Document secrets and add stub utility to manage them

This commit is contained in:
Alex 2021-01-16 17:37:34 +01:00
parent c74dc92feb
commit d4d0b100ad
79 changed files with 81 additions and 12 deletions

11
app/.gitignore vendored
View file

@ -1,11 +0,0 @@
# Blacklist everything cleverly
*/secrets/*
!*/secrets/*/
# Whitelist some patterns
!*.sample
!*.gen
!*.sh
!.gitignore
# Whitelist specific files

View file

@ -0,0 +1 @@
RSA_PRIVATE_KEY dkim

View file

@ -0,0 +1 @@
SSL_CERT dovecot deuxfleurs.fr

View file

@ -0,0 +1 @@
SSL_KEY dovecot

View file

@ -0,0 +1 @@
SERVICE_DN dovecot Dovecot IMAP server

View file

@ -0,0 +1 @@
SERVICE_PASSWORD dovecot

View file

@ -0,0 +1 @@
SSL_CERT postfix deuxfleurs.fr

View file

@ -0,0 +1 @@
SSL_KEY postfix

View file

@ -0,0 +1 @@
SERVICE_DN sogo SoGo email frontend

View file

@ -0,0 +1 @@
SERVICE_PASSWORD sogo

View file

@ -0,0 +1 @@
USER SoGo postgres auth (format: sogo:<password>) (TODO: replace this with two separate files and change template)

View file

@ -0,0 +1 @@
USER cotorn static-auth (what is this?)

View file

@ -0,0 +1 @@
USER fb2mx API server token

View file

@ -0,0 +1 @@
USER fb2mx database URL, format: postgres://username:password@hostname/dbname

View file

@ -1 +0,0 @@
postgres://username:password@hostname/dbname

View file

@ -0,0 +1 @@
USER fb2mx homeserver token

View file

@ -0,0 +1 @@
SSL_CERT synapse im.deuxfleurs.fr

View file

@ -0,0 +1 @@
USER_LONG DH parameters for matrix ssl key? how does this work?

View file

@ -0,0 +1 @@
SSL_KEY synapse im.deuxfleurs.fr

View file

@ -0,0 +1 @@
SERVICE_DN matrix Matrix chat server

View file

@ -0,0 +1 @@
SERVICE_PASSWORD matrix

View file

@ -0,0 +1 @@
CONST synapse

View file

@ -0,0 +1 @@
SERVICE_PASSWORD matrix

View file

@ -0,0 +1 @@
CONST matrix

View file

@ -0,0 +1 @@
USER Shared secret for homeserver registrations (?)

View file

@ -0,0 +1 @@
SSL_CERT jitsi_auth autj.jitsi.deuxfleurs.fr

View file

@ -0,0 +1 @@
SSL_KEY jitsi_auth autj.jitsi.deuxfleurs.fr

View file

@ -0,0 +1 @@
SSL_CERT jitsi jitsi.deuxfleurs.fr

View file

@ -0,0 +1 @@
SSL_KEY jitsi

View file

@ -0,0 +1 @@
SERVICE_PASSWORD platoo

View file

@ -0,0 +1 @@
SERVICE_PASSWORD replicator

View file

@ -0,0 +1 @@
CONST replicator

View file

@ -0,0 +1 @@
SERVICE_PASSWORD postgres

View file

@ -0,0 +1 @@
SERVICE_DN mysql MySQL/MariaDB database

View file

@ -0,0 +1 @@
SERVICE_PASSWORD mysql

View file

@ -0,0 +1 @@
USER mysql_pwd (what is this?)

View file

@ -0,0 +1 @@
USER Seafile peer key

44
app/secrets.py Normal file
View file

@ -0,0 +1,44 @@
#!/usr/bin/env python3
"""
TODO: this will be a utility to handle secrets in the Consul database
for the various components of the Deuxfleurs infrastructure
Functionnalities:
- check that secrets are correctly configured
- help user fill in secrets
- create LDAP service users and fill in corresponding secrets
- maybe one day: manage SSL certificates and keys
It uses files placed in <module_name>/secrets/* to know what secrets
it should handle. These secret files contain directives for what to do
about these secrets.
Example directives:
USER <description>
(a secret that must be filled in by the user)
USER_LONG <description>
(the same, indicates that the secret fits on several lines)
CONST <constant value>
(the secret has a constant value set here)
CONST_LONG
<constant value, several lines>
(same)
SERVICE_DN <service name> <service description>
(the LDAP DN of a service user)
SERVICE_PASSWORD <service name>
(the LDAP password for the corresponding service user)
SSL_CERT <cert name> <list of domains>
(a SSL domain for the given domains)
SSL_KEY <cert name>
(the SSL key going with corresponding certificate)
"""

View file

@ -0,0 +1 @@
USER web home_token (what is this?)

View file

@ -0,0 +1 @@
USER web quentin.dufour.io token (what is this?)