Merge pull request 'updated version of secretmgr' (#5) from new-secretmgr into main

Reviewed-on: Deuxfleurs/nixcfg#5
Alex 2023-01-01 18:47:34 +00:00
commit 3847c08181
151 changed files with 1147 additions and 568 deletions


@ -0,0 +1,92 @@
# Cryptpad backup
[secrets."backup/cryptpad/backup_restic_password"]
type = 'user'
description = 'Restic password to encrypt backups'
[secrets."backup/cryptpad/backup_aws_secret_access_key"]
type = 'user'
description = 'Backup AWS secret access key'
[secrets."backup/cryptpad/backup_restic_repository"]
type = 'user'
description = 'Restic repository'
example = 's3:https://s3.garage.tld'
[secrets."backup/cryptpad/backup_aws_access_key_id"]
type = 'user'
description = 'Backup AWS access key ID'
# Consul backup
[secrets."backup/consul/backup_restic_password"]
type = 'user'
description = 'Restic password to encrypt backups'
[secrets."backup/consul/backup_aws_secret_access_key"]
type = 'user'
description = 'Backup AWS secret access key'
[secrets."backup/consul/backup_restic_repository"]
type = 'user'
description = 'Restic repository'
example = 's3:https://s3.garage.tld'
[secrets."backup/consul/backup_aws_access_key_id"]
type = 'user'
description = 'Backup AWS access key ID'
# Postgresql backup
[secrets."postgres/backup/aws_access_key_id"]
type = 'user'
description = 'Minio access key'
[secrets."postgres/backup/aws_secret_access_key"]
type = 'user'
description = 'Minio secret key'
[secrets."postgres/backup/crypt_public_key"]
type = 'user'
description = 'A public key to encypt backups with age'
# Plume backup
[secrets."plume/backup_restic_repository"]
type = 'user'
description = 'Restic repository'
example = 's3:https://s3.garage.tld'
[secrets."plume/backup_restic_password"]
type = 'user'
description = 'Restic password to encrypt backups'
[secrets."plume/backup_aws_secret_access_key"]
type = 'user'
description = 'Backup AWS secret access key'
[secrets."plume/backup_aws_access_key_id"]
type = 'user'
description = 'Backup AWS access key ID'
# Dovecot backup
[secrets."email/dovecot/backup_restic_password"]
type = 'user'
description = 'Restic backup password to encrypt data'
[secrets."email/dovecot/backup_aws_secret_access_key"]
type = 'user'
description = 'AWS Secret Access key'
[secrets."email/dovecot/backup_restic_repository"]
type = 'user'
description = 'Restic Repository URL, check op_guide/backup-minio to see the format'
[secrets."email/dovecot/backup_aws_access_key_id"]
type = 'user'
description = 'AWS Acces Key ID'
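Review bot: Two description strings that are shown to whoever is prompted for the value carry typos: `description = 'A public key to encypt backups with age'` should read `description = 'A public key to encrypt backups with age'`, and `description = 'AWS Acces Key ID'` should read `description = 'AWS Access Key ID'`. The four Dovecot entries also word their descriptions differently from the otherwise identical Cryptpad/Consul/Plume sets, and the Dovecot repository entry points at an ops-guide page where the other three give `example = 's3:https://s3.garage.tld'`; aligning them lets the file be scanned for the recurring four-secret pattern. Several secrets present in one-line files removed by this PR (the age private key for decrypting Postgres backups, and the SSH-target set: ed25519 key pair, host, port, user, fingerprint, directory) have no counterpart in this file; if the jobs that consumed them were dropped as well that is fine, otherwise whatever still reads them will find nothing after the merge.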


@ -1 +0,0 @@
USER Backup AWS access key ID


@ -1 +0,0 @@
USER Backup AWS secret access key


@ -1 +0,0 @@
USER Restic password to encrypt backups


@ -1 +0,0 @@
USER Restic repository, eg. s3:https://s3.garage.tld


@ -1 +0,0 @@
USER Backup AWS access key ID


@ -1 +0,0 @@
USER Backup AWS secret access key


@ -1 +0,0 @@
USER Restic password to encrypt backups


@ -1 +0,0 @@
USER Restic repository, eg. s3:https://s3.garage.tld


@ -1 +0,0 @@
USER_LONG Private ed25519 key of the container doing the backup


@ -1 +0,0 @@
USER Public ed25519 key of the container doing the backup (this key must be in authorized_keys on the backup target host)


@ -1 +0,0 @@
USER Minio access key


@ -1 +0,0 @@
USER Minio secret key


@ -1 +0,0 @@
USER a private key to decript backups from age


@ -1 +0,0 @@
USER A public key to encypt backups with age


@ -1 +0,0 @@
USER Directory where to store backups on target host


@ -1 +0,0 @@
USER SSH fingerprint of the target machine (format: copy here the corresponding line from your known_hosts file)


@ -1 +0,0 @@
USER Hostname of the backup target host


@ -1 +0,0 @@
USER SSH port number to connect to the target host


@ -1 +0,0 @@
USER SSH username to log in as on the target host


@ -0,0 +1,5 @@
[secrets."directory/ldap_base_dn"]
type = 'user'
description = 'LDAP base DN for everything'
example = 'dc=example,dc=com'


@ -1 +0,0 @@
USER LDAP base DN for everything (e.g. dc=example,dc=com)


@ -0,0 +1,48 @@
# Drone's secrets
[secrets."drone-ci/rpc_secret"]
type = 'command'
command = 'openssl rand -hex 16'
# don't rotate, it would break all runners
[secrets."drone-ci/cookie_secret"]
type = 'command'
rotate = true
command = 'openssl rand -hex 16'
[secrets."drone-ci/db_enc_secret"]
type = 'command'
command = 'openssl rand -hex 16'
# don't rotate, it is used to encrypt data which we would lose if we change this
# Oauth config for gitea
[secrets."drone-ci/oauth_client_secret"]
type = 'user'
description = 'OAuth client secret (for gitea)'
[secrets."drone-ci/oauth_client_id"]
type = 'user'
description = 'OAuth client ID (on Gitea)'
# S3 config for Git LFS storage
[secrets."drone-ci/s3_db_bucket"]
type = 'constant'
value = 'drone-db'
[secrets."drone-ci/s3_sk"]
type = 'user'
description = 'S3 (garage) secret key for Drone'
[secrets."drone-ci/s3_ak"]
type = 'user'
description = 'S3 (garage) access key for Drone'
[secrets."drone-ci/s3_storage_bucket"]
type = 'constant'
value = 'drone-storage'
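Review bot: The comments explaining why `rpc_secret` and `db_enc_secret` are deliberately not rotated sit after the last key of the table they describe (`# don't rotate, it would break all runners` under the `command` line), so a reader scanning headers sees them attached to nothing in particular, and the file's own TOML convention would put them above the header. Moving each to the line preceding `[secrets."drone-ci/rpc_secret"]` and `[secrets."drone-ci/db_enc_secret"]` makes the absence of `rotate = true` read as a decision rather than an omission; the Garage `rpc_secret` declaration later in this PR has the same layout. If the loader accepts an explicit `rotate = false`, writing it next to the comment would make the intent machine-visible as well, but I cannot tell from this diff whether an absent key and an explicit false are treated the same way.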


@ -1 +0,0 @@
CMD openssl rand -hex 16


@ -1 +0,0 @@
CMD_ONCE openssl rand -hex 16


@ -1 +0,0 @@
USER OAuth client ID (on Gitea)


@ -1 +0,0 @@
USER OAuth client secret (for gitea)


@ -1 +0,0 @@
CMD openssl rand -hex 16


@ -1 +0,0 @@
USER S3 (garage) access key for Drone


@ -1 +0,0 @@
CONST drone-db


@ -1 +0,0 @@
USER S3 (garage) secret key for Drone


@ -1 +0,0 @@
CONST drone-storage


@ -1,13 +0,0 @@
#!/bin/bash
TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=imap.deuxfleurs.fr"
openssl req \
-new \
-newkey rsa:4096 \
-days 3650 \
-nodes \
-x509 \
-subj ${TLSINFO} \
-keyout dovecot.key \
-out dovecot.crt


@ -1,13 +0,0 @@
#!/bin/bash
TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr"
openssl req \
-new \
-newkey rsa:4096 \
-days 3650 \
-nodes \
-x509 \
-subj ${TLSINFO} \
-keyout postfix.key \
-out postfix.crt


@ -150,13 +150,11 @@ job "email" {
# ----- secrets ------
template {
# data = "{{ key \"secrets/email/dovecot/dovecot.crt\" }}"
data = "{{ with $d := key \"tricot/certs/imap.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"
destination = "secrets/ssl/certs/dovecot.crt"
perms = "400"
}
template {
# data = "{{ key \"secrets/email/dovecot/dovecot.key\" }}"
data = "{{ with $d := key \"tricot/certs/imap.deuxfleurs.fr\" | parseJSON }}{{ $d.key_pem }}{{ end }}"
destination = "secrets/ssl/private/dovecot.key"
perms = "400"
@ -381,14 +379,12 @@ job "email" {
# --- secrets ---
template {
# data = "{{ key \"secrets/email/postfix/postfix.crt\" }}"
data = "{{ with $d := key \"tricot/certs/smtp.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"
destination = "secrets/ssl/postfix.crt"
perms = "400"
}
template {
# data = "{{ key \"secrets/email/postfix/postfix.key\" }}"
data = "{{ with $d := key \"tricot/certs/smtp.deuxfleurs.fr\" | parseJSON }}{{ $d.key_pem }}{{ end }}"
destination = "secrets/ssl/postfix.key"
perms = "400"
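Review bot: The commented-out lines such as `# data = "{{ key \"secrets/email/dovecot/dovecot.crt\" }}"`, if they are on the new side of these hunks, keep references to `secrets/email/...` Consul keys that this same PR stops declaring (the SSL_CERT/SSL_KEY one-liners for dovecot and postfix are deleted), so they can only mislead a later reader; git history already records where the certificates used to come from, and dropping them leaves one `data` line per template. The hunk counts (13 to 11 and 14 to 12) show two lines leaving each hunk, and the rendered view does not say which side the comments are on, so take this as a question. The move to `tricot/certs/...` with `parseJSON` and `perms = "400"` on the private-key destinations looks right. The enclosing `job "email"` block starts and ends outside both hunks.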


@ -0,0 +1,23 @@
# ---- POSTFIX ----
[secrets."email/dkim/smtp.private"]
type = 'RSA_PRIVATE_KEY'
name = 'dkim'
# ---- DOVECOT ----
[service_users."dovecot"]
dn_secret = "email/dovecot/ldap_binddn"
password_secret = "email/dovecot/ldap_bindpwd"
# ---- SOGO ----
[service_users."sogo"]
dn_secret = "email/sogo/ldap_binddn"
password_secret = "email/sogo/ldap_bindpw"
[secrets."email/sogo/postgre_auth"]
type = 'user'
description = 'SoGo postgres auth (format: sogo:<password>) (TODO: replace this with two separate files and change template)'
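Review bot: The two LDAP bind-password secrets are spelled differently, `password_secret = "email/dovecot/ldap_bindpwd"` versus `password_secret = "email/sogo/ldap_bindpw"` (the Matrix file in this PR uses `chat/synapse/ldap_bindpw`), and whichever templates read these paths must match the spelling exactly; unless the Dovecot one is pinned by an existing Consul key, `ldap_bindpw` throughout removes the trap. The `email/sogo/postgre_auth` entry keeps a username and a password in one value, which its TODO already flags; the Matrix file shows the replacement pattern, `type = 'service_username'` / `type = 'service_password'` with `service = 'sogo'`, which would also let the password rotate without editing the template text. Quoting is mixed as well: the `service_users` values use double quotes while every `secrets` table in the PR uses single quotes.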


@ -1 +0,0 @@
RSA_PRIVATE_KEY dkim


@ -1 +0,0 @@
USER AWS Acces Key ID


@ -1 +0,0 @@
USER AWS Secret Access key


@ -1 +0,0 @@
USER Restic backup password to encrypt data


@ -1 +0,0 @@
USER Restic Repository URL, check op_guide/backup-minio to see the format


@ -1 +0,0 @@
SSL_CERT dovecot deuxfleurs.fr


@ -1 +0,0 @@
SSL_KEY dovecot


@ -1 +0,0 @@
SERVICE_DN dovecot Dovecot IMAP server


@ -1 +0,0 @@
SERVICE_PASSWORD dovecot


@ -1 +0,0 @@
SSL_CERT postfix deuxfleurs.fr


@ -1 +0,0 @@
SSL_KEY postfix


@ -1 +0,0 @@
SERVICE_DN sogo SoGo email frontend


@ -1 +0,0 @@
SERVICE_PASSWORD sogo


@ -1 +0,0 @@
USER SoGo postgres auth (format: sogo:<password>) (TODO: replace this with two separate files and change template)


@ -0,0 +1,14 @@
[secrets."garage/rpc_secret"]
type = 'command'
command = 'openssl rand -hex 32'
# can't auto-rotate, because we still have some nodes outside of Nomad
[secrets."garage/admin_token"]
type = 'command'
command = 'openssl rand -hex 32'
rotate = true
[secrets."garage/metrics_token"]
type = 'command'
command = 'openssl rand -hex 32'
rotate = true


@ -1 +0,0 @@
CMD_ONCE openssl rand -hex 32


@ -1 +0,0 @@
CMD_ONCE openssl rand -hex 32


@ -1 +0,0 @@
CMD_ONCE openssl rand -hex 32


@ -0,0 +1,51 @@
# General configuration
[secrets."directory/guichet/web_hostname"]
type = 'user'
description = 'Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com)'
# Mailing configuration
[secrets."directory/guichet/smtp_user"]
type = 'user'
description = 'SMTP username'
[secrets."directory/guichet/smtp_pass"]
type = 'user'
description = 'SMTP password'
[secrets."directory/guichet/smtp_server"]
type = 'user'
description = 'SMTP server address (hostname:port)'
[secrets."directory/guichet/mail_from"]
type = 'user'
description = 'E-mail address from which to send welcome emails to new users'
[secrets."directory/guichet/mail_domain"]
type = 'user'
description = 'E-mail domain for new users (e.g. example.com)'
# S3 configuration
[secrets."directory/guichet/s3_endpoint"]
type = 'user'
description = 'S3 endpoint URL'
[secrets."directory/guichet/s3_bucket"]
type = 'user'
description = 'S3 bucket in which to store data files (such as profile pictures)'
[secrets."directory/guichet/s3_region"]
type = 'user'
description = 'S3 region'
[secrets."directory/guichet/s3_access_key"]
type = 'user'
description = 'Garage access key for Guichet profile pictures'
[secrets."directory/guichet/s3_secret_key"]
type = 'user'
description = 'Garage secret key for Guichet profile pictures'
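Review bot: Examples are embedded in the description text, `description = 'Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com)'` and `description = 'E-mail domain for new users (e.g. example.com)'`, while the format used elsewhere in this PR has a dedicated key (`example = 'dc=example,dc=com'`); writing `example = 'guichet.example.com'` and `example = 'example.com'` keeps the descriptions short and lets the tool present examples uniformly. Most entries here (hostname, SMTP server, mail domain, S3 endpoint/bucket/region) are configuration rather than credentials; declaring them as `type = 'user'` is harmless, but placing the actual secrets (`smtp_pass`, `s3_access_key`, `s3_secret_key`) under their own comment would make it obvious which values need protecting when the store is audited.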


@ -1 +0,0 @@
USER E-mail domain for new users (e.g. example.com)


@ -1 +0,0 @@
USER E-mail address from which to send welcome emails to new users


@ -1 +0,0 @@
USER Garage access key for Guichet profile pictures


@ -1 +0,0 @@
USER S3 bucket in which to store data files (such as profile pictures)


@ -1 +0,0 @@
USER S3 endpoint URL


@ -1 +0,0 @@
USER S3 region


@ -1 +0,0 @@
USER Garage secret key for Guichet profile pictures


@ -1 +0,0 @@
USER SMTP password


@ -1 +0,0 @@
USER SMTP server address (hostname:port)


@ -1 +0,0 @@
USER SMTP username


@ -1 +0,0 @@
USER Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com)


@ -0,0 +1,36 @@
# Jitsi secrets
[secrets."jitsi/jvb_pass"]
type = 'command'
rotate = true
command = 'openssl rand -base64 24'
[secrets."jitsi/jicofo_pass"]
type = 'command'
rotate = true
command = 'openssl rand -base64 24'
# SSL: Jitsi
[secrets."jitsi/jitsi.crt"]
type = 'SSL_CERT'
name = 'jitsi'
cert_domains = "['jitsi']"
[secrets."jitsi/jitsi.key"]
type = 'SSL_KEY'
name = 'jitsi'
# SSL: Jitsi auth
[secrets."jitsi/auth.jitsi.crt"]
type = 'SSL_CERT'
name = 'jitsi_auth'
cert_domains = "['auth.jitsi']"
[secrets."jitsi/auth.jitsi.key"]
type = 'SSL_KEY'
name = 'jitsi_auth'
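Review bot: `cert_domains = "['jitsi']"` and `cert_domains = "['auth.jitsi']"` are strings holding a list literal rather than TOML arrays, so the consumer must re-parse the text and a second domain cannot be added without knowing that inner syntax; if the loader accepts a native array, `cert_domains = ['jitsi']` and `cert_domains = ['auth.jitsi']` are the idiomatic form. If the loader really does expect the quoted form, a one-line comment above the first `SSL_CERT` entry saying so would stop the next editor from "fixing" it. I cannot see the loader from this diff, and the removed one-liners gave the domain as a bare word (`SSL_CERT jitsi_auth auth.jitsi`), which does not settle the question.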


@ -1 +0,0 @@
SSL_CERT jitsi_auth auth.jitsi


@ -1 +0,0 @@
SSL_KEY jitsi_auth auth.jitsi


@ -1 +0,0 @@
CMD openssl rand -base64 24


@ -1 +0,0 @@
SSL_CERT jitsi jitsi


@ -1 +0,0 @@
SSL_KEY jitsi jitsi


@ -1 +0,0 @@
CMD openssl rand -base64 24


@ -1,22 +1,6 @@
# vim:ft=yaml
server_name: "deuxfleurs.fr"
# PEM encoded X509 certificate for TLS.
# You can replace the self-signed certificate that synapse
# autogenerates on launch with your own SSL certificate + key pair
# if you like. Any required intermediary certificates can be
# appended after the primary certificate in hierarchical order.
tls_certificate_path: "/etc/matrix-synapse/homeserver.tls.crt"
# PEM encoded private key for TLS
tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key"
# PEM dh parameters for ephemeral keys
tls_dh_params_path: "/etc/matrix-synapse/homeserver.tls.dh"
# Don't bind to the https port
no_tls: True
## Server ##


@ -54,21 +54,6 @@ job "matrix" {
}
# --- secrets ---
template {
data = "{{ key \"secrets/chat/synapse/homeserver.tls.crt\" }}"
destination = "secrets/conf/homeserver.tls.crt"
}
template {
data = "{{ key \"secrets/chat/synapse/homeserver.tls.dh\" }}"
destination = "secrets/conf/homeserver.tls.dh"
}
template {
data = "{{ key \"secrets/chat/synapse/homeserver.tls.key\" }}"
destination = "secrets/conf/homeserver.tls.key"
}
template {
data = "{{ key \"secrets/chat/synapse/homeserver.signing.key\" }}"
destination = "secrets/conf/homeserver.signing.key"


@ -0,0 +1,81 @@
[service_users."matrix"]
description = 'Matrix service user'
dn_secret = 'chat/synapse/ldap_binddn'
password_secret = 'chat/synapse/ldap_bindpw'
# Postgresql DB
[secrets."chat/synapse/postgres_db"]
type = 'user'
description = 'Synapse PostgrSQL database name'
example = 'synapse'
[secrets."chat/synapse/postgres_user"]
type = 'service_username'
service = 'matrix'
[secrets."chat/synapse/postgres_pwd"]
type = 'service_password'
service = 'matrix'
# S3 access
[secrets."chat/synapse/s3_access_key"]
type = 'user'
description = 'S3 access key ID for Matrix bucket'
[secrets."chat/synapse/s3_secret_key"]
type = 'user'
description = 'S3 secret access key for Matrix bucket'
# Keys & stuff
[secrets."chat/synapse/homeserver.signing.key"]
type = 'user'
description = 'Synapse homeserver ed25519 signing key'
[secrets."chat/synapse/registration_shared_secret"]
type = 'command'
rotate = true
command = 'head -c 32 /dev/urandom | base64'
# ===== OLD STUFF, KEPT FOR REFERENCE ====
# ----------- COTURN -----------
# [secrets."chat/coturn/static-auth"]
# type = 'user'
# description = 'coturn static-auth (what is this?)'
#
# [secrets."chat/coturn/static_auth_secret_zinzdev"]
# type = 'user'
# description = "Serveur coturn (TURN/STUN) d'Adrien, c'est un jeton d'identification."
# ----------- EASYBRIDGE -----------
# [service_users."easybridge"]
# description = 'Easybridge service user'
# password_secret = 'chat/easybridge/db_pass'
# username_secret = 'chat/easybridge/db_user'
#
#
# [secrets."chat/easybridge/as_token"]
# type = 'command'
# rotate = true
# command = 'openssl rand -hex 32'
#
# [secrets."chat/easybridge/web_session_key"]
# type = 'command'
# rotate = true
# command = 'openssl rand -hex 32'
#
# [secrets."chat/easybridge/hs_token"]
# type = 'command'
# rotate = true
# command = 'openssl rand -hex 32'
#
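Review bot: Typo in a user-facing prompt: `description = 'Synapse PostgrSQL database name'` should read `description = 'Synapse PostgreSQL database name'`. The thirty-line `# ===== OLD STUFF, KEPT FOR REFERENCE ====` block is dead configuration that git history already preserves, and its easybridge part uses `username_secret` where the live `service_users` tables in this PR use `dn_secret`, so it would not work as-is if uncommented; either drop it or say in its header comment which parts are expected to return and what must change first. `[service_users."matrix"]` carries a `description` key that the Dovecot and SoGo service users in this PR omit, which is fine if the key is optional but worth making consistent one way or the other.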


@ -1 +0,0 @@
USER coturn static-auth (what is this?)


@ -1 +0,0 @@
USER Serveur coturn (TURN/STUN) d'Adrien, c'est un jeton d'identification.


@ -1 +0,0 @@
CMD openssl rand -hex 32


@ -1 +0,0 @@
SERVICE_PASSWORD easybridge


@ -1 +0,0 @@
CONST easybridge


@ -1 +0,0 @@
CMD openssl rand -hex 32


@ -1,2 +0,0 @@
CMD openssl rand -hex 32


@ -1 +0,0 @@
CMD openssl rand -hex 32


@ -1 +0,0 @@
USER fb2mx database URL, format: postgres://username:password@hostname/dbname


@ -1 +0,0 @@
CMD openssl rand -hex 32


@ -1 +0,0 @@
USER Synapse homeserver ed25519 signing key


@ -1 +0,0 @@
SSL_CERT synapse im.deuxfleurs.fr


@ -1 +0,0 @@
USER_LONG DH parameters for matrix ssl key? how does this work?


@ -1 +0,0 @@
SSL_KEY synapse im.deuxfleurs.fr


@ -1 +0,0 @@
SERVICE_DN matrix Matrix chat server


@ -1 +0,0 @@
SERVICE_PASSWORD matrix


@ -1 +0,0 @@
CONST synapse


@ -1 +0,0 @@
SERVICE_PASSWORD matrix


@ -1 +0,0 @@
CONST matrix


@ -1 +0,0 @@
CMD head -c 32 /dev/urandom | base64


@ -1 +0,0 @@
USER matrix


@ -1 +0,0 @@
USER matrix


@ -0,0 +1,10 @@
[service_user."plume"]
password_secret = "plume/pgsql_pw"
[secrets."plume/secret_key"]
type = 'command'
rotate = true
command = 'openssl rand -base64 32'
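Review bot: `[service_user."plume"]` is singular while every other file in this PR declares `[service_users."…"]` (Dovecot, SoGo, Matrix); if the loader walks `service_users`, the Plume entry is silently skipped and `plume/pgsql_pw` never receives a password. The table also lacks the `dn_secret` the other service users carry, which is fine only if Plume authenticates without a bind DN. The one-line fix is `[service_users."plume"]`, and the value could follow the single-quote style of the other files, `password_secret = 'plume/pgsql_pw'`.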


@ -1 +0,0 @@
USER Backup AWS access key ID
