forked from Deuxfleurs/infrastructure
Document secrets and add stub utility to manage them
This commit is contained in:
parent
c74dc92feb
commit
d4d0b100ad
79 changed files with 81 additions and 12 deletions
11
app/.gitignore
vendored
11
app/.gitignore
vendored
|
@ -1,11 +0,0 @@
|
|||
# Blacklist everything cleverly
|
||||
*/secrets/*
|
||||
!*/secrets/*/
|
||||
|
||||
# Whitelist some patterns
|
||||
!*.sample
|
||||
!*.gen
|
||||
!*.sh
|
||||
!.gitignore
|
||||
|
||||
# Whitelist specific files
|
1
app/email/secrets/email/dkim/smtp.private
Normal file
1
app/email/secrets/email/dkim/smtp.private
Normal file
|
@ -0,0 +1 @@
|
|||
RSA_PRIVATE_KEY dkim
|
1
app/email/secrets/email/dovecot/dovecot.crt
Normal file
1
app/email/secrets/email/dovecot/dovecot.crt
Normal file
|
@ -0,0 +1 @@
|
|||
SSL_CERT dovecot deuxfleurs.fr
|
1
app/email/secrets/email/dovecot/dovecot.key
Normal file
1
app/email/secrets/email/dovecot/dovecot.key
Normal file
|
@ -0,0 +1 @@
|
|||
SSL_KEY dovecot
|
1
app/email/secrets/email/dovecot/ldap_binddn
Normal file
1
app/email/secrets/email/dovecot/ldap_binddn
Normal file
|
@ -0,0 +1 @@
|
|||
SERVICE_DN dovecot Dovecot IMAP server
|
1
app/email/secrets/email/dovecot/ldap_bindpwd
Normal file
1
app/email/secrets/email/dovecot/ldap_bindpwd
Normal file
|
@ -0,0 +1 @@
|
|||
SERVICE_PASSWORD dovecot
|
1
app/email/secrets/email/postfix/postfix.crt
Normal file
1
app/email/secrets/email/postfix/postfix.crt
Normal file
|
@ -0,0 +1 @@
|
|||
SSL_CERT postfix deuxfleurs.fr
|
1
app/email/secrets/email/postfix/postfix.key
Normal file
1
app/email/secrets/email/postfix/postfix.key
Normal file
|
@ -0,0 +1 @@
|
|||
SSL_KEY postfix
|
1
app/email/secrets/email/sogo/ldap_binddn
Normal file
1
app/email/secrets/email/sogo/ldap_binddn
Normal file
|
@ -0,0 +1 @@
|
|||
SERVICE_DN sogo SoGo email frontend
|
1
app/email/secrets/email/sogo/ldap_bindpw
Normal file
1
app/email/secrets/email/sogo/ldap_bindpw
Normal file
|
@ -0,0 +1 @@
|
|||
SERVICE_PASSWORD sogo
|
1
app/email/secrets/email/sogo/postgre_auth
Normal file
1
app/email/secrets/email/sogo/postgre_auth
Normal file
|
@ -0,0 +1 @@
|
|||
USER SoGo postgres auth (format: sogo:<password>) (TODO: replace this with two separate files and change template)
|
1
app/im/secrets/chat/coturn/static-auth
Normal file
1
app/im/secrets/chat/coturn/static-auth
Normal file
|
@ -0,0 +1 @@
|
|||
USER cotorn static-auth (what is this?)
|
1
app/im/secrets/chat/fb2mx/as_token
Normal file
1
app/im/secrets/chat/fb2mx/as_token
Normal file
|
@ -0,0 +1 @@
|
|||
USER fb2mx API server token
|
1
app/im/secrets/chat/fb2mx/db_url
Normal file
1
app/im/secrets/chat/fb2mx/db_url
Normal file
|
@ -0,0 +1 @@
|
|||
USER fb2mx database URL, format: postgres://username:password@hostname/dbname
|
|
@ -1 +0,0 @@
|
|||
postgres://username:password@hostname/dbname
|
1
app/im/secrets/chat/fb2mx/hs_token
Normal file
1
app/im/secrets/chat/fb2mx/hs_token
Normal file
|
@ -0,0 +1 @@
|
|||
USER fb2mx homeserver token
|
1
app/im/secrets/chat/synapse/homeserver.tls.crt
Normal file
1
app/im/secrets/chat/synapse/homeserver.tls.crt
Normal file
|
@ -0,0 +1 @@
|
|||
SSL_CERT synapse im.deuxfleurs.fr
|
1
app/im/secrets/chat/synapse/homeserver.tls.dh
Normal file
1
app/im/secrets/chat/synapse/homeserver.tls.dh
Normal file
|
@ -0,0 +1 @@
|
|||
USER_LONG DH parameters for matrix ssl key? how does this work?
|
1
app/im/secrets/chat/synapse/homeserver.tls.key
Normal file
1
app/im/secrets/chat/synapse/homeserver.tls.key
Normal file
|
@ -0,0 +1 @@
|
|||
SSL_KEY synapse im.deuxfleurs.fr
|
1
app/im/secrets/chat/synapse/ldap_binddn
Normal file
1
app/im/secrets/chat/synapse/ldap_binddn
Normal file
|
@ -0,0 +1 @@
|
|||
SERVICE_DN matrix Matrix chat server
|
1
app/im/secrets/chat/synapse/ldap_bindpw
Normal file
1
app/im/secrets/chat/synapse/ldap_bindpw
Normal file
|
@ -0,0 +1 @@
|
|||
SERVICE_PASSWORD matrix
|
1
app/im/secrets/chat/synapse/postgres_db
Normal file
1
app/im/secrets/chat/synapse/postgres_db
Normal file
|
@ -0,0 +1 @@
|
|||
CONST synapse
|
1
app/im/secrets/chat/synapse/postgres_pwd
Normal file
1
app/im/secrets/chat/synapse/postgres_pwd
Normal file
|
@ -0,0 +1 @@
|
|||
SERVICE_PASSWORD matrix
|
1
app/im/secrets/chat/synapse/postgres_user
Normal file
1
app/im/secrets/chat/synapse/postgres_user
Normal file
|
@ -0,0 +1 @@
|
|||
CONST matrix
|
1
app/im/secrets/chat/synapse/registration_shared_secret
Normal file
1
app/im/secrets/chat/synapse/registration_shared_secret
Normal file
|
@ -0,0 +1 @@
|
|||
USER Shared secret for homeserver registrations (?)
|
1
app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt
Normal file
1
app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt
Normal file
|
@ -0,0 +1 @@
|
|||
SSL_CERT jitsi_auth autj.jitsi.deuxfleurs.fr
|
1
app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key
Normal file
1
app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key
Normal file
|
@ -0,0 +1 @@
|
|||
SSL_KEY jitsi_auth autj.jitsi.deuxfleurs.fr
|
1
app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt
Normal file
1
app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt
Normal file
|
@ -0,0 +1 @@
|
|||
SSL_CERT jitsi jitsi.deuxfleurs.fr
|
1
app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key
Normal file
1
app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key
Normal file
|
@ -0,0 +1 @@
|
|||
SSL_KEY jitsi
|
1
app/platoo/secrets/platoo/bddpw
Normal file
1
app/platoo/secrets/platoo/bddpw
Normal file
|
@ -0,0 +1 @@
|
|||
SERVICE_PASSWORD platoo
|
1
app/postgres/secrets/postgres/keeper/pg_repl_pwd
Normal file
1
app/postgres/secrets/postgres/keeper/pg_repl_pwd
Normal file
|
@ -0,0 +1 @@
|
|||
SERVICE_PASSWORD replicator
|
1
app/postgres/secrets/postgres/keeper/pg_repl_username
Normal file
1
app/postgres/secrets/postgres/keeper/pg_repl_username
Normal file
|
@ -0,0 +1 @@
|
|||
CONST replicator
|
1
app/postgres/secrets/postgres/keeper/pg_su_pwd
Normal file
1
app/postgres/secrets/postgres/keeper/pg_su_pwd
Normal file
|
@ -0,0 +1 @@
|
|||
SERVICE_PASSWORD postgres
|
1
app/seafile/secrets/mariadb/main/ldap_binddn
Normal file
1
app/seafile/secrets/mariadb/main/ldap_binddn
Normal file
|
@ -0,0 +1 @@
|
|||
SERVICE_DN mysql MySQL/MariaDB database
|
1
app/seafile/secrets/mariadb/main/ldap_bindpwd
Normal file
1
app/seafile/secrets/mariadb/main/ldap_bindpwd
Normal file
|
@ -0,0 +1 @@
|
|||
SERVICE_PASSWORD mysql
|
1
app/seafile/secrets/mariadb/main/mysql_pwd
Normal file
1
app/seafile/secrets/mariadb/main/mysql_pwd
Normal file
|
@ -0,0 +1 @@
|
|||
USER mysql_pwd (what is this?)
|
1
app/seafile/secrets/seafile/conf/mykey.peer
Normal file
1
app/seafile/secrets/seafile/conf/mykey.peer
Normal file
|
@ -0,0 +1 @@
|
|||
USER Seafile peer key
|
44
app/secrets.py
Normal file
44
app/secrets.py
Normal file
|
@ -0,0 +1,44 @@
|
|||
#!/usr/bin/env python3
|
||||
|
||||
"""
|
||||
TODO: this will be a utility to handle secrets in the Consul database
|
||||
for the various components of the Deuxfleurs infrastructure
|
||||
|
||||
Functionnalities:
|
||||
- check that secrets are correctly configured
|
||||
- help user fill in secrets
|
||||
- create LDAP service users and fill in corresponding secrets
|
||||
- maybe one day: manage SSL certificates and keys
|
||||
|
||||
It uses files placed in <module_name>/secrets/* to know what secrets
|
||||
it should handle. These secret files contain directives for what to do
|
||||
about these secrets.
|
||||
|
||||
Example directives:
|
||||
|
||||
USER <description>
|
||||
(a secret that must be filled in by the user)
|
||||
|
||||
USER_LONG <description>
|
||||
(the same, indicates that the secret fits on several lines)
|
||||
|
||||
CONST <constant value>
|
||||
(the secret has a constant value set here)
|
||||
|
||||
CONST_LONG
|
||||
<constant value, several lines>
|
||||
(same)
|
||||
|
||||
SERVICE_DN <service name> <service description>
|
||||
(the LDAP DN of a service user)
|
||||
|
||||
SERVICE_PASSWORD <service name>
|
||||
(the LDAP password for the corresponding service user)
|
||||
|
||||
SSL_CERT <cert name> <list of domains>
|
||||
(a SSL domain for the given domains)
|
||||
|
||||
SSL_KEY <cert name>
|
||||
(the SSL key going with corresponding certificate)
|
||||
"""
|
||||
|
1
app/web_static/secrets/web/home_token
Normal file
1
app/web_static/secrets/web/home_token
Normal file
|
@ -0,0 +1 @@
|
|||
USER web home_token (what is this?)
|
1
app/web_static/secrets/web/quentin.dufour.io_token
Normal file
1
app/web_static/secrets/web/quentin.dufour.io_token
Normal file
|
@ -0,0 +1 @@
|
|||
USER web quentin.dufour.io token (what is this?)
|
Loading…
Reference in a new issue