From 87bb031ed00b7993a29d74aee2e89875c5444caf Mon Sep 17 00:00:00 2001 
From: Alex Auvolat Date: Sun, 25 Dec 2022 22:31:18 +0100 Subject: Migrate prod cluster secrets to new format --- cluster/prod/app/email/secrets.toml | 58 ++++++++++++++++++++++ .../prod/app/email/secrets/email/dkim/smtp.private | 1 - .../secrets/email/dovecot/backup_aws_access_key_id | 1 - .../email/dovecot/backup_aws_secret_access_key | 1 - .../secrets/email/dovecot/backup_restic_password | 1 - .../secrets/email/dovecot/backup_restic_repository | 1 - .../app/email/secrets/email/dovecot/dovecot.crt | 1 - .../app/email/secrets/email/dovecot/dovecot.key | 1 - .../app/email/secrets/email/dovecot/ldap_binddn | 1 - .../app/email/secrets/email/dovecot/ldap_bindpwd | 1 - .../app/email/secrets/email/postfix/postfix.crt | 1 - .../app/email/secrets/email/postfix/postfix.key | 1 - .../prod/app/email/secrets/email/sogo/ldap_binddn | 1 - .../prod/app/email/secrets/email/sogo/ldap_bindpw | 1 - .../prod/app/email/secrets/email/sogo/postgre_auth | 1 - 15 files changed, 58 insertions(+), 14 deletions(-) create mode 100644 cluster/prod/app/email/secrets.toml delete mode 100644 cluster/prod/app/email/secrets/email/dkim/smtp.private delete mode 100644 cluster/prod/app/email/secrets/email/dovecot/backup_aws_access_key_id delete mode 100644 cluster/prod/app/email/secrets/email/dovecot/backup_aws_secret_access_key delete mode 100644 cluster/prod/app/email/secrets/email/dovecot/backup_restic_password delete mode 100644 cluster/prod/app/email/secrets/email/dovecot/backup_restic_repository delete mode 100644 cluster/prod/app/email/secrets/email/dovecot/dovecot.crt delete mode 100644 cluster/prod/app/email/secrets/email/dovecot/dovecot.key delete mode 100644 cluster/prod/app/email/secrets/email/dovecot/ldap_binddn delete mode 100644 cluster/prod/app/email/secrets/email/dovecot/ldap_bindpwd delete mode 100644 cluster/prod/app/email/secrets/email/postfix/postfix.crt delete mode 100644 cluster/prod/app/email/secrets/email/postfix/postfix.key delete mode 100644 
cluster/prod/app/email/secrets/email/sogo/ldap_binddn delete mode 100644 cluster/prod/app/email/secrets/email/sogo/ldap_bindpw delete mode 100644 cluster/prod/app/email/secrets/email/sogo/postgre_auth (limited to 'cluster/prod/app/email')
diff --git a/cluster/prod/app/email/secrets.toml b/cluster/prod/app/email/secrets.toml
new file mode 100644
index 0000000..4efee49
--- /dev/null
+++ b/cluster/prod/app/email/secrets.toml
@@ -0,0 +1,58 @@
+# ---- POSTFIX ----
+
+[secrets."email/postfix/postfix.key"]
+type = 'SSL_KEY'
+name = 'postfix'
+
+[secrets."email/postfix/postfix.crt"]
+type = 'SSL_CERT'
+name = 'postfix'
+cert_domains = "['deuxfleurs.fr']"
+
+[secrets."email/dkim/smtp.private"]
+type = 'RSA_PRIVATE_KEY'
+name = 'dkim'
+
+# ---- DOVECOT ----
+
+[service_users."dovecot"]
+dn_secret = "email/dovecot/ldap_binddn"
+password_secret = "email/dovecot/ldap_bindpwd"
+
+
+[secrets."email/dovecot/dovecot.key"]
+type = 'SSL_KEY'
+name = 'dovecot'
+
+[secrets."email/dovecot/dovecot.crt"]
+type = 'SSL_CERT'
+name = 'dovecot'
+cert_domains = "['deuxfleurs.fr']"
+
+
+[secrets."email/dovecot/backup_restic_password"]
+type = 'user'
+description = 'Restic backup password to encrypt data'
+
+[secrets."email/dovecot/backup_aws_secret_access_key"]
+type = 'user'
+description = 'AWS Secret Access key'
+
+[secrets."email/dovecot/backup_restic_repository"]
+type = 'user'
+description = 'Restic Repository URL, check op_guide/backup-minio to see the format'
+
+[secrets."email/dovecot/backup_aws_access_key_id"]
+type = 'user'
+description = 'AWS Acces Key ID'
+
+# ---- SOGO ----
+
+[service_users."sogo"]
+dn_secret = "email/sogo/ldap_binddn"
+password_secret = "email/sogo/ldap_bindpw"
+
+[secrets."email/sogo/postgre_auth"]
+type = 'user'
+description = 'SoGo postgres auth (format: sogo:) (TODO: replace this with two separate files and change template)'
+
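Review bot: `cert_domains = "['deuxfleurs.fr']"` (twice in this hunk, for postfix.crt and dovecot.crt) is a quoted string that only looks like a list; unless the tool that reads secrets.toml deliberately parses that string itself, a native array `cert_domains = ['deuxfleurs.fr']` is what a TOML parser hands back as a list and avoids a second, ad-hoc parse of the value. The `type` values also mix case — `'SSL_KEY'`, `'SSL_CERT'`, `'RSA_PRIVATE_KEY'` versus `'user'` — where the deleted one-line files spelled it `USER`, so it is worth confirming which spelling the consumer matches, since a case-sensitive comparison would silently treat the four `'user'` entries as an unknown type. The human descriptions the old `ldap_binddn` files carried ("Dovecot IMAP server", "SoGo email frontend") are dropped in the new `[service_users.*]` tables; a comment such as `# Dovecot IMAP server` above each table would preserve them. Minor: the bind-password key is `ldap_bindpwd` for dovecot but `ldap_bindpw` for sogo, and `'AWS Acces Key ID'` carries a typo inherited from the old file.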
diff --git a/cluster/prod/app/email/secrets/email/dkim/smtp.private b/cluster/prod/app/email/secrets/email/dkim/smtp.private
deleted file mode 100644
index 3aa3621..0000000
--- a/cluster/prod/app/email/secrets/email/dkim/smtp.private
+++ /dev/null
@@ -1 +0,0 @@
-RSA_PRIVATE_KEY dkim
diff --git a/cluster/prod/app/email/secrets/email/dovecot/backup_aws_access_key_id b/cluster/prod/app/email/secrets/email/dovecot/backup_aws_access_key_id
deleted file mode 100644
index 9ae6adf..0000000
--- a/cluster/prod/app/email/secrets/email/dovecot/backup_aws_access_key_id
+++ /dev/null
@@ -1 +0,0 @@
-USER AWS Acces Key ID
diff --git a/cluster/prod/app/email/secrets/email/dovecot/backup_aws_secret_access_key b/cluster/prod/app/email/secrets/email/dovecot/backup_aws_secret_access_key
deleted file mode 100644
index ac95906..0000000
--- a/cluster/prod/app/email/secrets/email/dovecot/backup_aws_secret_access_key
+++ /dev/null
@@ -1 +0,0 @@
-USER AWS Secret Access key
diff --git a/cluster/prod/app/email/secrets/email/dovecot/backup_restic_password b/cluster/prod/app/email/secrets/email/dovecot/backup_restic_password
deleted file mode 100644
index c19a4a3..0000000
--- a/cluster/prod/app/email/secrets/email/dovecot/backup_restic_password
+++ /dev/null
@@ -1 +0,0 @@
-USER Restic backup password to encrypt data
diff --git a/cluster/prod/app/email/secrets/email/dovecot/backup_restic_repository b/cluster/prod/app/email/secrets/email/dovecot/backup_restic_repository
deleted file mode 100644
index 0434a15..0000000
--- a/cluster/prod/app/email/secrets/email/dovecot/backup_restic_repository
+++ /dev/null
@@ -1 +0,0 @@
-USER Restic Repository URL, check op_guide/backup-minio to see the format
diff --git a/cluster/prod/app/email/secrets/email/dovecot/dovecot.crt b/cluster/prod/app/email/secrets/email/dovecot/dovecot.crt
deleted file mode 100644
index 7229cfc..0000000
--- a/cluster/prod/app/email/secrets/email/dovecot/dovecot.crt
+++ /dev/null
@@ -1 +0,0 @@
-SSL_CERT dovecot deuxfleurs.fr
diff --git a/cluster/prod/app/email/secrets/email/dovecot/dovecot.key b/cluster/prod/app/email/secrets/email/dovecot/dovecot.key
deleted file mode 100644
index 0d42c79..0000000
--- a/cluster/prod/app/email/secrets/email/dovecot/dovecot.key
+++ /dev/null
@@ -1 +0,0 @@
-SSL_KEY dovecot
diff --git a/cluster/prod/app/email/secrets/email/dovecot/ldap_binddn b/cluster/prod/app/email/secrets/email/dovecot/ldap_binddn
deleted file mode 100644
index da380f2..0000000
--- a/cluster/prod/app/email/secrets/email/dovecot/ldap_binddn
+++ /dev/null
@@ -1 +0,0 @@
-SERVICE_DN dovecot Dovecot IMAP server
diff --git a/cluster/prod/app/email/secrets/email/dovecot/ldap_bindpwd b/cluster/prod/app/email/secrets/email/dovecot/ldap_bindpwd
deleted file mode 100644
index 068f663..0000000
--- a/cluster/prod/app/email/secrets/email/dovecot/ldap_bindpwd
+++ /dev/null
@@ -1 +0,0 @@
-SERVICE_PASSWORD dovecot
diff --git a/cluster/prod/app/email/secrets/email/postfix/postfix.crt b/cluster/prod/app/email/secrets/email/postfix/postfix.crt
deleted file mode 100644
index f004d67..0000000
--- a/cluster/prod/app/email/secrets/email/postfix/postfix.crt
+++ /dev/null
@@ -1 +0,0 @@
-SSL_CERT postfix deuxfleurs.fr
diff --git a/cluster/prod/app/email/secrets/email/postfix/postfix.key b/cluster/prod/app/email/secrets/email/postfix/postfix.key
deleted file mode 100644
index 2cf1706..0000000
--- a/cluster/prod/app/email/secrets/email/postfix/postfix.key
+++ /dev/null
@@ -1 +0,0 @@
-SSL_KEY postfix
diff --git a/cluster/prod/app/email/secrets/email/sogo/ldap_binddn b/cluster/prod/app/email/secrets/email/sogo/ldap_binddn
deleted file mode 100644
index df627d3..0000000
--- a/cluster/prod/app/email/secrets/email/sogo/ldap_binddn
+++ /dev/null
@@ -1 +0,0 @@
-SERVICE_DN sogo SoGo email frontend
diff --git a/cluster/prod/app/email/secrets/email/sogo/ldap_bindpw b/cluster/prod/app/email/secrets/email/sogo/ldap_bindpw
deleted file mode 100644
index 8d2f35b..0000000
--- a/cluster/prod/app/email/secrets/email/sogo/ldap_bindpw +++ /dev/null @@ -1 +0,0 @@ -SERVICE_PASSWORD sogo diff --git a/cluster/prod/app/email/secrets/email/sogo/postgre_auth b/cluster/prod/app/email/secrets/email/sogo/postgre_auth deleted file mode 100644 index 4f66253..0000000 --- a/cluster/prod/app/email/secrets/email/sogo/postgre_auth +++ /dev/null @@ -1 +0,0 @@ -USER SoGo postgres auth (format: sogo:) (TODO: replace this with two separate files and change template) -- cgit v1.2.3 From 8cee3b0043eda68d982e5359a0d009c83cbb85c4 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Sun, 25 Dec 2022 22:45:05 +0100 Subject: Update prod secret files --- cluster/prod/app/email/secrets.toml | 16 ---------------- 1 file changed, 16 deletions(-) (limited to 'cluster/prod/app/email') diff --git a/cluster/prod/app/email/secrets.toml b/cluster/prod/app/email/secrets.toml index 4efee49..95df626 100644 --- a/cluster/prod/app/email/secrets.toml +++ b/cluster/prod/app/email/secrets.toml @@ -30,22 +30,6 @@ name = 'dovecot' cert_domains = "['deuxfleurs.fr']" -[secrets."email/dovecot/backup_restic_password"] -type = 'user' -description = 'Restic backup password to encrypt data' - -[secrets."email/dovecot/backup_aws_secret_access_key"] -type = 'user' -description = 'AWS Secret Access key' - -[secrets."email/dovecot/backup_restic_repository"] -type = 'user' -description = 'Restic Repository URL, check op_guide/backup-minio to see the format' - -[secrets."email/dovecot/backup_aws_access_key_id"] -type = 'user' -description = 'AWS Acces Key ID' - # ---- SOGO ---- [service_users."sogo"] -- cgit v1.2.3 From 40f56707535a7167c1ea1e4bafb0868dfaba8117 Mon Sep 17 00:00:00 2001 
From: Alex Auvolat Date: Sun, 25 Dec 2022 23:03:37 +0100 Subject: Remove old way of doing email certs (self-signed) --- cluster/prod/app/email/config/dovecot/certs.gen | 13 ------------- cluster/prod/app/email/config/postfix/certs.gen | 13 ------------- cluster/prod/app/email/deploy/email.hcl | 4 ---- cluster/prod/app/email/secrets.toml | 19 ------------------- 4 files changed, 49 deletions(-) delete mode 100755 cluster/prod/app/email/config/dovecot/certs.gen delete mode 100755 cluster/prod/app/email/config/postfix/certs.gen (limited to 'cluster/prod/app/email') diff --git a/cluster/prod/app/email/config/dovecot/certs.gen b/cluster/prod/app/email/config/dovecot/certs.gen deleted file mode 100755 index f26e917..0000000 --- a/cluster/prod/app/email/config/dovecot/certs.gen +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash - -TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=imap.deuxfleurs.fr" -openssl req \ - -new \ - -newkey rsa:4096 \ - -days 3650 \ - -nodes \ - -x509 \ - -subj ${TLSINFO} \ - -keyout dovecot.key \ - -out dovecot.crt - diff --git a/cluster/prod/app/email/config/postfix/certs.gen b/cluster/prod/app/email/config/postfix/certs.gen deleted file mode 100755 index f25439b..0000000 --- a/cluster/prod/app/email/config/postfix/certs.gen +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash - -TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr" -openssl req \ - -new \ - -newkey rsa:4096 \ - -days 3650 \ - -nodes \ - -x509 \ - -subj ${TLSINFO} \ - -keyout postfix.key \ - -out postfix.crt - diff --git a/cluster/prod/app/email/deploy/email.hcl b/cluster/prod/app/email/deploy/email.hcl index 7925975..84f4c3b 100644 --- a/cluster/prod/app/email/deploy/email.hcl +++ b/cluster/prod/app/email/deploy/email.hcl 
@@ -150,13 +150,11 @@ job "email" { # ----- secrets ------ template { - # data = "{{ key \"secrets/email/dovecot/dovecot.crt\" }}" data = "{{ with $d := key \"tricot/certs/imap.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}" destination = "secrets/ssl/certs/dovecot.crt" perms = "400" } template { - # data = "{{ key \"secrets/email/dovecot/dovecot.key\" }}" data = "{{ with $d := key \"tricot/certs/imap.deuxfleurs.fr\" | parseJSON }}{{ $d.key_pem }}{{ end }}" destination = "secrets/ssl/private/dovecot.key" perms = "400" @@ -381,14 +379,12 @@ job "email" { # --- secrets --- template { - # data = "{{ key \"secrets/email/postfix/postfix.crt\" }}" data = "{{ with $d := key \"tricot/certs/smtp.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}" destination = "secrets/ssl/postfix.crt" perms = "400" } template { - # data = "{{ key \"secrets/email/postfix/postfix.key\" }}" data = "{{ with $d := key \"tricot/certs/smtp.deuxfleurs.fr\" | parseJSON }}{{ $d.key_pem }}{{ end }}" destination = "secrets/ssl/postfix.key" perms = "400" diff --git a/cluster/prod/app/email/secrets.toml b/cluster/prod/app/email/secrets.toml index 95df626..6263e33 100644 --- a/cluster/prod/app/email/secrets.toml +++ b/cluster/prod/app/email/secrets.toml @@ -1,14 +1,5 @@ # ---- POSTFIX ---- -[secrets."email/postfix/postfix.key"] -type = 'SSL_KEY' -name = 'postfix' - -[secrets."email/postfix/postfix.crt"] -type = 'SSL_CERT' -name = 'postfix' -cert_domains = "['deuxfleurs.fr']" - [secrets."email/dkim/smtp.private"] type = 'RSA_PRIVATE_KEY' name = 'dkim' @@ -20,16 +11,6 @@ dn_secret = "email/dovecot/ldap_binddn" password_secret = "email/dovecot/ldap_bindpwd" -[secrets."email/dovecot/dovecot.key"] -type = 'SSL_KEY' -name = 'dovecot' - -[secrets."email/dovecot/dovecot.crt"] -type = 'SSL_CERT' -name = 'dovecot' -cert_domains = "['deuxfleurs.fr']" - - # ---- SOGO ---- [service_users."sogo"] -- cgit v1.2.3