Migrate prod cluster secrets to new format
This commit is contained in:
parent
6d6e48c8fa
commit
87bb031ed0
110 changed files with 457 additions and 99 deletions
90
cluster/prod/app/backup/secrets.toml
Normal file
90
cluster/prod/app/backup/secrets.toml
Normal file
|
@ -0,0 +1,90 @@
|
||||||
|
# Cryptpad backup
|
||||||
|
|
||||||
|
[secrets."backup/cryptpad/backup_restic_password"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'Restic password to encrypt backups'
|
||||||
|
|
||||||
|
[secrets."backup/cryptpad/backup_aws_secret_access_key"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'Backup AWS secret access key'
|
||||||
|
|
||||||
|
[secrets."backup/cryptpad/backup_restic_repository"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'Restic repository'
|
||||||
|
example = 's3:https://s3.garage.tld'
|
||||||
|
|
||||||
|
[secrets."backup/cryptpad/backup_aws_access_key_id"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'Backup AWS access key ID'
|
||||||
|
|
||||||
|
|
||||||
|
# Consul backup
|
||||||
|
|
||||||
|
[secrets."backup/consul/backup_restic_password"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'Restic password to encrypt backups'
|
||||||
|
|
||||||
|
[secrets."backup/consul/backup_aws_secret_access_key"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'Backup AWS secret access key'
|
||||||
|
|
||||||
|
[secrets."backup/consul/backup_restic_repository"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'Restic repository'
|
||||||
|
example = 's3:https://s3.garage.tld'
|
||||||
|
|
||||||
|
[secrets."backup/consul/backup_aws_access_key_id"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'Backup AWS access key ID'
|
||||||
|
|
||||||
|
|
||||||
|
# Postgresql backup
|
||||||
|
|
||||||
|
[secrets."backup/psql/aws_secret_access_key"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'Minio secret key'
|
||||||
|
|
||||||
|
[secrets."backup/psql/aws_access_key_id"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'Minio access key'
|
||||||
|
|
||||||
|
[secrets."backup/psql/crypt_public_key"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'A public key to encypt backups with age'
|
||||||
|
|
||||||
|
[secrets."backup/psql/crypt_private_key"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'a private key to decript backups from age'
|
||||||
|
|
||||||
|
|
||||||
|
# SSH target config (do we still use this?)
|
||||||
|
|
||||||
|
[secrets."backup/target_ssh_host"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'Hostname of the backup target host'
|
||||||
|
|
||||||
|
[secrets."backup/target_ssh_port"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'SSH port number to connect to the target host'
|
||||||
|
|
||||||
|
[secrets."backup/target_ssh_dir"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'Directory where to store backups on target host'
|
||||||
|
|
||||||
|
[secrets."backup/target_ssh_user"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'SSH username to log in as on the target host'
|
||||||
|
|
||||||
|
[secrets."backup/target_ssh_fingerprint"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'SSH fingerprint of the target machine (format: copy here the corresponding line from your known_hosts file)'
|
||||||
|
|
||||||
|
[secrets."backup/id_ed25519"]
|
||||||
|
type = 'user'
|
||||||
|
multiline = true
|
||||||
|
description = 'Private ed25519 key of the container doing the backup'
|
||||||
|
|
||||||
|
[secrets."backup/id_ed25519.pub"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'Public ed25519 key of the container doing the backup (this key must be in authorized_keys on the backup target host)'
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
USER Backup AWS access key ID
|
|
|
@ -1 +0,0 @@
|
||||||
USER Backup AWS secret access key
|
|
|
@ -1 +0,0 @@
|
||||||
USER Restic password to encrypt backups
|
|
|
@ -1 +0,0 @@
|
||||||
USER Restic repository, eg. s3:https://s3.garage.tld
|
|
|
@ -1 +0,0 @@
|
||||||
USER Backup AWS access key ID
|
|
|
@ -1 +0,0 @@
|
||||||
USER Backup AWS secret access key
|
|
|
@ -1 +0,0 @@
|
||||||
USER Restic password to encrypt backups
|
|
|
@ -1 +0,0 @@
|
||||||
USER Restic repository, eg. s3:https://s3.garage.tld
|
|
|
@ -1 +0,0 @@
|
||||||
USER_LONG Private ed25519 key of the container doing the backup
|
|
|
@ -1 +0,0 @@
|
||||||
USER Public ed25519 key of the container doing the backup (this key must be in authorized_keys on the backup target host)
|
|
|
@ -1 +0,0 @@
|
||||||
USER Minio access key
|
|
|
@ -1 +0,0 @@
|
||||||
USER Minio secret key
|
|
|
@ -1 +0,0 @@
|
||||||
USER a private key to decript backups from age
|
|
|
@ -1 +0,0 @@
|
||||||
USER A public key to encypt backups with age
|
|
|
@ -1 +0,0 @@
|
||||||
USER Directory where to store backups on target host
|
|
|
@ -1 +0,0 @@
|
||||||
USER SSH fingerprint of the target machine (format: copy here the corresponding line from your known_hosts file)
|
|
|
@ -1 +0,0 @@
|
||||||
USER Hostname of the backup target host
|
|
|
@ -1 +0,0 @@
|
||||||
USER SSH port number to connect to the target host
|
|
|
@ -1 +0,0 @@
|
||||||
USER SSH username to log in as on the target host
|
|
5
cluster/prod/app/core/secrets.toml
Normal file
5
cluster/prod/app/core/secrets.toml
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
[secrets."directory/ldap_base_dn"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'LDAP base DN for everything'
|
||||||
|
example = 'dc=example,dc=com'
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
USER LDAP base DN for everything (e.g. dc=example,dc=com)
|
|
47
cluster/prod/app/drone-ci/secrets.toml
Normal file
47
cluster/prod/app/drone-ci/secrets.toml
Normal file
|
@ -0,0 +1,47 @@
|
||||||
|
# Drone's secrets
|
||||||
|
|
||||||
|
[secrets."drone-ci/rpc_secret"]
|
||||||
|
type = 'command'
|
||||||
|
rotate = true
|
||||||
|
command = 'openssl rand -hex 16'
|
||||||
|
|
||||||
|
[secrets."drone-ci/cookie_secret"]
|
||||||
|
type = 'command'
|
||||||
|
rotate = true
|
||||||
|
command = 'openssl rand -hex 16'
|
||||||
|
|
||||||
|
[secrets."drone-ci/db_enc_secret"]
|
||||||
|
type = 'command'
|
||||||
|
command = 'openssl rand -hex 16'
|
||||||
|
|
||||||
|
|
||||||
|
# Oauth config for gitea
|
||||||
|
|
||||||
|
[secrets."drone-ci/oauth_client_secret"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'OAuth client secret (for gitea)'
|
||||||
|
|
||||||
|
[secrets."drone-ci/oauth_client_id"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'OAuth client ID (on Gitea)'
|
||||||
|
|
||||||
|
|
||||||
|
# S3 config for Git LFS storage
|
||||||
|
|
||||||
|
[secrets."drone-ci/s3_db_bucket"]
|
||||||
|
type = 'constant'
|
||||||
|
value = 'drone-db'
|
||||||
|
|
||||||
|
[secrets."drone-ci/s3_sk"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'S3 (garage) secret key for Drone'
|
||||||
|
|
||||||
|
[secrets."drone-ci/s3_ak"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'S3 (garage) access key for Drone'
|
||||||
|
|
||||||
|
[secrets."drone-ci/s3_storage_bucket"]
|
||||||
|
type = 'constant'
|
||||||
|
value = 'drone-storage'
|
||||||
|
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
CMD openssl rand -hex 16
|
|
|
@ -1 +0,0 @@
|
||||||
CMD_ONCE openssl rand -hex 16
|
|
|
@ -1 +0,0 @@
|
||||||
USER OAuth client ID (on Gitea)
|
|
|
@ -1 +0,0 @@
|
||||||
USER OAuth client secret (for gitea)
|
|
|
@ -1 +0,0 @@
|
||||||
CMD openssl rand -hex 16
|
|
|
@ -1 +0,0 @@
|
||||||
USER S3 (garage) access key for Drone
|
|
|
@ -1 +0,0 @@
|
||||||
CONST drone-db
|
|
|
@ -1 +0,0 @@
|
||||||
USER S3 (garage) secret key for Drone
|
|
|
@ -1 +0,0 @@
|
||||||
CONST drone-storage
|
|
58
cluster/prod/app/email/secrets.toml
Normal file
58
cluster/prod/app/email/secrets.toml
Normal file
|
@ -0,0 +1,58 @@
|
||||||
|
# ---- POSTFIX ----
|
||||||
|
|
||||||
|
[secrets."email/postfix/postfix.key"]
|
||||||
|
type = 'SSL_KEY'
|
||||||
|
name = 'postfix'
|
||||||
|
|
||||||
|
[secrets."email/postfix/postfix.crt"]
|
||||||
|
type = 'SSL_CERT'
|
||||||
|
name = 'postfix'
|
||||||
|
cert_domains = "['deuxfleurs.fr']"
|
||||||
|
|
||||||
|
[secrets."email/dkim/smtp.private"]
|
||||||
|
type = 'RSA_PRIVATE_KEY'
|
||||||
|
name = 'dkim'
|
||||||
|
|
||||||
|
# ---- DOVECOT ----
|
||||||
|
|
||||||
|
[service_users."dovecot"]
|
||||||
|
dn_secret = "email/dovecot/ldap_binddn"
|
||||||
|
password_secret = "email/dovecot/ldap_bindpwd"
|
||||||
|
|
||||||
|
|
||||||
|
[secrets."email/dovecot/dovecot.key"]
|
||||||
|
type = 'SSL_KEY'
|
||||||
|
name = 'dovecot'
|
||||||
|
|
||||||
|
[secrets."email/dovecot/dovecot.crt"]
|
||||||
|
type = 'SSL_CERT'
|
||||||
|
name = 'dovecot'
|
||||||
|
cert_domains = "['deuxfleurs.fr']"
|
||||||
|
|
||||||
|
|
||||||
|
[secrets."email/dovecot/backup_restic_password"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'Restic backup password to encrypt data'
|
||||||
|
|
||||||
|
[secrets."email/dovecot/backup_aws_secret_access_key"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'AWS Secret Access key'
|
||||||
|
|
||||||
|
[secrets."email/dovecot/backup_restic_repository"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'Restic Repository URL, check op_guide/backup-minio to see the format'
|
||||||
|
|
||||||
|
[secrets."email/dovecot/backup_aws_access_key_id"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'AWS Acces Key ID'
|
||||||
|
|
||||||
|
# ---- SOGO ----
|
||||||
|
|
||||||
|
[service_users."sogo"]
|
||||||
|
dn_secret = "email/sogo/ldap_binddn"
|
||||||
|
password_secret = "email/sogo/ldap_bindpw"
|
||||||
|
|
||||||
|
[secrets."email/sogo/postgre_auth"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'SoGo postgres auth (format: sogo:<password>) (TODO: replace this with two separate files and change template)'
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
RSA_PRIVATE_KEY dkim
|
|
|
@ -1 +0,0 @@
|
||||||
USER AWS Acces Key ID
|
|
|
@ -1 +0,0 @@
|
||||||
USER AWS Secret Access key
|
|
|
@ -1 +0,0 @@
|
||||||
USER Restic backup password to encrypt data
|
|
|
@ -1 +0,0 @@
|
||||||
USER Restic Repository URL, check op_guide/backup-minio to see the format
|
|
|
@ -1 +0,0 @@
|
||||||
SSL_CERT dovecot deuxfleurs.fr
|
|
|
@ -1 +0,0 @@
|
||||||
SSL_KEY dovecot
|
|
|
@ -1 +0,0 @@
|
||||||
SERVICE_DN dovecot Dovecot IMAP server
|
|
|
@ -1 +0,0 @@
|
||||||
SERVICE_PASSWORD dovecot
|
|
|
@ -1 +0,0 @@
|
||||||
SSL_CERT postfix deuxfleurs.fr
|
|
|
@ -1 +0,0 @@
|
||||||
SSL_KEY postfix
|
|
|
@ -1 +0,0 @@
|
||||||
SERVICE_DN sogo SoGo email frontend
|
|
|
@ -1 +0,0 @@
|
||||||
SERVICE_PASSWORD sogo
|
|
|
@ -1 +0,0 @@
|
||||||
USER SoGo postgres auth (format: sogo:<password>) (TODO: replace this with two separate files and change template)
|
|
14
cluster/prod/app/garage/secrets.toml
Normal file
14
cluster/prod/app/garage/secrets.toml
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
[secrets."garage/rpc_secret"]
|
||||||
|
type = 'command'
|
||||||
|
command = 'openssl rand -hex 32'
|
||||||
|
# can't auto-rotate, because we still have some nodes outside of Nomad
|
||||||
|
|
||||||
|
[secrets."garage/admin_token"]
|
||||||
|
type = 'command'
|
||||||
|
command = 'openssl rand -hex 32'
|
||||||
|
rotate = true
|
||||||
|
|
||||||
|
[secrets."garage/metrics_token"]
|
||||||
|
type = 'command'
|
||||||
|
command = 'openssl rand -hex 32'
|
||||||
|
rotate = true
|
|
@ -1 +0,0 @@
|
||||||
CMD_ONCE openssl rand -hex 32
|
|
|
@ -1 +0,0 @@
|
||||||
CMD_ONCE openssl rand -hex 32
|
|
|
@ -1 +0,0 @@
|
||||||
CMD_ONCE openssl rand -hex 32
|
|
51
cluster/prod/app/guichet/secrets.toml
Normal file
51
cluster/prod/app/guichet/secrets.toml
Normal file
|
@ -0,0 +1,51 @@
|
||||||
|
# General configuration
|
||||||
|
|
||||||
|
[secrets."directory/guichet/web_hostname"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com)'
|
||||||
|
|
||||||
|
|
||||||
|
# Mailing configuration
|
||||||
|
|
||||||
|
[secrets."directory/guichet/smtp_user"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'SMTP username'
|
||||||
|
|
||||||
|
[secrets."directory/guichet/smtp_pass"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'SMTP password'
|
||||||
|
|
||||||
|
[secrets."directory/guichet/smtp_server"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'SMTP server address (hostname:port)'
|
||||||
|
|
||||||
|
[secrets."directory/guichet/mail_from"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'E-mail address from which to send welcome emails to new users'
|
||||||
|
|
||||||
|
[secrets."directory/guichet/mail_domain"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'E-mail domain for new users (e.g. example.com)'
|
||||||
|
|
||||||
|
|
||||||
|
# S3 configuration
|
||||||
|
|
||||||
|
[secrets."directory/guichet/s3_endpoint"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'S3 endpoint URL'
|
||||||
|
|
||||||
|
[secrets."directory/guichet/s3_bucket"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'S3 bucket in which to store data files (such as profile pictures)'
|
||||||
|
|
||||||
|
[secrets."directory/guichet/s3_region"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'S3 region'
|
||||||
|
|
||||||
|
[secrets."directory/guichet/s3_access_key"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'Garage access key for Guichet profile pictures'
|
||||||
|
|
||||||
|
[secrets."directory/guichet/s3_secret_key"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'Garage secret key for Guichet profile pictures'
|
|
@ -1 +0,0 @@
|
||||||
USER E-mail domain for new users (e.g. example.com)
|
|
|
@ -1 +0,0 @@
|
||||||
USER E-mail address from which to send welcome emails to new users
|
|
|
@ -1 +0,0 @@
|
||||||
USER Garage access key for Guichet profile pictures
|
|
|
@ -1 +0,0 @@
|
||||||
USER S3 bucket in which to store data files (such as profile pictures)
|
|
|
@ -1 +0,0 @@
|
||||||
USER S3 endpoint URL
|
|
|
@ -1 +0,0 @@
|
||||||
USER S3 region
|
|
|
@ -1 +0,0 @@
|
||||||
USER Garage secret key for Guichet profile pictures
|
|
|
@ -1 +0,0 @@
|
||||||
USER SMTP password
|
|
|
@ -1 +0,0 @@
|
||||||
USER SMTP server address (hostname:port)
|
|
|
@ -1 +0,0 @@
|
||||||
USER SMTP username
|
|
|
@ -1 +0,0 @@
|
||||||
USER Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com)
|
|
36
cluster/prod/app/jitsi/secrets.toml
Normal file
36
cluster/prod/app/jitsi/secrets.toml
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
# Jitsi secrets
|
||||||
|
|
||||||
|
[secrets."jitsi/jvb_pass"]
|
||||||
|
type = 'command'
|
||||||
|
rotate = true
|
||||||
|
command = 'openssl rand -base64 24'
|
||||||
|
|
||||||
|
[secrets."jitsi/jicofo_pass"]
|
||||||
|
type = 'command'
|
||||||
|
rotate = true
|
||||||
|
command = 'openssl rand -base64 24'
|
||||||
|
|
||||||
|
|
||||||
|
# SSL: Jitsi
|
||||||
|
|
||||||
|
[secrets."jitsi/jitsi.crt"]
|
||||||
|
type = 'SSL_CERT'
|
||||||
|
name = 'jitsi'
|
||||||
|
cert_domains = "['jitsi']"
|
||||||
|
|
||||||
|
[secrets."jitsi/jitsi.key"]
|
||||||
|
type = 'SSL_KEY'
|
||||||
|
name = 'jitsi'
|
||||||
|
|
||||||
|
|
||||||
|
# SSL: Jitsi auth
|
||||||
|
|
||||||
|
[secrets."jitsi/auth.jitsi.crt"]
|
||||||
|
type = 'SSL_CERT'
|
||||||
|
name = 'jitsi_auth'
|
||||||
|
cert_domains = "['auth.jitsi']"
|
||||||
|
|
||||||
|
[secrets."jitsi/auth.jitsi.key"]
|
||||||
|
type = 'SSL_KEY'
|
||||||
|
name = 'jitsi_auth'
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
SSL_CERT jitsi_auth auth.jitsi
|
|
|
@ -1 +0,0 @@
|
||||||
SSL_KEY jitsi_auth auth.jitsi
|
|
|
@ -1 +0,0 @@
|
||||||
CMD openssl rand -base64 24
|
|
|
@ -1 +0,0 @@
|
||||||
SSL_CERT jitsi jitsi
|
|
|
@ -1 +0,0 @@
|
||||||
SSL_KEY jitsi jitsi
|
|
|
@ -1 +0,0 @@
|
||||||
CMD openssl rand -base64 24
|
|
92
cluster/prod/app/matrix/secrets.toml
Normal file
92
cluster/prod/app/matrix/secrets.toml
Normal file
|
@ -0,0 +1,92 @@
|
||||||
|
[service_users."matrix"]
|
||||||
|
description = 'Matrix service user'
|
||||||
|
dn_secret = 'chat/synapse/ldap_binddn'
|
||||||
|
password_secret = 'chat/synapse/ldap_bindpw'
|
||||||
|
|
||||||
|
|
||||||
|
# Postgresql DB
|
||||||
|
|
||||||
|
[secrets."chat/synapse/postgres_db"]
|
||||||
|
type = 'constant'
|
||||||
|
value = 'synapse'
|
||||||
|
|
||||||
|
[secrets."chat/synapse/postgres_user"]
|
||||||
|
type = 'service_username'
|
||||||
|
service = 'matrix'
|
||||||
|
|
||||||
|
[secrets."chat/synapse/postgres_pwd"]
|
||||||
|
type = 'service_password'
|
||||||
|
service = 'matrix'
|
||||||
|
|
||||||
|
|
||||||
|
# S3 access
|
||||||
|
|
||||||
|
[secrets."chat/synapse/s3_access_key"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'S3 access key ID for Matrix bucket'
|
||||||
|
|
||||||
|
[secrets."chat/synapse/s3_secret_key"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'S3 secret access key for Matrix bucket'
|
||||||
|
|
||||||
|
|
||||||
|
# Keys & stuff
|
||||||
|
|
||||||
|
[secrets."chat/synapse/homeserver.tls.dh"]
|
||||||
|
type = 'user'
|
||||||
|
multiline = true
|
||||||
|
description = 'DH parameters for matrix ssl key? how does this work?'
|
||||||
|
|
||||||
|
[secrets."chat/synapse/homeserver.tls.crt"]
|
||||||
|
type = 'SSL_CERT'
|
||||||
|
name = 'synapse'
|
||||||
|
cert_domains = "['im.deuxfleurs.fr']"
|
||||||
|
|
||||||
|
[secrets."chat/synapse/homeserver.tls.key"]
|
||||||
|
type = 'SSL_KEY'
|
||||||
|
name = 'synapse'
|
||||||
|
|
||||||
|
[secrets."chat/synapse/homeserver.signing.key"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'Synapse homeserver ed25519 signing key'
|
||||||
|
|
||||||
|
[secrets."chat/synapse/registration_shared_secret"]
|
||||||
|
type = 'command'
|
||||||
|
rotate = true
|
||||||
|
command = 'head -c 32 /dev/urandom | base64'
|
||||||
|
|
||||||
|
|
||||||
|
# ----------- COTURN -----------
|
||||||
|
|
||||||
|
[secrets."chat/coturn/static-auth"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'coturn static-auth (what is this?)'
|
||||||
|
|
||||||
|
[secrets."chat/coturn/static_auth_secret_zinzdev"]
|
||||||
|
type = 'user'
|
||||||
|
description = "Serveur coturn (TURN/STUN) d'Adrien, c'est un jeton d'identification."
|
||||||
|
|
||||||
|
|
||||||
|
# ----------- EASYBRIDGE (we will remove this one day) -----------
|
||||||
|
|
||||||
|
[service_users."easybridge"]
|
||||||
|
description = 'Easybridge service user'
|
||||||
|
password_secret = 'chat/easybridge/db_pass'
|
||||||
|
username_secret = 'chat/easybridge/db_user'
|
||||||
|
|
||||||
|
|
||||||
|
[secrets."chat/easybridge/as_token"]
|
||||||
|
type = 'command'
|
||||||
|
rotate = true
|
||||||
|
command = 'openssl rand -hex 32'
|
||||||
|
|
||||||
|
[secrets."chat/easybridge/web_session_key"]
|
||||||
|
type = 'command'
|
||||||
|
rotate = true
|
||||||
|
command = 'openssl rand -hex 32'
|
||||||
|
|
||||||
|
[secrets."chat/easybridge/hs_token"]
|
||||||
|
type = 'command'
|
||||||
|
rotate = true
|
||||||
|
command = 'openssl rand -hex 32'
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
USER coturn static-auth (what is this?)
|
|
|
@ -1 +0,0 @@
|
||||||
USER Serveur coturn (TURN/STUN) d'Adrien, c'est un jeton d'identification.
|
|
|
@ -1 +0,0 @@
|
||||||
CMD openssl rand -hex 32
|
|
|
@ -1 +0,0 @@
|
||||||
SERVICE_PASSWORD easybridge
|
|
|
@ -1 +0,0 @@
|
||||||
CONST easybridge
|
|
|
@ -1 +0,0 @@
|
||||||
CMD openssl rand -hex 32
|
|
|
@ -1,2 +0,0 @@
|
||||||
CMD openssl rand -hex 32
|
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
CMD openssl rand -hex 32
|
|
|
@ -1 +0,0 @@
|
||||||
USER fb2mx database URL, format: postgres://username:password@hostname/dbname
|
|
|
@ -1 +0,0 @@
|
||||||
CMD openssl rand -hex 32
|
|
|
@ -1 +0,0 @@
|
||||||
USER Synapse homeserver ed25519 signing key
|
|
|
@ -1 +0,0 @@
|
||||||
SSL_CERT synapse im.deuxfleurs.fr
|
|
|
@ -1 +0,0 @@
|
||||||
USER_LONG DH parameters for matrix ssl key? how does this work?
|
|
|
@ -1 +0,0 @@
|
||||||
SSL_KEY synapse im.deuxfleurs.fr
|
|
|
@ -1 +0,0 @@
|
||||||
SERVICE_DN matrix Matrix chat server
|
|
|
@ -1 +0,0 @@
|
||||||
SERVICE_PASSWORD matrix
|
|
|
@ -1 +0,0 @@
|
||||||
CONST synapse
|
|
|
@ -1 +0,0 @@
|
||||||
SERVICE_PASSWORD matrix
|
|
|
@ -1 +0,0 @@
|
||||||
CONST matrix
|
|
|
@ -1 +0,0 @@
|
||||||
CMD head -c 32 /dev/urandom | base64
|
|
|
@ -1 +0,0 @@
|
||||||
USER matrix
|
|
|
@ -1 +0,0 @@
|
||||||
USER matrix
|
|
29
cluster/prod/app/plume/secrets.toml
Normal file
29
cluster/prod/app/plume/secrets.toml
Normal file
|
@ -0,0 +1,29 @@
|
||||||
|
[service_user."plume"]
|
||||||
|
password_secret = "plume/pgsql_pw"
|
||||||
|
|
||||||
|
|
||||||
|
[secrets."plume/secret_key"]
|
||||||
|
type = 'command'
|
||||||
|
rotate = true
|
||||||
|
command = 'openssl rand -base64 32'
|
||||||
|
|
||||||
|
|
||||||
|
# Plume backup
|
||||||
|
|
||||||
|
[secrets."plume/backup_restic_repository"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'Restic repository'
|
||||||
|
example = 's3:https://s3.garage.tld'
|
||||||
|
|
||||||
|
[secrets."plume/backup_restic_password"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'Restic password to encrypt backups'
|
||||||
|
|
||||||
|
[secrets."plume/backup_aws_secret_access_key"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'Backup AWS secret access key'
|
||||||
|
|
||||||
|
[secrets."plume/backup_aws_access_key_id"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'Backup AWS access key ID'
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
USER Backup AWS access key ID
|
|
|
@ -1 +0,0 @@
|
||||||
USER Backup AWS secret access key
|
|
|
@ -1 +0,0 @@
|
||||||
USER Restic password to encrypt backups
|
|
|
@ -1 +0,0 @@
|
||||||
USER Restic repository, eg. s3:https://s3.garage.tld
|
|
|
@ -1 +0,0 @@
|
||||||
SERVICE_PASSWORD plume
|
|
|
@ -1 +0,0 @@
|
||||||
CMD openssl rand -base64 32
|
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue