From 8cee3b0043eda68d982e5359a0d009c83cbb85c4 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Sun, 25 Dec 2022 22:45:05 +0100 Subject: [PATCH] Update prod secret files --- cluster/prod/app/backup/secrets.toml | 56 ++++++++++++------------ cluster/prod/app/email/secrets.toml | 16 ------- cluster/prod/app/matrix/secrets.toml | 65 +++++++++++++++------------- cluster/prod/app/plume/secrets.toml | 19 -------- cluster/prod/secretmgr.toml | 10 +++++ 5 files changed, 73 insertions(+), 93 deletions(-) diff --git a/cluster/prod/app/backup/secrets.toml b/cluster/prod/app/backup/secrets.toml index 5d2b851..91794ae 100644 --- a/cluster/prod/app/backup/secrets.toml +++ b/cluster/prod/app/backup/secrets.toml @@ -40,51 +40,53 @@ description = 'Backup AWS access key ID' # Postgresql backup -[secrets."backup/psql/aws_secret_access_key"] -type = 'user' -description = 'Minio secret key' - -[secrets."backup/psql/aws_access_key_id"] +[secrets."postgres/backup/aws_access_key_id"] type = 'user' description = 'Minio access key' -[secrets."backup/psql/crypt_public_key"] +[secrets."postgres/backup/aws_secret_access_key"] +type = 'user' +description = 'Minio secret key' + +[secrets."postgres/backup/crypt_public_key"] type = 'user' description = 'A public key to encypt backups with age' -[secrets."backup/psql/crypt_private_key"] + +# Plume backup + +[secrets."plume/backup_restic_repository"] type = 'user' -description = 'a private key to decript backups from age' +description = 'Restic repository' +example = 's3:https://s3.garage.tld' - -# SSH target config (do we still use this?) - -[secrets."backup/target_ssh_host"] +[secrets."plume/backup_restic_password"] type = 'user' -description = 'Hostname of the backup target host' +description = 'Restic password to encrypt backups' -[secrets."backup/target_ssh_port"] +[secrets."plume/backup_aws_secret_access_key"] type = 'user' -description = 'SSH port number to connect to the target host' +description = 'Backup AWS secret access key' -[secrets."backup/target_ssh_dir"] +[secrets."plume/backup_aws_access_key_id"] type = 'user' -description = 'Directory where to store backups on target host' +description = 'Backup AWS access key ID' -[secrets."backup/target_ssh_user"] + +# Dovecot backup + +[secrets."email/dovecot/backup_restic_password"] type = 'user' -description = 'SSH username to log in as on the target host' +description = 'Restic backup password to encrypt data' -[secrets."backup/target_ssh_fingerprint"] +[secrets."email/dovecot/backup_aws_secret_access_key"] type = 'user' -description = 'SSH fingerprint of the target machine (format: copy here the corresponding line from your known_hosts file)' +description = 'AWS Secret Access key' -[secrets."backup/id_ed25519"] +[secrets."email/dovecot/backup_restic_repository"] type = 'user' -multiline = true -description = 'Private ed25519 key of the container doing the backup' +description = 'Restic Repository URL, check op_guide/backup-minio to see the format' -[secrets."backup/id_ed25519.pub"] +[secrets."email/dovecot/backup_aws_access_key_id"] type = 'user' -description = 'Public ed25519 key of the container doing the backup (this key must be in authorized_keys on the backup target host)' - +description = 'AWS Acces Key ID' diff --git a/cluster/prod/app/email/secrets.toml b/cluster/prod/app/email/secrets.toml index 4efee49..95df626 100644 --- a/cluster/prod/app/email/secrets.toml +++ b/cluster/prod/app/email/secrets.toml @@ -30,22 +30,6 @@ name = 'dovecot' cert_domains = "['deuxfleurs.fr']" -[secrets."email/dovecot/backup_restic_password"] -type = 'user' -description = 'Restic backup password to encrypt data' - -[secrets."email/dovecot/backup_aws_secret_access_key"] -type = 'user' -description = 'AWS Secret Access key' - -[secrets."email/dovecot/backup_restic_repository"] -type = 'user' -description = 'Restic Repository URL, check op_guide/backup-minio to see the format' - -[secrets."email/dovecot/backup_aws_access_key_id"] -type = 'user' -description = 'AWS Acces Key ID' - # ---- SOGO ---- [service_users."sogo"] diff --git a/cluster/prod/app/matrix/secrets.toml b/cluster/prod/app/matrix/secrets.toml index 6e4f027..98b2ddb 100644 --- a/cluster/prod/app/matrix/secrets.toml +++ b/cluster/prod/app/matrix/secrets.toml @@ -7,8 +7,9 @@ password_secret = 'chat/synapse/ldap_bindpw' # Postgresql DB [secrets."chat/synapse/postgres_db"] -type = 'constant' -value = 'synapse' +type = 'user' +description = 'Synapse PostgrSQL database name' +example = 'synapse' [secrets."chat/synapse/postgres_user"] type = 'service_username' @@ -56,37 +57,39 @@ rotate = true command = 'head -c 32 /dev/urandom | base64' +# ===== OLD STUFF, KEPT FOR REFERENCE ==== + # ----------- COTURN ----------- -[secrets."chat/coturn/static-auth"] -type = 'user' -description = 'coturn static-auth (what is this?)' - -[secrets."chat/coturn/static_auth_secret_zinzdev"] -type = 'user' -description = "Serveur coturn (TURN/STUN) d'Adrien, c'est un jeton d'identification." +# [secrets."chat/coturn/static-auth"] +# type = 'user' +# description = 'coturn static-auth (what is this?)' +# +# [secrets."chat/coturn/static_auth_secret_zinzdev"] +# type = 'user' +# description = "Serveur coturn (TURN/STUN) d'Adrien, c'est un jeton d'identification." -# ----------- EASYBRIDGE (we will remove this one day) ----------- - -[service_users."easybridge"] -description = 'Easybridge service user' -password_secret = 'chat/easybridge/db_pass' -username_secret = 'chat/easybridge/db_user' - - -[secrets."chat/easybridge/as_token"] -type = 'command' -rotate = true -command = 'openssl rand -hex 32' - -[secrets."chat/easybridge/web_session_key"] -type = 'command' -rotate = true -command = 'openssl rand -hex 32' - -[secrets."chat/easybridge/hs_token"] -type = 'command' -rotate = true -command = 'openssl rand -hex 32' +# ----------- EASYBRIDGE ----------- +# [service_users."easybridge"] +# description = 'Easybridge service user' +# password_secret = 'chat/easybridge/db_pass' +# username_secret = 'chat/easybridge/db_user' +# +# +# [secrets."chat/easybridge/as_token"] +# type = 'command' +# rotate = true +# command = 'openssl rand -hex 32' +# +# [secrets."chat/easybridge/web_session_key"] +# type = 'command' +# rotate = true +# command = 'openssl rand -hex 32' +# +# [secrets."chat/easybridge/hs_token"] +# type = 'command' +# rotate = true +# command = 'openssl rand -hex 32' +# diff --git a/cluster/prod/app/plume/secrets.toml b/cluster/prod/app/plume/secrets.toml index a445979..4d68a5c 100644 --- a/cluster/prod/app/plume/secrets.toml +++ b/cluster/prod/app/plume/secrets.toml @@ -8,22 +8,3 @@ rotate = true command = 'openssl rand -base64 32' -# Plume backup - -[secrets."plume/backup_restic_repository"] -type = 'user' -description = 'Restic repository' -example = 's3:https://s3.garage.tld' - -[secrets."plume/backup_restic_password"] -type = 'user' -description = 'Restic password to encrypt backups' - -[secrets."plume/backup_aws_secret_access_key"] -type = 'user' -description = 'Backup AWS secret access key' - -[secrets."plume/backup_aws_access_key_id"] -type = 'user' -description = 'Backup AWS access key ID' - diff --git a/cluster/prod/secretmgr.toml b/cluster/prod/secretmgr.toml index 88058e5..ea540e5 100644 --- a/cluster/prod/secretmgr.toml +++ b/cluster/prod/secretmgr.toml @@ -7,3 +7,13 @@ admin_dn = "cn=admin,dc=deuxfleurs,dc=org" [user_values] "directory/ldap_base_dn" = "dc=deuxfleurs,dc=fr" "directory/guichet/web_hostname" = "guichet.deuxfleurs.fr" +"directory/guichet/mail_domain" = "deuxfleurs.fr" +"directory/guichet/s3_bucket" = "bottin-pictures" +"directory/guichet/s3_endpoint" = "garage.deuxfleurs.fr" +"directory/guichet/s3_region" = "garage" +# TODO: fix smtp server, use deuxfleurs' smtp + +"drone-ci/s3_db_bucket" = "drone-db" +"drone-ci/s3_storage_bucket" = "drone-storage" + +"chat/synapse/postgres_db" = "synapse2"