Migrate prod cluster secrets to new format

This commit is contained in:
Alex 2022-12-25 22:31:18 +01:00
parent 6d6e48c8fa
commit 87bb031ed0
No known key found for this signature in database
GPG key ID: 09EC5284AA804D3C
110 changed files with 457 additions and 99 deletions


@ -0,0 +1,90 @@
# Cryptpad backup
[secrets."backup/cryptpad/backup_restic_password"]
type = 'user'
description = 'Restic password to encrypt backups'
[secrets."backup/cryptpad/backup_aws_secret_access_key"]
type = 'user'
description = 'Backup AWS secret access key'
[secrets."backup/cryptpad/backup_restic_repository"]
type = 'user'
description = 'Restic repository'
example = 's3:https://s3.garage.tld'
[secrets."backup/cryptpad/backup_aws_access_key_id"]
type = 'user'
description = 'Backup AWS access key ID'
# Consul backup
[secrets."backup/consul/backup_restic_password"]
type = 'user'
description = 'Restic password to encrypt backups'
[secrets."backup/consul/backup_aws_secret_access_key"]
type = 'user'
description = 'Backup AWS secret access key'
[secrets."backup/consul/backup_restic_repository"]
type = 'user'
description = 'Restic repository'
example = 's3:https://s3.garage.tld'
[secrets."backup/consul/backup_aws_access_key_id"]
type = 'user'
description = 'Backup AWS access key ID'
# Postgresql backup
[secrets."backup/psql/aws_secret_access_key"]
type = 'user'
description = 'Minio secret key'
[secrets."backup/psql/aws_access_key_id"]
type = 'user'
description = 'Minio access key'
[secrets."backup/psql/crypt_public_key"]
type = 'user'
description = 'A public key to encypt backups with age'
[secrets."backup/psql/crypt_private_key"]
type = 'user'
description = 'a private key to decript backups from age'
# SSH target config (do we still use this?)
[secrets."backup/target_ssh_host"]
type = 'user'
description = 'Hostname of the backup target host'
[secrets."backup/target_ssh_port"]
type = 'user'
description = 'SSH port number to connect to the target host'
[secrets."backup/target_ssh_dir"]
type = 'user'
description = 'Directory where to store backups on target host'
[secrets."backup/target_ssh_user"]
type = 'user'
description = 'SSH username to log in as on the target host'
[secrets."backup/target_ssh_fingerprint"]
type = 'user'
description = 'SSH fingerprint of the target machine (format: copy here the corresponding line from your known_hosts file)'
[secrets."backup/id_ed25519"]
type = 'user'
multiline = true
description = 'Private ed25519 key of the container doing the backup'
[secrets."backup/id_ed25519.pub"]
type = 'user'
description = 'Public ed25519 key of the container doing the backup (this key must be in authorized_keys on the backup target host)'
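Review bot: The descriptions of `backup/psql/crypt_public_key` and `backup/psql/crypt_private_key` carry the typos from the old files, `encypt` and `decript`; the migration is the moment to fix them to `encrypt` and `decrypt` and to capitalise both the same way as the sibling entries. The block under `# SSH target config (do we still use this?)` keeps a private key (`backup/id_ed25519`) plus host, port, user and fingerprint for a target whose use the comment itself doubts; settle that question before carrying it into the new format, and if it is still used, name the consuming job in the comment instead of the question. The psql entries are also named `aws_*` while the cryptpad and consul entries here (and plume later in this commit) use `backup_aws_*`, which is worth either aligning or noting as deliberate.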


@ -1 +0,0 @@
USER Backup AWS access key ID


@ -1 +0,0 @@
USER Backup AWS secret access key


@ -1 +0,0 @@
USER Restic password to encrypt backups


@ -1 +0,0 @@
USER Restic repository, eg. s3:https://s3.garage.tld


@ -1 +0,0 @@
USER Backup AWS access key ID


@ -1 +0,0 @@
USER Backup AWS secret access key


@ -1 +0,0 @@
USER Restic password to encrypt backups


@ -1 +0,0 @@
USER Restic repository, eg. s3:https://s3.garage.tld


@ -1 +0,0 @@
USER_LONG Private ed25519 key of the container doing the backup


@ -1 +0,0 @@
USER Public ed25519 key of the container doing the backup (this key must be in authorized_keys on the backup target host)


@ -1 +0,0 @@
USER Minio access key


@ -1 +0,0 @@
USER Minio secret key


@ -1 +0,0 @@
USER a private key to decript backups from age


@ -1 +0,0 @@
USER A public key to encypt backups with age


@ -1 +0,0 @@
USER Directory where to store backups on target host


@ -1 +0,0 @@
USER SSH fingerprint of the target machine (format: copy here the corresponding line from your known_hosts file)


@ -1 +0,0 @@
USER Hostname of the backup target host


@ -1 +0,0 @@
USER SSH port number to connect to the target host


@ -1 +0,0 @@
USER SSH username to log in as on the target host


@ -0,0 +1,5 @@
[secrets."directory/ldap_base_dn"]
type = 'user'
description = 'LDAP base DN for everything'
example = 'dc=example,dc=com'


@ -1 +0,0 @@
USER LDAP base DN for everything (e.g. dc=example,dc=com)


@ -0,0 +1,47 @@
# Drone's secrets
[secrets."drone-ci/rpc_secret"]
type = 'command'
rotate = true
command = 'openssl rand -hex 16'
[secrets."drone-ci/cookie_secret"]
type = 'command'
rotate = true
command = 'openssl rand -hex 16'
[secrets."drone-ci/db_enc_secret"]
type = 'command'
command = 'openssl rand -hex 16'
# Oauth config for gitea
[secrets."drone-ci/oauth_client_secret"]
type = 'user'
description = 'OAuth client secret (for gitea)'
[secrets."drone-ci/oauth_client_id"]
type = 'user'
description = 'OAuth client ID (on Gitea)'
# S3 config for Git LFS storage
[secrets."drone-ci/s3_db_bucket"]
type = 'constant'
value = 'drone-db'
[secrets."drone-ci/s3_sk"]
type = 'user'
description = 'S3 (garage) secret key for Drone'
[secrets."drone-ci/s3_ak"]
type = 'user'
description = 'S3 (garage) access key for Drone'
[secrets."drone-ci/s3_storage_bucket"]
type = 'constant'
value = 'drone-storage'
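Review bot: `drone-ci/db_enc_secret` is the only command secret in this file without `rotate = true`, and nothing in the file says why; the next person migrating or tidying the file cannot tell whether the omission is deliberate or an oversight. Add a comment above `[secrets."drone-ci/db_enc_secret"]` such as `# never rotated on purpose: <reason>` (replace the placeholder with the actual constraint — presumably data already encrypted under the key, but I cannot confirm that from here). The three command secrets also have no `description`, unlike every user secret; one line each saying what `rpc_secret` and `cookie_secret` protect would make the rotation flags self-explaining.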


@ -1 +0,0 @@
CMD openssl rand -hex 16


@ -1 +0,0 @@
CMD_ONCE openssl rand -hex 16


@ -1 +0,0 @@
USER OAuth client ID (on Gitea)


@ -1 +0,0 @@
USER OAuth client secret (for gitea)


@ -1 +0,0 @@
CMD openssl rand -hex 16


@ -1 +0,0 @@
USER S3 (garage) access key for Drone


@ -1 +0,0 @@
CONST drone-db


@ -1 +0,0 @@
USER S3 (garage) secret key for Drone


@ -1 +0,0 @@
CONST drone-storage


@ -0,0 +1,58 @@
# ---- POSTFIX ----
[secrets."email/postfix/postfix.key"]
type = 'SSL_KEY'
name = 'postfix'
[secrets."email/postfix/postfix.crt"]
type = 'SSL_CERT'
name = 'postfix'
cert_domains = "['deuxfleurs.fr']"
[secrets."email/dkim/smtp.private"]
type = 'RSA_PRIVATE_KEY'
name = 'dkim'
# ---- DOVECOT ----
[service_users."dovecot"]
dn_secret = "email/dovecot/ldap_binddn"
password_secret = "email/dovecot/ldap_bindpwd"
[secrets."email/dovecot/dovecot.key"]
type = 'SSL_KEY'
name = 'dovecot'
[secrets."email/dovecot/dovecot.crt"]
type = 'SSL_CERT'
name = 'dovecot'
cert_domains = "['deuxfleurs.fr']"
[secrets."email/dovecot/backup_restic_password"]
type = 'user'
description = 'Restic backup password to encrypt data'
[secrets."email/dovecot/backup_aws_secret_access_key"]
type = 'user'
description = 'AWS Secret Access key'
[secrets."email/dovecot/backup_restic_repository"]
type = 'user'
description = 'Restic Repository URL, check op_guide/backup-minio to see the format'
[secrets."email/dovecot/backup_aws_access_key_id"]
type = 'user'
description = 'AWS Acces Key ID'
# ---- SOGO ----
[service_users."sogo"]
dn_secret = "email/sogo/ldap_binddn"
password_secret = "email/sogo/ldap_bindpw"
[secrets."email/sogo/postgre_auth"]
type = 'user'
description = 'SoGo postgres auth (format: sogo:<password>) (TODO: replace this with two separate files and change template)'
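Review bot: `cert_domains = "['deuxfleurs.fr']"` on the postfix and dovecot certificate entries encodes a list inside a string, so the consumer has to parse a Python-style literal out of it; TOML has a native array, `cert_domains = ['deuxfleurs.fr']`, and the same string form appears on the jitsi and synapse certificate entries in this commit. If the consuming tool really expects the quoted literal, a comment at the first occurrence saying so would stop the next reader from "fixing" it. Separately, `password_secret = "email/dovecot/ldap_bindpwd"` spells the suffix `bindpwd` while the sogo entry here and the matrix entry use `bindpw`; that looks like a typo that would point the dovecot service user at a path no template reads. The removed `SERVICE_DN` files carried a description (`Dovecot IMAP server`, `SoGo email frontend`) that the new `[service_users]` tables drop while the matrix table keeps one; add `description = 'Dovecot IMAP server'` and `description = 'SoGo email frontend'`.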


@ -1 +0,0 @@
RSA_PRIVATE_KEY dkim


@ -1 +0,0 @@
USER AWS Acces Key ID


@ -1 +0,0 @@
USER AWS Secret Access key


@ -1 +0,0 @@
USER Restic backup password to encrypt data


@ -1 +0,0 @@
USER Restic Repository URL, check op_guide/backup-minio to see the format


@ -1 +0,0 @@
SSL_CERT dovecot deuxfleurs.fr


@ -1 +0,0 @@
SSL_KEY dovecot


@ -1 +0,0 @@
SERVICE_DN dovecot Dovecot IMAP server


@ -1 +0,0 @@
SERVICE_PASSWORD dovecot


@ -1 +0,0 @@
SSL_CERT postfix deuxfleurs.fr


@ -1 +0,0 @@
SSL_KEY postfix


@ -1 +0,0 @@
SERVICE_DN sogo SoGo email frontend


@ -1 +0,0 @@
SERVICE_PASSWORD sogo


@ -1 +0,0 @@
USER SoGo postgres auth (format: sogo:<password>) (TODO: replace this with two separate files and change template)


@ -0,0 +1,14 @@
[secrets."garage/rpc_secret"]
type = 'command'
command = 'openssl rand -hex 32'
# can't auto-rotate, because we still have some nodes outside of Nomad
[secrets."garage/admin_token"]
type = 'command'
command = 'openssl rand -hex 32'
rotate = true
[secrets."garage/metrics_token"]
type = 'command'
command = 'openssl rand -hex 32'
rotate = true
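Review bot: The comment `# can't auto-rotate, because we still have some nodes outside of Nomad` sits directly above `[secrets."garage/admin_token"]`, which has `rotate = true`, so by the usual comment-above-key convention it documents the wrong entry; it describes `garage/rpc_secret`, the only one without `rotate`, and should move directly under that header. Also, all three removed files were `CMD_ONCE`, while `admin_token` and `metrics_token` now get `rotate = true`; if `CMD_ONCE` meant never-rotate, this migration changes the rotation policy for those two tokens and anything holding a copy of the admin token will need to pick up the new value. If that is intended, it deserves a sentence in the commit description rather than being folded into a format migration.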


@ -1 +0,0 @@
CMD_ONCE openssl rand -hex 32


@ -1 +0,0 @@
CMD_ONCE openssl rand -hex 32


@ -1 +0,0 @@
CMD_ONCE openssl rand -hex 32


@ -0,0 +1,51 @@
# General configuration
[secrets."directory/guichet/web_hostname"]
type = 'user'
description = 'Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com)'
# Mailing configuration
[secrets."directory/guichet/smtp_user"]
type = 'user'
description = 'SMTP username'
[secrets."directory/guichet/smtp_pass"]
type = 'user'
description = 'SMTP password'
[secrets."directory/guichet/smtp_server"]
type = 'user'
description = 'SMTP server address (hostname:port)'
[secrets."directory/guichet/mail_from"]
type = 'user'
description = 'E-mail address from which to send welcome emails to new users'
[secrets."directory/guichet/mail_domain"]
type = 'user'
description = 'E-mail domain for new users (e.g. example.com)'
# S3 configuration
[secrets."directory/guichet/s3_endpoint"]
type = 'user'
description = 'S3 endpoint URL'
[secrets."directory/guichet/s3_bucket"]
type = 'user'
description = 'S3 bucket in which to store data files (such as profile pictures)'
[secrets."directory/guichet/s3_region"]
type = 'user'
description = 'S3 region'
[secrets."directory/guichet/s3_access_key"]
type = 'user'
description = 'Garage access key for Guichet profile pictures'
[secrets."directory/guichet/s3_secret_key"]
type = 'user'
description = 'Garage secret key for Guichet profile pictures'
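Review bot: The descriptions of `web_hostname` and `mail_domain` embed their example inside the text (`(e.g. guichet.example.com)`, `(e.g. example.com)`), whereas the `directory/ldap_base_dn` entry in this same commit uses the dedicated `example` key; move them to `example = 'guichet.example.com'` and `example = 'example.com'` so tooling that renders examples sees them. Several entries here (`web_hostname`, `smtp_server`, `s3_endpoint`, `s3_bucket`, `s3_region`, `mail_domain`) are plain configuration rather than credentials; if they live in the secrets store only because Guichet's template reads everything from there, a one-line comment under `# General configuration` saying so would save the next reader from wondering whether they are sensitive.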


@ -1 +0,0 @@
USER E-mail domain for new users (e.g. example.com)


@ -1 +0,0 @@
USER E-mail address from which to send welcome emails to new users


@ -1 +0,0 @@
USER Garage access key for Guichet profile pictures


@ -1 +0,0 @@
USER S3 bucket in which to store data files (such as profile pictures)


@ -1 +0,0 @@
USER S3 endpoint URL


@ -1 +0,0 @@
USER S3 region


@ -1 +0,0 @@
USER Garage secret key for Guichet profile pictures


@ -1 +0,0 @@
USER SMTP password


@ -1 +0,0 @@
USER SMTP server address (hostname:port)


@ -1 +0,0 @@
USER SMTP username


@ -1 +0,0 @@
USER Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com)


@ -0,0 +1,36 @@
# Jitsi secrets
[secrets."jitsi/jvb_pass"]
type = 'command'
rotate = true
command = 'openssl rand -base64 24'
[secrets."jitsi/jicofo_pass"]
type = 'command'
rotate = true
command = 'openssl rand -base64 24'
# SSL: Jitsi
[secrets."jitsi/jitsi.crt"]
type = 'SSL_CERT'
name = 'jitsi'
cert_domains = "['jitsi']"
[secrets."jitsi/jitsi.key"]
type = 'SSL_KEY'
name = 'jitsi'
# SSL: Jitsi auth
[secrets."jitsi/auth.jitsi.crt"]
type = 'SSL_CERT'
name = 'jitsi_auth'
cert_domains = "['auth.jitsi']"
[secrets."jitsi/auth.jitsi.key"]
type = 'SSL_KEY'
name = 'jitsi_auth'


@ -1 +0,0 @@
SSL_CERT jitsi_auth auth.jitsi


@ -1 +0,0 @@
SSL_KEY jitsi_auth auth.jitsi


@ -1 +0,0 @@
CMD openssl rand -base64 24


@ -1 +0,0 @@
SSL_CERT jitsi jitsi


@ -1 +0,0 @@
SSL_KEY jitsi jitsi


@ -1 +0,0 @@
CMD openssl rand -base64 24


@ -0,0 +1,92 @@
[service_users."matrix"]
description = 'Matrix service user'
dn_secret = 'chat/synapse/ldap_binddn'
password_secret = 'chat/synapse/ldap_bindpw'
# Postgresql DB
[secrets."chat/synapse/postgres_db"]
type = 'constant'
value = 'synapse'
[secrets."chat/synapse/postgres_user"]
type = 'service_username'
service = 'matrix'
[secrets."chat/synapse/postgres_pwd"]
type = 'service_password'
service = 'matrix'
# S3 access
[secrets."chat/synapse/s3_access_key"]
type = 'user'
description = 'S3 access key ID for Matrix bucket'
[secrets."chat/synapse/s3_secret_key"]
type = 'user'
description = 'S3 secret access key for Matrix bucket'
# Keys & stuff
[secrets."chat/synapse/homeserver.tls.dh"]
type = 'user'
multiline = true
description = 'DH parameters for matrix ssl key? how does this work?'
[secrets."chat/synapse/homeserver.tls.crt"]
type = 'SSL_CERT'
name = 'synapse'
cert_domains = "['im.deuxfleurs.fr']"
[secrets."chat/synapse/homeserver.tls.key"]
type = 'SSL_KEY'
name = 'synapse'
[secrets."chat/synapse/homeserver.signing.key"]
type = 'user'
description = 'Synapse homeserver ed25519 signing key'
[secrets."chat/synapse/registration_shared_secret"]
type = 'command'
rotate = true
command = 'head -c 32 /dev/urandom | base64'
# ----------- COTURN -----------
[secrets."chat/coturn/static-auth"]
type = 'user'
description = 'coturn static-auth (what is this?)'
[secrets."chat/coturn/static_auth_secret_zinzdev"]
type = 'user'
description = "Serveur coturn (TURN/STUN) d'Adrien, c'est un jeton d'identification."
# ----------- EASYBRIDGE (we will remove this one day) -----------
[service_users."easybridge"]
description = 'Easybridge service user'
password_secret = 'chat/easybridge/db_pass'
username_secret = 'chat/easybridge/db_user'
[secrets."chat/easybridge/as_token"]
type = 'command'
rotate = true
command = 'openssl rand -hex 32'
[secrets."chat/easybridge/web_session_key"]
type = 'command'
rotate = true
command = 'openssl rand -hex 32'
[secrets."chat/easybridge/hs_token"]
type = 'command'
rotate = true
command = 'openssl rand -hex 32'
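Review bot: Several removed entries in this section have no counterpart in the new file: the `fb2mx database URL` secret, two `USER matrix` entries, and more `openssl rand -hex 32` generators than the three easybridge tokens that were migrated. File paths are not visible on this page, so this may be an intended decommissioning of fb2mx and leftovers, but a format migration is the wrong place to drop secrets silently; either keep them or list what was dropped and why in the commit description. `chat/synapse/postgres_user` also changes from `CONST matrix` to `type = 'service_username'` with `service = 'matrix'`, which only preserves the value if the service-username generator yields `matrix` — I cannot confirm that from here. Finally, the descriptions `DH parameters for matrix ssl key? how does this work?` and `coturn static-auth (what is this?)` are carried-over open questions; answering them in the description, or an `# unknown purpose, kept during migration` comment, is better than a question mark in the schema.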


@ -1 +0,0 @@
USER coturn static-auth (what is this?)


@ -1 +0,0 @@
USER Serveur coturn (TURN/STUN) d'Adrien, c'est un jeton d'identification.


@ -1 +0,0 @@
CMD openssl rand -hex 32


@ -1 +0,0 @@
SERVICE_PASSWORD easybridge


@ -1 +0,0 @@
CONST easybridge


@ -1 +0,0 @@
CMD openssl rand -hex 32


@ -1,2 +0,0 @@
CMD openssl rand -hex 32


@ -1 +0,0 @@
CMD openssl rand -hex 32


@ -1 +0,0 @@
USER fb2mx database URL, format: postgres://username:password@hostname/dbname


@ -1 +0,0 @@
CMD openssl rand -hex 32


@ -1 +0,0 @@
USER Synapse homeserver ed25519 signing key


@ -1 +0,0 @@
SSL_CERT synapse im.deuxfleurs.fr


@ -1 +0,0 @@
USER_LONG DH parameters for matrix ssl key? how does this work?


@ -1 +0,0 @@
SSL_KEY synapse im.deuxfleurs.fr


@ -1 +0,0 @@
SERVICE_DN matrix Matrix chat server


@ -1 +0,0 @@
SERVICE_PASSWORD matrix


@ -1 +0,0 @@
CONST synapse


@ -1 +0,0 @@
SERVICE_PASSWORD matrix


@ -1 +0,0 @@
CONST matrix


@ -1 +0,0 @@
CMD head -c 32 /dev/urandom | base64


@ -1 +0,0 @@
USER matrix


@ -1 +0,0 @@
USER matrix


@ -0,0 +1,29 @@
[service_user."plume"]
password_secret = "plume/pgsql_pw"
[secrets."plume/secret_key"]
type = 'command'
rotate = true
command = 'openssl rand -base64 32'
# Plume backup
[secrets."plume/backup_restic_repository"]
type = 'user'
description = 'Restic repository'
example = 's3:https://s3.garage.tld'
[secrets."plume/backup_restic_password"]
type = 'user'
description = 'Restic password to encrypt backups'
[secrets."plume/backup_aws_secret_access_key"]
type = 'user'
description = 'Backup AWS secret access key'
[secrets."plume/backup_aws_access_key_id"]
type = 'user'
description = 'Backup AWS access key ID'
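Review bot: `[service_user."plume"]` is singular while every other file in this commit uses `[service_users."..."]` (dovecot, sogo, matrix, easybridge); a consumer keyed on `service_users` would never see plume's `password_secret`, and the old `SERVICE_PASSWORD plume` file would then have no replacement. Change the header to `[service_users."plume"]`. The file also mixes double quotes (`"plume/pgsql_pw"`) with the single quotes used on every other value in this commit; pick one.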


@ -1 +0,0 @@
USER Backup AWS access key ID


@ -1 +0,0 @@
USER Backup AWS secret access key


@ -1 +0,0 @@
USER Restic password to encrypt backups


@ -1 +0,0 @@
USER Restic repository, eg. s3:https://s3.garage.tld


@ -1 +0,0 @@
SERVICE_PASSWORD plume


@ -1 +0,0 @@
CMD openssl rand -base64 32
