prod/app/backup/secrets.toml') diff --git a/cluster/prod/app/backup/secrets.toml b/cluster/prod/app/backup/secrets.toml index 5d2b851..91794ae 100644 --- a/cluster/prod/app/backup/secrets.toml +++ b/cluster/prod/app/backup/secrets.toml @@ -40,51 +40,53 @@ description = 'Backup AWS access key ID' # Postgresql backup -[secrets."backup/psql/aws_secret_access_key"] -type = 'user' -description = 'Minio secret key' - -[secrets."backup/psql/aws_access_key_id"] +[secrets."postgres/backup/aws_access_key_id"] type = 'user' description = 'Minio access key' -[secrets."backup/psql/crypt_public_key"] +[secrets."postgres/backup/aws_secret_access_key"] type = 'user' -description = 'A public key to encypt backups with age' +description = 'Minio secret key' -[secrets."backup/psql/crypt_private_key"] +[secrets."postgres/backup/crypt_public_key"] type = 'user' -description = 'a private key to decript backups from age' +description = 'A public key to encypt backups with age' -# SSH target config (do we still use this?) +# Plume backup -[secrets."backup/target_ssh_host"] +[secrets."plume/backup_restic_repository"] type = 'user' -description = 'Hostname of the backup target host' +description = 'Restic repository' +example = 's3:https://s3.garage.tld' -[secrets."backup/target_ssh_port"] +[secrets."plume/backup_restic_password"] type = 'user' -description = 'SSH port number to connect to the target host' +description = 'Restic password to encrypt backups' -[secrets."backup/target_ssh_dir"] +[secrets."plume/backup_aws_secret_access_key"] type = 'user' -description = 'Directory where to store backups on target host' +description = 'Backup AWS secret access key' -[secrets."backup/target_ssh_user"] +[secrets."plume/backup_aws_access_key_id"] type = 'user' -description = 'SSH username to log in as on the target host' +description = 'Backup AWS access key ID' -[secrets."backup/target_ssh_fingerprint"] + +# Dovecot backup + +[secrets."email/dovecot/backup_restic_password"] type = 'user' -description = 'SSH fingerprint of the target machine (format: copy here the corresponding line from your known_hosts file)' +description = 'Restic backup password to encrypt data' -[secrets."backup/id_ed25519"] +[secrets."email/dovecot/backup_aws_secret_access_key"] type = 'user' -multiline = true -description = 'Private ed25519 key of the container doing the backup' +description = 'AWS Secret Access key' -[secrets."backup/id_ed25519.pub"] +[secrets."email/dovecot/backup_restic_repository"] type = 'user' -description = 'Public ed25519 key of the container doing the backup (this key must be in authorized_keys on the backup target host)' +description = 'Restic Repository URL, check op_guide/backup-minio to see the format' +[secrets."email/dovecot/backup_aws_access_key_id"] +type = 'user' +description = 'AWS Acces Key ID' -- cgit v1.2.3