Reorganize app/ and add script for secret management #29
79 changed files with 81 additions and 12 deletions
11
app/.gitignore
vendored
11
app/.gitignore
vendored
|
@ -1,11 +0,0 @@
|
||||||
# Blacklist everything cleverly
|
|
||||||
*/secrets/*
|
|
||||||
!*/secrets/*/
|
|
||||||
|
|
||||||
# Whitelist some patterns
|
|
||||||
!*.sample
|
|
||||||
!*.gen
|
|
||||||
!*.sh
|
|
||||||
!.gitignore
|
|
||||||
|
|
||||||
# Whitelist specific files
|
|
1
app/email/secrets/email/dkim/smtp.private
Normal file
1
app/email/secrets/email/dkim/smtp.private
Normal file
|
@ -0,0 +1 @@
|
||||||
|
RSA_PRIVATE_KEY dkim
|
1
app/email/secrets/email/dovecot/dovecot.crt
Normal file
1
app/email/secrets/email/dovecot/dovecot.crt
Normal file
|
@ -0,0 +1 @@
|
||||||
|
SSL_CERT dovecot deuxfleurs.fr
|
1
app/email/secrets/email/dovecot/dovecot.key
Normal file
1
app/email/secrets/email/dovecot/dovecot.key
Normal file
|
@ -0,0 +1 @@
|
||||||
|
SSL_KEY dovecot
|
1
app/email/secrets/email/dovecot/ldap_binddn
Normal file
1
app/email/secrets/email/dovecot/ldap_binddn
Normal file
|
@ -0,0 +1 @@
|
||||||
|
SERVICE_DN dovecot Dovecot IMAP server
|
1
app/email/secrets/email/dovecot/ldap_bindpwd
Normal file
1
app/email/secrets/email/dovecot/ldap_bindpwd
Normal file
|
@ -0,0 +1 @@
|
||||||
|
SERVICE_PASSWORD dovecot
|
1
app/email/secrets/email/postfix/postfix.crt
Normal file
1
app/email/secrets/email/postfix/postfix.crt
Normal file
|
@ -0,0 +1 @@
|
||||||
|
SSL_CERT postfix deuxfleurs.fr
|
1
app/email/secrets/email/postfix/postfix.key
Normal file
1
app/email/secrets/email/postfix/postfix.key
Normal file
|
@ -0,0 +1 @@
|
||||||
|
SSL_KEY postfix
|
1
app/email/secrets/email/sogo/ldap_binddn
Normal file
1
app/email/secrets/email/sogo/ldap_binddn
Normal file
|
@ -0,0 +1 @@
|
||||||
|
SERVICE_DN sogo SoGo email frontend
|
1
app/email/secrets/email/sogo/ldap_bindpw
Normal file
1
app/email/secrets/email/sogo/ldap_bindpw
Normal file
|
@ -0,0 +1 @@
|
||||||
|
SERVICE_PASSWORD sogo
|
1
app/email/secrets/email/sogo/postgre_auth
Normal file
1
app/email/secrets/email/sogo/postgre_auth
Normal file
|
@ -0,0 +1 @@
|
||||||
|
USER SoGo postgres auth (format: sogo:<password>) (TODO: replace this with two separate files and change template)
|
1
app/im/secrets/chat/coturn/static-auth
Normal file
1
app/im/secrets/chat/coturn/static-auth
Normal file
|
@ -0,0 +1 @@
|
||||||
|
USER cotorn static-auth (what is this?)
|
1
app/im/secrets/chat/fb2mx/as_token
Normal file
1
app/im/secrets/chat/fb2mx/as_token
Normal file
|
@ -0,0 +1 @@
|
||||||
|
USER fb2mx API server token
|
1
app/im/secrets/chat/fb2mx/db_url
Normal file
1
app/im/secrets/chat/fb2mx/db_url
Normal file
|
@ -0,0 +1 @@
|
||||||
|
USER fb2mx database URL, format: postgres://username:password@hostname/dbname
|
|
@ -1 +0,0 @@
|
||||||
postgres://username:password@hostname/dbname
|
|
1
app/im/secrets/chat/fb2mx/hs_token
Normal file
1
app/im/secrets/chat/fb2mx/hs_token
Normal file
|
@ -0,0 +1 @@
|
||||||
|
USER fb2mx homeserver token
|
1
app/im/secrets/chat/synapse/homeserver.tls.crt
Normal file
1
app/im/secrets/chat/synapse/homeserver.tls.crt
Normal file
|
@ -0,0 +1 @@
|
||||||
|
SSL_CERT synapse im.deuxfleurs.fr
|
1
app/im/secrets/chat/synapse/homeserver.tls.dh
Normal file
1
app/im/secrets/chat/synapse/homeserver.tls.dh
Normal file
|
@ -0,0 +1 @@
|
||||||
|
USER_LONG DH parameters for matrix ssl key? how does this work?
|
1
app/im/secrets/chat/synapse/homeserver.tls.key
Normal file
1
app/im/secrets/chat/synapse/homeserver.tls.key
Normal file
|
@ -0,0 +1 @@
|
||||||
|
SSL_KEY synapse im.deuxfleurs.fr
|
1
app/im/secrets/chat/synapse/ldap_binddn
Normal file
1
app/im/secrets/chat/synapse/ldap_binddn
Normal file
|
@ -0,0 +1 @@
|
||||||
|
SERVICE_DN matrix Matrix chat server
|
1
app/im/secrets/chat/synapse/ldap_bindpw
Normal file
1
app/im/secrets/chat/synapse/ldap_bindpw
Normal file
|
@ -0,0 +1 @@
|
||||||
|
SERVICE_PASSWORD matrix
|
1
app/im/secrets/chat/synapse/postgres_db
Normal file
1
app/im/secrets/chat/synapse/postgres_db
Normal file
|
@ -0,0 +1 @@
|
||||||
|
CONST synapse
|
1
app/im/secrets/chat/synapse/postgres_pwd
Normal file
1
app/im/secrets/chat/synapse/postgres_pwd
Normal file
|
@ -0,0 +1 @@
|
||||||
|
SERVICE_PASSWORD matrix
|
1
app/im/secrets/chat/synapse/postgres_user
Normal file
1
app/im/secrets/chat/synapse/postgres_user
Normal file
|
@ -0,0 +1 @@
|
||||||
|
CONST matrix
|
1
app/im/secrets/chat/synapse/registration_shared_secret
Normal file
1
app/im/secrets/chat/synapse/registration_shared_secret
Normal file
|
@ -0,0 +1 @@
|
||||||
|
USER Shared secret for homeserver registrations (?)
|
1
app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt
Normal file
1
app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt
Normal file
|
@ -0,0 +1 @@
|
||||||
|
SSL_CERT jitsi_auth autj.jitsi.deuxfleurs.fr
|
1
app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key
Normal file
1
app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key
Normal file
|
@ -0,0 +1 @@
|
||||||
|
SSL_KEY jitsi_auth autj.jitsi.deuxfleurs.fr
|
1
app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt
Normal file
1
app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt
Normal file
|
@ -0,0 +1 @@
|
||||||
|
SSL_CERT jitsi jitsi.deuxfleurs.fr
|
1
app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key
Normal file
1
app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key
Normal file
|
@ -0,0 +1 @@
|
||||||
|
SSL_KEY jitsi
|
1
app/platoo/secrets/platoo/bddpw
Normal file
1
app/platoo/secrets/platoo/bddpw
Normal file
|
@ -0,0 +1 @@
|
||||||
|
SERVICE_PASSWORD platoo
|
1
app/postgres/secrets/postgres/keeper/pg_repl_pwd
Normal file
1
app/postgres/secrets/postgres/keeper/pg_repl_pwd
Normal file
|
@ -0,0 +1 @@
|
||||||
|
SERVICE_PASSWORD replicator
|
1
app/postgres/secrets/postgres/keeper/pg_repl_username
Normal file
1
app/postgres/secrets/postgres/keeper/pg_repl_username
Normal file
|
@ -0,0 +1 @@
|
||||||
|
CONST replicator
|
1
app/postgres/secrets/postgres/keeper/pg_su_pwd
Normal file
1
app/postgres/secrets/postgres/keeper/pg_su_pwd
Normal file
|
@ -0,0 +1 @@
|
||||||
|
SERVICE_PASSWORD postgres
|
1
app/seafile/secrets/mariadb/main/ldap_binddn
Normal file
1
app/seafile/secrets/mariadb/main/ldap_binddn
Normal file
|
@ -0,0 +1 @@
|
||||||
|
SERVICE_DN mysql MySQL/MariaDB database
|
1
app/seafile/secrets/mariadb/main/ldap_bindpwd
Normal file
1
app/seafile/secrets/mariadb/main/ldap_bindpwd
Normal file
|
@ -0,0 +1 @@
|
||||||
|
SERVICE_PASSWORD mysql
|
1
app/seafile/secrets/mariadb/main/mysql_pwd
Normal file
1
app/seafile/secrets/mariadb/main/mysql_pwd
Normal file
|
@ -0,0 +1 @@
|
||||||
|
USER mysql_pwd (what is this?)
|
1
app/seafile/secrets/seafile/conf/mykey.peer
Normal file
1
app/seafile/secrets/seafile/conf/mykey.peer
Normal file
|
@ -0,0 +1 @@
|
||||||
|
USER Seafile peer key
|
44
app/secrets.py
Normal file
44
app/secrets.py
Normal file
|
@ -0,0 +1,44 @@
|
||||||
|
#!/usr/bin/env python3
|
||||||
|
|
||||||
|
"""
|
||||||
|
TODO: this will be a utility to handle secrets in the Consul database
|
||||||
|
for the various components of the Deuxfleurs infrastructure
|
||||||
|
|
||||||
|
Functionnalities:
|
||||||
|
- check that secrets are correctly configured
|
||||||
|
- help user fill in secrets
|
||||||
|
- create LDAP service users and fill in corresponding secrets
|
||||||
|
- maybe one day: manage SSL certificates and keys
|
||||||
|
|
||||||
|
It uses files placed in <module_name>/secrets/* to know what secrets
|
||||||
|
it should handle. These secret files contain directives for what to do
|
||||||
|
about these secrets.
|
||||||
|
|
||||||
|
Example directives:
|
||||||
|
|
||||||
|
USER <description>
|
||||||
|
(a secret that must be filled in by the user)
|
||||||
|
|
||||||
|
USER_LONG <description>
|
||||||
|
(the same, indicates that the secret fits on several lines)
|
||||||
|
|
||||||
|
CONST <constant value>
|
||||||
|
(the secret has a constant value set here)
|
||||||
|
|
||||||
|
CONST_LONG
|
||||||
|
<constant value, several lines>
|
||||||
|
(same)
|
||||||
|
|
||||||
|
SERVICE_DN <service name> <service description>
|
||||||
|
(the LDAP DN of a service user)
|
||||||
|
|
||||||
|
SERVICE_PASSWORD <service name>
|
||||||
|
(the LDAP password for the corresponding service user)
|
||||||
|
|
||||||
|
SSL_CERT <cert name> <list of domains>
|
||||||
|
(a SSL domain for the given domains)
|
||||||
|
|
||||||
|
SSL_KEY <cert name>
|
||||||
|
(the SSL key going with corresponding certificate)
|
||||||
|
"""
|
||||||
|
|
1
app/web_static/secrets/web/home_token
Normal file
1
app/web_static/secrets/web/home_token
Normal file
|
@ -0,0 +1 @@
|
||||||
|
USER web home_token (what is this?)
|
1
app/web_static/secrets/web/quentin.dufour.io_token
Normal file
1
app/web_static/secrets/web/quentin.dufour.io_token
Normal file
|
@ -0,0 +1 @@
|
||||||
|
USER web quentin.dufour.io token (what is this?)
|
Reference in a new issue