Update prod secret files
This commit is contained in:
parent
87bb031ed0
commit
8cee3b0043
5 changed files with 73 additions and 93 deletions
|
@ -40,51 +40,53 @@ description = 'Backup AWS access key ID'
|
||||||
|
|
||||||
# Postgresql backup
|
# Postgresql backup
|
||||||
|
|
||||||
[secrets."backup/psql/aws_secret_access_key"]
|
[secrets."postgres/backup/aws_access_key_id"]
|
||||||
type = 'user'
|
|
||||||
description = 'Minio secret key'
|
|
||||||
|
|
||||||
[secrets."backup/psql/aws_access_key_id"]
|
|
||||||
type = 'user'
|
type = 'user'
|
||||||
description = 'Minio access key'
|
description = 'Minio access key'
|
||||||
|
|
||||||
[secrets."backup/psql/crypt_public_key"]
|
[secrets."postgres/backup/aws_secret_access_key"]
|
||||||
|
type = 'user'
|
||||||
|
description = 'Minio secret key'
|
||||||
|
|
||||||
|
[secrets."postgres/backup/crypt_public_key"]
|
||||||
type = 'user'
|
type = 'user'
|
||||||
description = 'A public key to encypt backups with age'
|
description = 'A public key to encypt backups with age'
|
||||||
|
|
||||||
[secrets."backup/psql/crypt_private_key"]
|
|
||||||
|
# Plume backup
|
||||||
|
|
||||||
|
[secrets."plume/backup_restic_repository"]
|
||||||
type = 'user'
|
type = 'user'
|
||||||
description = 'a private key to decript backups from age'
|
description = 'Restic repository'
|
||||||
|
example = 's3:https://s3.garage.tld'
|
||||||
|
|
||||||
|
[secrets."plume/backup_restic_password"]
|
||||||
# SSH target config (do we still use this?)
|
|
||||||
|
|
||||||
[secrets."backup/target_ssh_host"]
|
|
||||||
type = 'user'
|
type = 'user'
|
||||||
description = 'Hostname of the backup target host'
|
description = 'Restic password to encrypt backups'
|
||||||
|
|
||||||
[secrets."backup/target_ssh_port"]
|
[secrets."plume/backup_aws_secret_access_key"]
|
||||||
type = 'user'
|
type = 'user'
|
||||||
description = 'SSH port number to connect to the target host'
|
description = 'Backup AWS secret access key'
|
||||||
|
|
||||||
[secrets."backup/target_ssh_dir"]
|
[secrets."plume/backup_aws_access_key_id"]
|
||||||
type = 'user'
|
type = 'user'
|
||||||
description = 'Directory where to store backups on target host'
|
description = 'Backup AWS access key ID'
|
||||||
|
|
||||||
[secrets."backup/target_ssh_user"]
|
|
||||||
|
# Dovecot backup
|
||||||
|
|
||||||
|
[secrets."email/dovecot/backup_restic_password"]
|
||||||
type = 'user'
|
type = 'user'
|
||||||
description = 'SSH username to log in as on the target host'
|
description = 'Restic backup password to encrypt data'
|
||||||
|
|
||||||
[secrets."backup/target_ssh_fingerprint"]
|
[secrets."email/dovecot/backup_aws_secret_access_key"]
|
||||||
type = 'user'
|
type = 'user'
|
||||||
description = 'SSH fingerprint of the target machine (format: copy here the corresponding line from your known_hosts file)'
|
description = 'AWS Secret Access key'
|
||||||
|
|
||||||
[secrets."backup/id_ed25519"]
|
[secrets."email/dovecot/backup_restic_repository"]
|
||||||
type = 'user'
|
type = 'user'
|
||||||
multiline = true
|
description = 'Restic Repository URL, check op_guide/backup-minio to see the format'
|
||||||
description = 'Private ed25519 key of the container doing the backup'
|
|
||||||
|
|
||||||
[secrets."backup/id_ed25519.pub"]
|
[secrets."email/dovecot/backup_aws_access_key_id"]
|
||||||
type = 'user'
|
type = 'user'
|
||||||
description = 'Public ed25519 key of the container doing the backup (this key must be in authorized_keys on the backup target host)'
|
description = 'AWS Acces Key ID'
|
||||||
|
|
||||||
|
|
|
@ -30,22 +30,6 @@ name = 'dovecot'
|
||||||
cert_domains = "['deuxfleurs.fr']"
|
cert_domains = "['deuxfleurs.fr']"
|
||||||
|
|
||||||
|
|
||||||
[secrets."email/dovecot/backup_restic_password"]
|
|
||||||
type = 'user'
|
|
||||||
description = 'Restic backup password to encrypt data'
|
|
||||||
|
|
||||||
[secrets."email/dovecot/backup_aws_secret_access_key"]
|
|
||||||
type = 'user'
|
|
||||||
description = 'AWS Secret Access key'
|
|
||||||
|
|
||||||
[secrets."email/dovecot/backup_restic_repository"]
|
|
||||||
type = 'user'
|
|
||||||
description = 'Restic Repository URL, check op_guide/backup-minio to see the format'
|
|
||||||
|
|
||||||
[secrets."email/dovecot/backup_aws_access_key_id"]
|
|
||||||
type = 'user'
|
|
||||||
description = 'AWS Acces Key ID'
|
|
||||||
|
|
||||||
# ---- SOGO ----
|
# ---- SOGO ----
|
||||||
|
|
||||||
[service_users."sogo"]
|
[service_users."sogo"]
|
||||||
|
|
|
@ -7,8 +7,9 @@ password_secret = 'chat/synapse/ldap_bindpw'
|
||||||
# Postgresql DB
|
# Postgresql DB
|
||||||
|
|
||||||
[secrets."chat/synapse/postgres_db"]
|
[secrets."chat/synapse/postgres_db"]
|
||||||
type = 'constant'
|
type = 'user'
|
||||||
value = 'synapse'
|
description = 'Synapse PostgrSQL database name'
|
||||||
|
example = 'synapse'
|
||||||
|
|
||||||
[secrets."chat/synapse/postgres_user"]
|
[secrets."chat/synapse/postgres_user"]
|
||||||
type = 'service_username'
|
type = 'service_username'
|
||||||
|
@ -56,37 +57,39 @@ rotate = true
|
||||||
command = 'head -c 32 /dev/urandom | base64'
|
command = 'head -c 32 /dev/urandom | base64'
|
||||||
|
|
||||||
|
|
||||||
|
# ===== OLD STUFF, KEPT FOR REFERENCE ====
|
||||||
|
|
||||||
# ----------- COTURN -----------
|
# ----------- COTURN -----------
|
||||||
|
|
||||||
[secrets."chat/coturn/static-auth"]
|
# [secrets."chat/coturn/static-auth"]
|
||||||
type = 'user'
|
# type = 'user'
|
||||||
description = 'coturn static-auth (what is this?)'
|
# description = 'coturn static-auth (what is this?)'
|
||||||
|
#
|
||||||
[secrets."chat/coturn/static_auth_secret_zinzdev"]
|
# [secrets."chat/coturn/static_auth_secret_zinzdev"]
|
||||||
type = 'user'
|
# type = 'user'
|
||||||
description = "Serveur coturn (TURN/STUN) d'Adrien, c'est un jeton d'identification."
|
# description = "Serveur coturn (TURN/STUN) d'Adrien, c'est un jeton d'identification."
|
||||||
|
|
||||||
|
|
||||||
# ----------- EASYBRIDGE (we will remove this one day) -----------
|
# ----------- EASYBRIDGE -----------
|
||||||
|
|
||||||
[service_users."easybridge"]
|
|
||||||
description = 'Easybridge service user'
|
|
||||||
password_secret = 'chat/easybridge/db_pass'
|
|
||||||
username_secret = 'chat/easybridge/db_user'
|
|
||||||
|
|
||||||
|
|
||||||
[secrets."chat/easybridge/as_token"]
|
|
||||||
type = 'command'
|
|
||||||
rotate = true
|
|
||||||
command = 'openssl rand -hex 32'
|
|
||||||
|
|
||||||
[secrets."chat/easybridge/web_session_key"]
|
|
||||||
type = 'command'
|
|
||||||
rotate = true
|
|
||||||
command = 'openssl rand -hex 32'
|
|
||||||
|
|
||||||
[secrets."chat/easybridge/hs_token"]
|
|
||||||
type = 'command'
|
|
||||||
rotate = true
|
|
||||||
command = 'openssl rand -hex 32'
|
|
||||||
|
|
||||||
|
# [service_users."easybridge"]
|
||||||
|
# description = 'Easybridge service user'
|
||||||
|
# password_secret = 'chat/easybridge/db_pass'
|
||||||
|
# username_secret = 'chat/easybridge/db_user'
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# [secrets."chat/easybridge/as_token"]
|
||||||
|
# type = 'command'
|
||||||
|
# rotate = true
|
||||||
|
# command = 'openssl rand -hex 32'
|
||||||
|
#
|
||||||
|
# [secrets."chat/easybridge/web_session_key"]
|
||||||
|
# type = 'command'
|
||||||
|
# rotate = true
|
||||||
|
# command = 'openssl rand -hex 32'
|
||||||
|
#
|
||||||
|
# [secrets."chat/easybridge/hs_token"]
|
||||||
|
# type = 'command'
|
||||||
|
# rotate = true
|
||||||
|
# command = 'openssl rand -hex 32'
|
||||||
|
#
|
||||||
|
|
|
@ -8,22 +8,3 @@ rotate = true
|
||||||
command = 'openssl rand -base64 32'
|
command = 'openssl rand -base64 32'
|
||||||
|
|
||||||
|
|
||||||
# Plume backup
|
|
||||||
|
|
||||||
[secrets."plume/backup_restic_repository"]
|
|
||||||
type = 'user'
|
|
||||||
description = 'Restic repository'
|
|
||||||
example = 's3:https://s3.garage.tld'
|
|
||||||
|
|
||||||
[secrets."plume/backup_restic_password"]
|
|
||||||
type = 'user'
|
|
||||||
description = 'Restic password to encrypt backups'
|
|
||||||
|
|
||||||
[secrets."plume/backup_aws_secret_access_key"]
|
|
||||||
type = 'user'
|
|
||||||
description = 'Backup AWS secret access key'
|
|
||||||
|
|
||||||
[secrets."plume/backup_aws_access_key_id"]
|
|
||||||
type = 'user'
|
|
||||||
description = 'Backup AWS access key ID'
|
|
||||||
|
|
||||||
|
|
|
@ -7,3 +7,13 @@ admin_dn = "cn=admin,dc=deuxfleurs,dc=org"
|
||||||
[user_values]
|
[user_values]
|
||||||
"directory/ldap_base_dn" = "dc=deuxfleurs,dc=fr"
|
"directory/ldap_base_dn" = "dc=deuxfleurs,dc=fr"
|
||||||
"directory/guichet/web_hostname" = "guichet.deuxfleurs.fr"
|
"directory/guichet/web_hostname" = "guichet.deuxfleurs.fr"
|
||||||
|
"directory/guichet/mail_domain" = "deuxfleurs.fr"
|
||||||
|
"directory/guichet/s3_bucket" = "bottin-pictures"
|
||||||
|
"directory/guichet/s3_endpoint" = "garage.deuxfleurs.fr"
|
||||||
|
"directory/guichet/s3_region" = "garage"
|
||||||
|
# TODO: fix smtp server, use deuxfleurs' smtp
|
||||||
|
|
||||||
|
"drone-ci/s3_db_bucket" = "drone-db"
|
||||||
|
"drone-ci/s3_storage_bucket" = "drone-storage"
|
||||||
|
|
||||||
|
"chat/synapse/postgres_db" = "synapse2"
|
||||||
|
|
Loading…
Reference in a new issue