Document secrets and add stub utility to manage them

app/.gitignore

@@ -1,11 +0,0 @@
-# Blacklist everything cleverly
-*/secrets/*
-!*/secrets/*/
-
-# Whitelist some patterns
-!*.sample
-!*.gen
-!*.sh
-!.gitignore
-
-# Whitelist specific files

app/email/secrets/email/dkim/smtp.private

@@ -0,0 +1 @@
+RSA_PRIVATE_KEY dkim

app/email/secrets/email/dovecot/dovecot.crt

@@ -0,0 +1 @@
+SSL_CERT dovecot deuxfleurs.fr

app/email/secrets/email/dovecot/dovecot.key

@@ -0,0 +1 @@
+SSL_KEY dovecot

app/email/secrets/email/dovecot/ldap_binddn

@@ -0,0 +1 @@
+SERVICE_DN dovecot Dovecot IMAP server

app/email/secrets/email/dovecot/ldap_bindpwd

@@ -0,0 +1 @@
+SERVICE_PASSWORD dovecot

app/email/secrets/email/postfix/postfix.crt

@@ -0,0 +1 @@
+SSL_CERT postfix deuxfleurs.fr

app/email/secrets/email/postfix/postfix.key

@@ -0,0 +1 @@
+SSL_KEY postfix

app/email/secrets/email/sogo/ldap_binddn

@@ -0,0 +1 @@
+SERVICE_DN sogo SoGo email frontend

app/email/secrets/email/sogo/ldap_bindpw

@@ -0,0 +1 @@
+SERVICE_PASSWORD sogo

app/email/secrets/email/sogo/postgre_auth

@@ -0,0 +1 @@
+USER SoGo postgres auth (format: sogo:<password>) (TODO: replace this with two separate files and change template)

app/im/secrets/chat/coturn/static-auth

@@ -0,0 +1 @@
+USER cotorn static-auth (what is this?)

app/im/secrets/chat/fb2mx/as_token

@@ -0,0 +1 @@
+USER fb2mx API server token

app/im/secrets/chat/fb2mx/db_url

@@ -0,0 +1 @@
+USER fb2mx database URL, format: postgres://username:password@hostname/dbname

app/im/secrets/chat/fb2mx/db_url.sample

@@ -1 +0,0 @@
-postgres://username:password@hostname/dbname

app/im/secrets/chat/fb2mx/hs_token

@@ -0,0 +1 @@
+USER fb2mx homeserver token

app/im/secrets/chat/synapse/homeserver.tls.crt

@@ -0,0 +1 @@
+SSL_CERT synapse im.deuxfleurs.fr

app/im/secrets/chat/synapse/homeserver.tls.dh

@@ -0,0 +1 @@
+USER_LONG DH parameters for matrix ssl key? how does this work?

app/im/secrets/chat/synapse/homeserver.tls.key

@@ -0,0 +1 @@
+SSL_KEY synapse im.deuxfleurs.fr

app/im/secrets/chat/synapse/ldap_binddn

@@ -0,0 +1 @@
+SERVICE_DN matrix Matrix chat server

app/im/secrets/chat/synapse/ldap_bindpw

@@ -0,0 +1 @@
+SERVICE_PASSWORD matrix

app/im/secrets/chat/synapse/postgres_db

@@ -0,0 +1 @@
+CONST synapse

app/im/secrets/chat/synapse/postgres_pwd

@@ -0,0 +1 @@
+SERVICE_PASSWORD matrix

app/im/secrets/chat/synapse/postgres_user

@@ -0,0 +1 @@
+CONST matrix

app/im/secrets/chat/synapse/registration_shared_secret

@@ -0,0 +1 @@
+USER Shared secret for homeserver registrations (?)

app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt

@@ -0,0 +1 @@
+SSL_CERT jitsi_auth autj.jitsi.deuxfleurs.fr

app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key

@@ -0,0 +1 @@
+SSL_KEY jitsi_auth autj.jitsi.deuxfleurs.fr

app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt

@@ -0,0 +1 @@
+SSL_CERT jitsi jitsi.deuxfleurs.fr

app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key

@@ -0,0 +1 @@
+SSL_KEY jitsi

app/platoo/secrets/platoo/bddpw

@@ -0,0 +1 @@
+SERVICE_PASSWORD platoo

app/postgres/secrets/postgres/keeper/pg_repl_pwd

@@ -0,0 +1 @@
+SERVICE_PASSWORD replicator

app/postgres/secrets/postgres/keeper/pg_repl_username

@@ -0,0 +1 @@
+CONST replicator

app/postgres/secrets/postgres/keeper/pg_su_pwd

@@ -0,0 +1 @@
+SERVICE_PASSWORD postgres

app/seafile/secrets/mariadb/main/ldap_binddn

@@ -0,0 +1 @@
+SERVICE_DN mysql MySQL/MariaDB database

app/seafile/secrets/mariadb/main/ldap_bindpwd

@@ -0,0 +1 @@
+SERVICE_PASSWORD mysql

app/seafile/secrets/mariadb/main/mysql_pwd

@@ -0,0 +1 @@
+USER mysql_pwd (what is this?)

app/seafile/secrets/seafile/conf/mykey.peer

@@ -0,0 +1 @@
+USER Seafile peer key

app/secrets.py

@@ -0,0 +1,44 @@
+#!/usr/bin/env python3
+
+"""
+TODO: this will be a utility to handle secrets in the Consul database
+for the various components of the Deuxfleurs infrastructure
+
+Functionnalities:
+- check that secrets are correctly configured
+- help user fill in secrets
+- create LDAP service users and fill in corresponding secrets
+- maybe one day: manage SSL certificates and keys
+
+It uses files placed in <module_name>/secrets/* to know what secrets
+it should handle. These secret files contain directives for what to do
+about these secrets.
+
+Example directives:
+
+USER <description>
+(a secret that must be filled in by the user)
+
+USER_LONG <description>
+(the same, indicates that the secret fits on several lines)
+
+CONST <constant value>
+(the secret has a constant value set here)
+
+CONST_LONG
+<constant value, several lines>
+(same)
+
+SERVICE_DN <service name> <service description>
+(the LDAP DN of a service user)
+
+SERVICE_PASSWORD <service name>
+(the LDAP password for the corresponding service user)
+
+SSL_CERT <cert name> <list of domains>
+(a SSL domain for the given domains)
+
+SSL_KEY <cert name>
+(the SSL key going with corresponding certificate)
+"""
+

app/web_static/secrets/web/home_token

@@ -0,0 +1 @@
+USER web home_token (what is this?)

app/web_static/secrets/web/quentin.dufour.io_token

@@ -0,0 +1 @@
+USER web quentin.dufour.io token (what is this?)