Merge pull request 'updated version of secretmgr' (#5) from new-secretmgr into main
Reviewed-on: #5
commit
3847c08181
151 changed files with 1147 additions and 568 deletions
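--- a/cluster/prod/app/backup/secrets.toml
+++ b/cluster/prod/app/backup/secrets.toml
@@ -0,0 +1,92 @@
+# Cryptpad backup
+
+[secrets."backup/cryptpad/backup_restic_password"]
+type = 'user'
+description = 'Restic password to encrypt backups'
+
+[secrets."backup/cryptpad/backup_aws_secret_access_key"]
+type = 'user'
+description = 'Backup AWS secret access key'
+
+[secrets."backup/cryptpad/backup_restic_repository"]
+type = 'user'
+description = 'Restic repository'
+example = 's3:https://s3.garage.tld'
+
+[secrets."backup/cryptpad/backup_aws_access_key_id"]
+type = 'user'
+description = 'Backup AWS access key ID'
+
+
+# Consul backup
+
+[secrets."backup/consul/backup_restic_password"]
+type = 'user'
+description = 'Restic password to encrypt backups'
+
+[secrets."backup/consul/backup_aws_secret_access_key"]
+type = 'user'
+description = 'Backup AWS secret access key'
+
+[secrets."backup/consul/backup_restic_repository"]
+type = 'user'
+description = 'Restic repository'
+example = 's3:https://s3.garage.tld'
+
+[secrets."backup/consul/backup_aws_access_key_id"]
+type = 'user'
+description = 'Backup AWS access key ID'
+
+
+# Postgresql backup
+
+[secrets."postgres/backup/aws_access_key_id"]
+type = 'user'
+description = 'Minio access key'
+
+[secrets."postgres/backup/aws_secret_access_key"]
+type = 'user'
+description = 'Minio secret key'
+
+[secrets."postgres/backup/crypt_public_key"]
+type = 'user'
+description = 'A public key to encypt backups with age'
+
+
+# Plume backup
+
+[secrets."plume/backup_restic_repository"]
+type = 'user'
+description = 'Restic repository'
+example = 's3:https://s3.garage.tld'
+
+[secrets."plume/backup_restic_password"]
+type = 'user'
+description = 'Restic password to encrypt backups'
+
+[secrets."plume/backup_aws_secret_access_key"]
+type = 'user'
+description = 'Backup AWS secret access key'
+
+[secrets."plume/backup_aws_access_key_id"]
+type = 'user'
+description = 'Backup AWS access key ID'
+
+
+# Dovecot backup
+
+[secrets."email/dovecot/backup_restic_password"]
+type = 'user'
+description = 'Restic backup password to encrypt data'
+
+[secrets."email/dovecot/backup_aws_secret_access_key"]
+type = 'user'
+description = 'AWS Secret Access key'
+
+[secrets."email/dovecot/backup_restic_repository"]
+type = 'user'
+description = 'Restic Repository URL, check op_guide/backup-minio to see the format'
+
+[secrets."email/dovecot/backup_aws_access_key_id"]
+type = 'user'
+description = 'AWS Acces Key ID'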
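Review bot: Two descriptions in the new file carry typos: `description = 'A public key to encypt backups with age'` under `postgres/backup/crypt_public_key` should read `encrypt`, and `description = 'AWS Acces Key ID'` under `email/dovecot/backup_aws_access_key_id` should read `Access`. The deletion hunks that follow this section remove descriptions for SSH-based backup target secrets (ed25519 key pair, target host, port, username, known_hosts fingerprint) and for the age private key, none of which has a counterpart here; if any job still templates those keys they need declarations in this file, and if the SSH path was retired a one-line `# ssh backup target secrets removed; only S3/restic backends remain` would tell the next reader so. Keeping the age decryption key out of cluster secrets is the right call for a backup-only job, so a comment stating that it is held offline would stop someone re-adding it. The files those deletion hunks belong to are not named in this rendering, so the above is inferred from their contents.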
@ -1 +0,0 @@
|
||||||
USER Backup AWS access key ID
|
|
|
@ -1 +0,0 @@
|
||||||
USER Backup AWS secret access key
|
|
|
@ -1 +0,0 @@
|
||||||
USER Restic password to encrypt backups
|
|
|
@ -1 +0,0 @@
|
||||||
USER Restic repository, eg. s3:https://s3.garage.tld
|
|
|
@ -1 +0,0 @@
|
||||||
USER Backup AWS access key ID
|
|
|
@ -1 +0,0 @@
|
||||||
USER Backup AWS secret access key
|
|
|
@ -1 +0,0 @@
|
||||||
USER Restic password to encrypt backups
|
|
|
@ -1 +0,0 @@
|
||||||
USER Restic repository, eg. s3:https://s3.garage.tld
|
|
|
@ -1 +0,0 @@
|
||||||
USER_LONG Private ed25519 key of the container doing the backup
|
|
|
@ -1 +0,0 @@
|
||||||
USER Public ed25519 key of the container doing the backup (this key must be in authorized_keys on the backup target host)
|
|
|
@ -1 +0,0 @@
|
||||||
USER Minio access key
|
|
|
@ -1 +0,0 @@
|
||||||
USER Minio secret key
|
|
|
@ -1 +0,0 @@
|
||||||
USER a private key to decript backups from age
|
|
|
@ -1 +0,0 @@
|
||||||
USER A public key to encypt backups with age
|
|
|
@ -1 +0,0 @@
|
||||||
USER Directory where to store backups on target host
|
|
|
@ -1 +0,0 @@
|
||||||
USER SSH fingerprint of the target machine (format: copy here the corresponding line from your known_hosts file)
|
|
|
@ -1 +0,0 @@
|
||||||
USER Hostname of the backup target host
|
|
|
@ -1 +0,0 @@
|
||||||
USER SSH port number to connect to the target host
|
|
|
@ -1 +0,0 @@
|
||||||
USER SSH username to log in as on the target host
|
|
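--- a/cluster/prod/app/core/secrets.toml
+++ b/cluster/prod/app/core/secrets.toml
@@ -0,0 +1,5 @@
+[secrets."directory/ldap_base_dn"]
+type = 'user'
+description = 'LDAP base DN for everything'
+example = 'dc=example,dc=com'
+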
@ -1 +0,0 @@
|
||||||
USER LDAP base DN for everything (e.g. dc=example,dc=com)
|
|
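--- a/cluster/prod/app/drone-ci/secrets.toml
+++ b/cluster/prod/app/drone-ci/secrets.toml
@@ -0,0 +1,48 @@
+# Drone's secrets
+
+[secrets."drone-ci/rpc_secret"]
+type = 'command'
+command = 'openssl rand -hex 16'
+# don't rotate, it would break all runners
+
+[secrets."drone-ci/cookie_secret"]
+type = 'command'
+rotate = true
+command = 'openssl rand -hex 16'
+
+[secrets."drone-ci/db_enc_secret"]
+type = 'command'
+command = 'openssl rand -hex 16'
+# don't rotate, it is used to encrypt data which we would lose if we change this
+
+
+# Oauth config for gitea
+
+[secrets."drone-ci/oauth_client_secret"]
+type = 'user'
+description = 'OAuth client secret (for gitea)'
+
+[secrets."drone-ci/oauth_client_id"]
+type = 'user'
+description = 'OAuth client ID (on Gitea)'
+
+
+# S3 config for Git LFS storage
+
+[secrets."drone-ci/s3_db_bucket"]
+type = 'constant'
+value = 'drone-db'
+
+[secrets."drone-ci/s3_sk"]
+type = 'user'
+description = 'S3 (garage) secret key for Drone'
+
+[secrets."drone-ci/s3_ak"]
+type = 'user'
+description = 'S3 (garage) access key for Drone'
+
+[secrets."drone-ci/s3_storage_bucket"]
+type = 'constant'
+value = 'drone-storage'
+
+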
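Review bot: Non-rotation of `drone-ci/rpc_secret` and `drone-ci/db_enc_secret` is expressed only in trailing comments, while `cookie_secret` sets `rotate = true`; if secretmgr's schema accepts an explicit boolean, `rotate = false` on the line above each comment would make the intent machine-visible and guard against a blanket rotation run that would, per the comments, break every runner and lose encrypted data. Key order also differs between entries (`rotate` sits between `type` and `command` in `cookie_secret`, the comment comes after `command` elsewhere); keeping `type`, `rotate`, `command` in one order across the file makes the rotating and non-rotating entries easy to scan. The heading `# S3 config for Git LFS storage` also covers `s3_db_bucket`, so something like `# S3 config (database dump and Git LFS buckets)` would describe the group better, assuming that is what `drone-db` holds.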
@ -1 +0,0 @@
|
||||||
CMD openssl rand -hex 16
|
|
|
@ -1 +0,0 @@
|
||||||
CMD_ONCE openssl rand -hex 16
|
|
|
@ -1 +0,0 @@
|
||||||
USER OAuth client ID (on Gitea)
|
|
|
@ -1 +0,0 @@
|
||||||
USER OAuth client secret (for gitea)
|
|
|
@ -1 +0,0 @@
|
||||||
CMD openssl rand -hex 16
|
|
|
@ -1 +0,0 @@
|
||||||
USER S3 (garage) access key for Drone
|
|
|
@ -1 +0,0 @@
|
||||||
CONST drone-db
|
|
|
@ -1 +0,0 @@
|
||||||
USER S3 (garage) secret key for Drone
|
|
|
@ -1 +0,0 @@
|
||||||
CONST drone-storage
|
|
|
@ -1,13 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=imap.deuxfleurs.fr"
|
|
||||||
openssl req \
|
|
||||||
-new \
|
|
||||||
-newkey rsa:4096 \
|
|
||||||
-days 3650 \
|
|
||||||
-nodes \
|
|
||||||
-x509 \
|
|
||||||
-subj ${TLSINFO} \
|
|
||||||
-keyout dovecot.key \
|
|
||||||
-out dovecot.crt
|
|
||||||
|
|
|
@ -1,13 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr"
|
|
||||||
openssl req \
|
|
||||||
-new \
|
|
||||||
-newkey rsa:4096 \
|
|
||||||
-days 3650 \
|
|
||||||
-nodes \
|
|
||||||
-x509 \
|
|
||||||
-subj ${TLSINFO} \
|
|
||||||
-keyout postfix.key \
|
|
||||||
-out postfix.crt
|
|
||||||
|
|
|
@ -150,13 +150,11 @@ job "email" {
|
||||||
|
|
||||||
# ----- secrets ------
|
# ----- secrets ------
|
||||||
template {
|
template {
|
||||||
# data = "{{ key \"secrets/email/dovecot/dovecot.crt\" }}"
|
|
||||||
data = "{{ with $d := key \"tricot/certs/imap.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"
|
data = "{{ with $d := key \"tricot/certs/imap.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"
|
||||||
destination = "secrets/ssl/certs/dovecot.crt"
|
destination = "secrets/ssl/certs/dovecot.crt"
|
||||||
perms = "400"
|
perms = "400"
|
||||||
}
|
}
|
||||||
template {
|
template {
|
||||||
# data = "{{ key \"secrets/email/dovecot/dovecot.key\" }}"
|
|
||||||
data = "{{ with $d := key \"tricot/certs/imap.deuxfleurs.fr\" | parseJSON }}{{ $d.key_pem }}{{ end }}"
|
data = "{{ with $d := key \"tricot/certs/imap.deuxfleurs.fr\" | parseJSON }}{{ $d.key_pem }}{{ end }}"
|
||||||
destination = "secrets/ssl/private/dovecot.key"
|
destination = "secrets/ssl/private/dovecot.key"
|
||||||
perms = "400"
|
perms = "400"
|
||||||
|
@ -381,14 +379,12 @@ job "email" {
|
||||||
|
|
||||||
# --- secrets ---
|
# --- secrets ---
|
||||||
template {
|
template {
|
||||||
# data = "{{ key \"secrets/email/postfix/postfix.crt\" }}"
|
|
||||||
data = "{{ with $d := key \"tricot/certs/smtp.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"
|
data = "{{ with $d := key \"tricot/certs/smtp.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"
|
||||||
destination = "secrets/ssl/postfix.crt"
|
destination = "secrets/ssl/postfix.crt"
|
||||||
perms = "400"
|
perms = "400"
|
||||||
}
|
}
|
||||||
|
|
||||||
template {
|
template {
|
||||||
# data = "{{ key \"secrets/email/postfix/postfix.key\" }}"
|
|
||||||
data = "{{ with $d := key \"tricot/certs/smtp.deuxfleurs.fr\" | parseJSON }}{{ $d.key_pem }}{{ end }}"
|
data = "{{ with $d := key \"tricot/certs/smtp.deuxfleurs.fr\" | parseJSON }}{{ $d.key_pem }}{{ end }}"
|
||||||
destination = "secrets/ssl/postfix.key"
|
destination = "secrets/ssl/postfix.key"
|
||||||
perms = "400"
|
perms = "400"
|
||||||
|
|
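--- a/cluster/prod/app/email/secrets.toml
+++ b/cluster/prod/app/email/secrets.toml
@@ -0,0 +1,23 @@
+# ---- POSTFIX ----
+
+[secrets."email/dkim/smtp.private"]
+type = 'RSA_PRIVATE_KEY'
+name = 'dkim'
+
+# ---- DOVECOT ----
+
+[service_users."dovecot"]
+dn_secret = "email/dovecot/ldap_binddn"
+password_secret = "email/dovecot/ldap_bindpwd"
+
+
+# ---- SOGO ----
+
+[service_users."sogo"]
+dn_secret = "email/sogo/ldap_binddn"
+password_secret = "email/sogo/ldap_bindpw"
+
+[secrets."email/sogo/postgre_auth"]
+type = 'user'
+description = 'SoGo postgres auth (format: sogo:<password>) (TODO: replace this with two separate files and change template)'
+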
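Review bot: The two service users point at differently spelled password secrets, `password_secret = "email/dovecot/ldap_bindpwd"` versus `password_secret = "email/sogo/ldap_bindpw"` (the matrix file also uses `ldap_bindpw`); if this mirrors the names the job templates already consume it is correct, but it reads like a typo, so a comment on the dovecot entry such as `# name kept as ldap_bindpwd to match the dovecot job template` would save the next reader a check. Quoting is mixed in this file (`"` inside the `service_users` tables, `'` everywhere else); both are valid TOML, but one form file-wide is easier to grep. The `postgre_auth` description already records the TODO about splitting the `sogo:<password>` composite into two secrets, which is worth doing since a combined value has to be re-entered by hand whenever the password alone changes.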
@ -1 +0,0 @@
|
||||||
RSA_PRIVATE_KEY dkim
|
|
|
@ -1 +0,0 @@
|
||||||
USER AWS Acces Key ID
|
|
|
@ -1 +0,0 @@
|
||||||
USER AWS Secret Access key
|
|
|
@ -1 +0,0 @@
|
||||||
USER Restic backup password to encrypt data
|
|
|
@ -1 +0,0 @@
|
||||||
USER Restic Repository URL, check op_guide/backup-minio to see the format
|
|
|
@ -1 +0,0 @@
|
||||||
SSL_CERT dovecot deuxfleurs.fr
|
|
|
@ -1 +0,0 @@
|
||||||
SSL_KEY dovecot
|
|
|
@ -1 +0,0 @@
|
||||||
SERVICE_DN dovecot Dovecot IMAP server
|
|
|
@ -1 +0,0 @@
|
||||||
SERVICE_PASSWORD dovecot
|
|
|
@ -1 +0,0 @@
|
||||||
SSL_CERT postfix deuxfleurs.fr
|
|
|
@ -1 +0,0 @@
|
||||||
SSL_KEY postfix
|
|
|
@ -1 +0,0 @@
|
||||||
SERVICE_DN sogo SoGo email frontend
|
|
|
@ -1 +0,0 @@
|
||||||
SERVICE_PASSWORD sogo
|
|
|
@ -1 +0,0 @@
|
||||||
USER SoGo postgres auth (format: sogo:<password>) (TODO: replace this with two separate files and change template)
|
|
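--- a/cluster/prod/app/garage/secrets.toml
+++ b/cluster/prod/app/garage/secrets.toml
@@ -0,0 +1,14 @@
+[secrets."garage/rpc_secret"]
+type = 'command'
+command = 'openssl rand -hex 32'
+# can't auto-rotate, because we still have some nodes outside of Nomad
+
+[secrets."garage/admin_token"]
+type = 'command'
+command = 'openssl rand -hex 32'
+rotate = true
+
+[secrets."garage/metrics_token"]
+type = 'command'
+command = 'openssl rand -hex 32'
+rotate = true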
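Review bot: `garage/admin_token` and `garage/metrics_token` gain `rotate = true`, whereas the three deletion hunks that follow this section (presumably the old garage secret files, their paths are not shown here) were all `CMD_ONCE openssl rand -hex 32`, i.e. generated once and never replaced; any copy of either token held outside Nomad-templated configuration, such as an operator's CLI setup or a metrics scraper, will stop working at the first rotation. The `rpc_secret` entry documents exactly this kind of out-of-band consumer, so a matching one-line comment on each rotating token, e.g. `# safe to rotate: all consumers read it from Nomad templates`, would record that the check was done, and if it does not hold for one of them `rotate = true` should be dropped there.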
@ -1 +0,0 @@
|
||||||
CMD_ONCE openssl rand -hex 32
|
|
|
@ -1 +0,0 @@
|
||||||
CMD_ONCE openssl rand -hex 32
|
|
|
@ -1 +0,0 @@
|
||||||
CMD_ONCE openssl rand -hex 32
|
|
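--- a/cluster/prod/app/guichet/secrets.toml
+++ b/cluster/prod/app/guichet/secrets.toml
@@ -0,0 +1,51 @@
+# General configuration
+
+[secrets."directory/guichet/web_hostname"]
+type = 'user'
+description = 'Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com)'
+
+
+# Mailing configuration
+
+[secrets."directory/guichet/smtp_user"]
+type = 'user'
+description = 'SMTP username'
+
+[secrets."directory/guichet/smtp_pass"]
+type = 'user'
+description = 'SMTP password'
+
+[secrets."directory/guichet/smtp_server"]
+type = 'user'
+description = 'SMTP server address (hostname:port)'
+
+[secrets."directory/guichet/mail_from"]
+type = 'user'
+description = 'E-mail address from which to send welcome emails to new users'
+
+[secrets."directory/guichet/mail_domain"]
+type = 'user'
+description = 'E-mail domain for new users (e.g. example.com)'
+
+
+# S3 configuration
+
+[secrets."directory/guichet/s3_endpoint"]
+type = 'user'
+description = 'S3 endpoint URL'
+
+[secrets."directory/guichet/s3_bucket"]
+type = 'user'
+description = 'S3 bucket in which to store data files (such as profile pictures)'
+
+[secrets."directory/guichet/s3_region"]
+type = 'user'
+description = 'S3 region'
+
+[secrets."directory/guichet/s3_access_key"]
+type = 'user'
+description = 'Garage access key for Guichet profile pictures'
+
+[secrets."directory/guichet/s3_secret_key"]
+type = 'user'
+description = 'Garage secret key for Guichet profile pictures'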
@ -1 +0,0 @@
|
||||||
USER E-mail domain for new users (e.g. example.com)
|
|
|
@ -1 +0,0 @@
|
||||||
USER E-mail address from which to send welcome emails to new users
|
|
|
@ -1 +0,0 @@
|
||||||
USER Garage access key for Guichet profile pictures
|
|
|
@ -1 +0,0 @@
|
||||||
USER S3 bucket in which to store data files (such as profile pictures)
|
|
|
@ -1 +0,0 @@
|
||||||
USER S3 endpoint URL
|
|
|
@ -1 +0,0 @@
|
||||||
USER S3 region
|
|
|
@ -1 +0,0 @@
|
||||||
USER Garage secret key for Guichet profile pictures
|
|
|
@ -1 +0,0 @@
|
||||||
USER SMTP password
|
|
|
@ -1 +0,0 @@
|
||||||
USER SMTP server address (hostname:port)
|
|
|
@ -1 +0,0 @@
|
||||||
USER SMTP username
|
|
|
@ -1 +0,0 @@
|
||||||
USER Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com)
|
|
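--- a/cluster/prod/app/jitsi/secrets.toml
+++ b/cluster/prod/app/jitsi/secrets.toml
@@ -0,0 +1,36 @@
+# Jitsi secrets
+
+[secrets."jitsi/jvb_pass"]
+type = 'command'
+rotate = true
+command = 'openssl rand -base64 24'
+
+[secrets."jitsi/jicofo_pass"]
+type = 'command'
+rotate = true
+command = 'openssl rand -base64 24'
+
+
+# SSL: Jitsi
+
+[secrets."jitsi/jitsi.crt"]
+type = 'SSL_CERT'
+name = 'jitsi'
+cert_domains = "['jitsi']"
+
+[secrets."jitsi/jitsi.key"]
+type = 'SSL_KEY'
+name = 'jitsi'
+
+
+# SSL: Jitsi auth
+
+[secrets."jitsi/auth.jitsi.crt"]
+type = 'SSL_CERT'
+name = 'jitsi_auth'
+cert_domains = "['auth.jitsi']"
+
+[secrets."jitsi/auth.jitsi.key"]
+type = 'SSL_KEY'
+name = 'jitsi_auth'
+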
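Review bot: `cert_domains = "['jitsi']"` and `cert_domains = "['auth.jitsi']"` encode a list as a string literal rather than as a TOML array, so the consumer has to re-parse the string and a multi-domain value would be ambiguous between JSON and Python list syntax. If secretmgr reads this key as a list, the native form `cert_domains = ['jitsi']` is unambiguous and validated by the TOML parser; if it genuinely expects a string, a comment on the first occurrence stating the expected syntax would stop someone "fixing" it later.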
@ -1 +0,0 @@
|
||||||
SSL_CERT jitsi_auth auth.jitsi
|
|
|
@ -1 +0,0 @@
|
||||||
SSL_KEY jitsi_auth auth.jitsi
|
|
|
@ -1 +0,0 @@
|
||||||
CMD openssl rand -base64 24
|
|
|
@ -1 +0,0 @@
|
||||||
SSL_CERT jitsi jitsi
|
|
|
@ -1 +0,0 @@
|
||||||
SSL_KEY jitsi jitsi
|
|
|
@ -1 +0,0 @@
|
||||||
CMD openssl rand -base64 24
|
|
|
@ -1,22 +1,6 @@
|
||||||
# vim:ft=yaml
|
# vim:ft=yaml
|
||||||
|
|
||||||
server_name: "deuxfleurs.fr"
|
server_name: "deuxfleurs.fr"
|
||||||
# PEM encoded X509 certificate for TLS.
|
|
||||||
# You can replace the self-signed certificate that synapse
|
|
||||||
# autogenerates on launch with your own SSL certificate + key pair
|
|
||||||
# if you like. Any required intermediary certificates can be
|
|
||||||
# appended after the primary certificate in hierarchical order.
|
|
||||||
tls_certificate_path: "/etc/matrix-synapse/homeserver.tls.crt"
|
|
||||||
|
|
||||||
# PEM encoded private key for TLS
|
|
||||||
tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key"
|
|
||||||
|
|
||||||
# PEM dh parameters for ephemeral keys
|
|
||||||
tls_dh_params_path: "/etc/matrix-synapse/homeserver.tls.dh"
|
|
||||||
|
|
||||||
# Don't bind to the https port
|
|
||||||
no_tls: True
|
|
||||||
|
|
||||||
|
|
||||||
## Server ##
|
## Server ##
|
||||||
|
|
||||||
|
|
|
@ -54,21 +54,6 @@ job "matrix" {
|
||||||
}
|
}
|
||||||
|
|
||||||
# --- secrets ---
|
# --- secrets ---
|
||||||
template {
|
|
||||||
data = "{{ key \"secrets/chat/synapse/homeserver.tls.crt\" }}"
|
|
||||||
destination = "secrets/conf/homeserver.tls.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
template {
|
|
||||||
data = "{{ key \"secrets/chat/synapse/homeserver.tls.dh\" }}"
|
|
||||||
destination = "secrets/conf/homeserver.tls.dh"
|
|
||||||
}
|
|
||||||
|
|
||||||
template {
|
|
||||||
data = "{{ key \"secrets/chat/synapse/homeserver.tls.key\" }}"
|
|
||||||
destination = "secrets/conf/homeserver.tls.key"
|
|
||||||
}
|
|
||||||
|
|
||||||
template {
|
template {
|
||||||
data = "{{ key \"secrets/chat/synapse/homeserver.signing.key\" }}"
|
data = "{{ key \"secrets/chat/synapse/homeserver.signing.key\" }}"
|
||||||
destination = "secrets/conf/homeserver.signing.key"
|
destination = "secrets/conf/homeserver.signing.key"
|
||||||
|
|
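--- a/cluster/prod/app/matrix/secrets.toml
+++ b/cluster/prod/app/matrix/secrets.toml
@@ -0,0 +1,81 @@
+[service_users."matrix"]
+description = 'Matrix service user'
+dn_secret = 'chat/synapse/ldap_binddn'
+password_secret = 'chat/synapse/ldap_bindpw'
+
+
+# Postgresql DB
+
+[secrets."chat/synapse/postgres_db"]
+type = 'user'
+description = 'Synapse PostgrSQL database name'
+example = 'synapse'
+
+[secrets."chat/synapse/postgres_user"]
+type = 'service_username'
+service = 'matrix'
+
+[secrets."chat/synapse/postgres_pwd"]
+type = 'service_password'
+service = 'matrix'
+
+
+# S3 access
+
+[secrets."chat/synapse/s3_access_key"]
+type = 'user'
+description = 'S3 access key ID for Matrix bucket'
+
+[secrets."chat/synapse/s3_secret_key"]
+type = 'user'
+description = 'S3 secret access key for Matrix bucket'
+
+
+# Keys & stuff
+
+[secrets."chat/synapse/homeserver.signing.key"]
+type = 'user'
+description = 'Synapse homeserver ed25519 signing key'
+
+[secrets."chat/synapse/registration_shared_secret"]
+type = 'command'
+rotate = true
+command = 'head -c 32 /dev/urandom | base64'
+
+
+# ===== OLD STUFF, KEPT FOR REFERENCE ====
+
+# ----------- COTURN -----------
+
+# [secrets."chat/coturn/static-auth"]
+# type = 'user'
+# description = 'coturn static-auth (what is this?)'
+#
+# [secrets."chat/coturn/static_auth_secret_zinzdev"]
+# type = 'user'
+# description = "Serveur coturn (TURN/STUN) d'Adrien, c'est un jeton d'identification."
+
+
+# ----------- EASYBRIDGE -----------
+
+# [service_users."easybridge"]
+# description = 'Easybridge service user'
+# password_secret = 'chat/easybridge/db_pass'
+# username_secret = 'chat/easybridge/db_user'
+#
+#
+# [secrets."chat/easybridge/as_token"]
+# type = 'command'
+# rotate = true
+# command = 'openssl rand -hex 32'
+#
+# [secrets."chat/easybridge/web_session_key"]
+# type = 'command'
+# rotate = true
+# command = 'openssl rand -hex 32'
+#
+# [secrets."chat/easybridge/hs_token"]
+# type = 'command'
+# rotate = true
+# command = 'openssl rand -hex 32'
+#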
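Review bot: `description = 'Synapse PostgrSQL database name'` has a typo and should read `PostgreSQL`. The `# ===== OLD STUFF, KEPT FOR REFERENCE ====` block of commented-out coturn and easybridge definitions is about a third of the file; git history already preserves them, so a one-line pointer such as `# coturn and easybridge secrets were removed in <commit id>` would keep the live file short and avoid a commented `rotate = true` being uncommented by accident. `[service_users."matrix"]` carries a `description`, which the dovecot and sogo service users in the email file do not; adding one there would keep the tables uniform.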
@ -1 +0,0 @@
|
||||||
USER coturn static-auth (what is this?)
|
|
|
@ -1 +0,0 @@
|
||||||
USER Serveur coturn (TURN/STUN) d'Adrien, c'est un jeton d'identification.
|
|
|
@ -1 +0,0 @@
|
||||||
CMD openssl rand -hex 32
|
|
|
@ -1 +0,0 @@
|
||||||
SERVICE_PASSWORD easybridge
|
|
|
@ -1 +0,0 @@
|
||||||
CONST easybridge
|
|
|
@ -1 +0,0 @@
|
||||||
CMD openssl rand -hex 32
|
|
|
@ -1,2 +0,0 @@
|
||||||
CMD openssl rand -hex 32
|
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
CMD openssl rand -hex 32
|
|
|
@ -1 +0,0 @@
|
||||||
USER fb2mx database URL, format: postgres://username:password@hostname/dbname
|
|
|
@ -1 +0,0 @@
|
||||||
CMD openssl rand -hex 32
|
|
|
@ -1 +0,0 @@
|
||||||
USER Synapse homeserver ed25519 signing key
|
|
|
@ -1 +0,0 @@
|
||||||
SSL_CERT synapse im.deuxfleurs.fr
|
|
|
@ -1 +0,0 @@
|
||||||
USER_LONG DH parameters for matrix ssl key? how does this work?
|
|
|
@ -1 +0,0 @@
|
||||||
SSL_KEY synapse im.deuxfleurs.fr
|
|
|
@ -1 +0,0 @@
|
||||||
SERVICE_DN matrix Matrix chat server
|
|
|
@ -1 +0,0 @@
|
||||||
SERVICE_PASSWORD matrix
|
|
|
@ -1 +0,0 @@
|
||||||
CONST synapse
|
|
|
@ -1 +0,0 @@
|
||||||
SERVICE_PASSWORD matrix
|
|
|
@ -1 +0,0 @@
|
||||||
CONST matrix
|
|
|
@ -1 +0,0 @@
|
||||||
CMD head -c 32 /dev/urandom | base64
|
|
|
@ -1 +0,0 @@
|
||||||
USER matrix
|
|
|
@ -1 +0,0 @@
|
||||||
USER matrix
|
|
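--- a/cluster/prod/app/plume/secrets.toml
+++ b/cluster/prod/app/plume/secrets.toml
@@ -0,0 +1,10 @@
+[service_user."plume"]
+password_secret = "plume/pgsql_pw"
+
+
+[secrets."plume/secret_key"]
+type = 'command'
+rotate = true
+command = 'openssl rand -base64 32'
+
+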
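Review bot: The table is named `[service_user."plume"]` (singular) while the email and matrix files use `[service_users."..."]`; unless secretmgr accepts both spellings this entry will be silently ignored, so it should read `[service_users."plume"]`. It also declares only `password_secret` without the `dn_secret` the other service users carry, and with a different naming pattern (`plume/pgsql_pw` rather than `.../ldap_bindpw`), which may be intentional for a Postgres-only account but deserves a comment saying so.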
@ -1 +0,0 @@
|
||||||
USER Backup AWS access key ID
|
|