From 51dc5a690dfcd6830e7d74152d17ce52dea867a1 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Tue, 9 Jan 2024 17:22:11 -0600
Subject: [PATCH] synapse: encrypt LDAP password with age

Switching from Ansible Vault to `age`. This value is encrypted with the following public key: age1j63kzwldegazaaj4rm2ydzlm4wlh6z4cgm4s7g6pzysskh04duhslyc5yy
---
 group_vars/synapse/main.yml | 9 ++++++++-
 group_vars/synapse/secrets | 9 ---------
 roles/synapse/templates/homeserver.yaml.j2 | 2 +-
 3 files changed, 9 insertions(+), 11 deletions(-)
 delete mode 100644 group_vars/synapse/secrets

diff --git a/group_vars/synapse/main.yml b/group_vars/synapse/main.yml
index a07b0da..871516f 100644
--- a/group_vars/synapse/main.yml
+++ b/group_vars/synapse/main.yml
@@ -4,7 +4,14 @@ synapse_ldap_enabled: true
 synapse_ldap_uri: ldap://ldap.pyrocufflink.blue:389
 synapse_ldap_base: DC=pyrocufflink,DC=blue
 synapse_ldap_bind_dn: CN=svc.synapse,CN=Users,DC=pyrocufflink,DC=blue
-synapse_ldap_bind_password: '{{ vault_synapse_ldap_bind_password }}'
+synapse_ldap_bind_password: |
+  -----BEGIN AGE ENCRYPTED FILE-----
+  YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBza1BRS1Y5WFFIVDk1R0Fj
+  S09STXh3dEZBL0dtWk1PZXZHT0ZiZ0J6N1JVCkhFYXpqM3RqbmxmUlEySGgrcDla
+  eWVld3JmR1IxWmM0dlMzRXR0RDg4aEEKLS0tIHd1Tm5HVzZVTHBXUUV0OGQwb2o4
+  YkxqNkxzMHY3UWdibmFQajRIVFU2WlUKPrK1boO/OLSGTYKqz4VhiSLvfNO3EnU2
+  I3NhniF1WpbqwEkYzL7CM4teYYYQOHPJpBaj4vUT7mMOZyw5VOkKYQ==
+  -----END AGE ENCRYPTED FILE-----
 
 matrix_tls_cert: websites/hatch.chat.cer
 matrix_tls_key: websites/hatch.chat.key
diff --git a/group_vars/synapse/secrets b/group_vars/synapse/secrets
deleted file mode 100644
index 7af7e5b..0000000
--- a/group_vars/synapse/secrets
+++ /dev/null
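Review bot: The age ciphertext under `synapse_ldap_bind_password` gives no hint of which identity can decrypt it or how it is consumed; the recipient key lives only in the commit message, which the next person editing `group_vars/synapse/main.yml` will not see. A comment above the key would record that, e.g. `# age-armored ciphertext for recipient age1j63kzwldegazaaj4rm2ydzlm4wlh6z4cgm4s7g6pzysskh04duhslyc5yy; rendered via the decrypt filter in roles/synapse/templates/homeserver.yaml.j2`. The `|` block scalar also keeps a trailing newline on the value, so `|-` is the safer header unless the `decrypt` filter is known to tolerate it. Since the same credential was previously stored under Ansible Vault and that ciphertext remains in git history, anyone who held the old vault password can still recover the bind password unless it was rotated alongside this change; the commit does not say whether it was.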
@@ -1,9 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-63353463626538346438303931303537663265346634313861653364333635323337666634303136
-3036343162343532306263653634376132663836393962640a623738393633336437643330656264
-66633166306532373631323236346237626239643839313934383264393231313134323761313163
-6464626566623466630a313363386332613637346638333439666438383939306632666466353966
-30323538326462313836306563353233663935636130636361353938623331396432356436383137
-30336464646136633931613763363464373165386435613939656435663332326432396539633037
-30373035663336613937383038363032373330316137333333303632353839643338393938343238
-34393634643139323066
diff --git a/roles/synapse/templates/homeserver.yaml.j2 b/roles/synapse/templates/homeserver.yaml.j2
index 5c8b2ae..e8c5721 100644
--- a/roles/synapse/templates/homeserver.yaml.j2
+++ b/roles/synapse/templates/homeserver.yaml.j2
@@ -80,7 +80,7 @@ password_providers:
 {% if synapse_ldap_bind_dn|d %}
 bind_dn: '{{ synapse_ldap_bind_dn }}'
 {% if synapse_ldap_bind_password|d %}
-bind_password: '{{ synapse_ldap_bind_password }}'
+bind_password: '{{ synapse_ldap_bind_password | decrypt }}'
 {% endif %}
 {% endif %}
 {% endif %}
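Review bot: The decrypted value at `bind_password:` is dropped into a single-quoted YAML scalar, so a plaintext containing `'` would yield a malformed homeserver.yaml, and a trailing newline left over from the `|` block scalar in group_vars would become part of the password; `bind_password: {{ synapse_ldap_bind_password | decrypt | to_json }}` lets Ansible emit a correctly quoted scalar whatever the content. `decrypt` is not a built-in Ansible filter — presumably a filter plugin elsewhere in this repository — so a short comment on this line naming where it lives and which age identity it expects would help the next reader of the template. The rendered file holds the LDAP bind password in clear, as it did before; the task that writes it (outside this hunk) should keep a restrictive file mode. The enclosing `password_providers` block begins before the hunk.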