fix(web03/dj-apps): Use secret tokens

machines/web03/django-apps/annuaire.nix

@@ -1,4 +1,9 @@
-{ pkgs, sources, ... }:
+{
+  pkgs,
+  sources,
+  config,
+  ...
+}:
 
 let
   nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
@@ -15,7 +20,7 @@ in
       forceSSL = true;
     };
 
-    webHookSecret = builtins.toFile "insecure-secret" "T5hNeDraMivRZLUkrekv&QeM";
+    webHookSecret = config.age.secrets."webhook-annuaire_token".path;
 
     python = pkgs.python3.override {
       packageOverrides = _: _: { inherit (nix-pkgs) authens loadcredential; };
@@ -30,7 +35,7 @@ in
     ];
 
     credentials = {
-      SECRET_KEY = builtins.toFile "insecure-key" "insecure-key";
+      SECRET_KEY = config.age.secrets."dj_annuaire-secret_key_file".path;
     };
 
     environment = {

machines/web03/django-apps/bocal.nix

@@ -1,4 +1,9 @@
-{ pkgs, sources, ... }:
+{
+  pkgs,
+  sources,
+  config,
+  ...
+}:
 
 let
   nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
@@ -15,7 +20,7 @@ in
       forceSSL = true;
     };
 
-    webHookSecret = builtins.toFile "insecure-secret" "T5hNeDraMivRZLUkrekv&QeM";
+    webHookSecret = config.age.secrets."webhook-bocal_token".path;
 
     python = pkgs.python3.override {
       packageOverrides = _: _: { inherit (nix-pkgs) django-cas-ng django-solo loadcredential; };
@@ -32,7 +37,7 @@ in
     ];
 
     credentials = {
-      SECRET_KEY = builtins.toFile "insecure-key" "insecure-key";
+      SECRET_KEY = config.age.secrets."dj_bocal-secret_key_file".path;
     };
 
     environment = {

machines/web03/django-apps/gestiojeux.nix

@@ -1,4 +1,9 @@
-{ pkgs, sources, ... }:
+{
+  pkgs,
+  sources,
+  config,
+  ...
+}:
 
 let
   nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
@@ -15,7 +20,7 @@ in
       forceSSL = true;
     };
 
-    webHookSecret = builtins.toFile "insecure-secret" "T5hNeDraMivRZLUkrekv&QeM";
+    webHookSecret = config.age.secrets."webhook-gestiojeux_token".path;
 
     application = {
       type = "wsgi";
@@ -54,7 +59,7 @@ in
     mediaDirectory = "source/public/media";
 
     credentials = {
-      SECRET_KEY = builtins.toFile "insecure-key" "insecure-key";
+      SECRET_KEY = config.age.secrets."dj_gestiojeux-secret_key_file".path;
     };
 
     environment = {

machines/web03/django-apps/wikiens.nix

@@ -1,4 +1,9 @@
-{ pkgs, sources, ... }:
+{
+  pkgs,
+  sources,
+  config,
+  ...
+}:
 
 let
   nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
@@ -8,14 +13,14 @@ in
   services.django-apps.sites.wikiens = {
     source = "https://git.dgnum.eu/DGNum/wiki-eleves";
     branch = "main";
-    domain = "wiki.webapps.dgnum.eu";
+    domain = "wiki.eleves.ens.fr";
 
     nginx = {
       enableACME = true;
       forceSSL = true;
     };
 
-    webHookSecret = builtins.toFile "insecure-secret" "T5hNeDraMivRZLUkrekv&QeM";
+    webHookSecret = config.age.secrets."webhook-wikiens_token".path;
 
     python = pkgs.python3.override {
       packageOverrides = _: _: {
@@ -40,11 +45,11 @@ in
       ++ ps.django-allauth.optional-dependencies.socialaccount;
 
     credentials = {
-      SECRET_KEY = builtins.toFile "insecure-key" "insecure-key";
+      SECRET_KEY = config.age.secrets."dj_wikiens-secret_key_file".path;
     };
 
     environment = {
-      WIKIENS_ALLOWED_HOSTS = [ "wiki.webapps.dgnum.eu" ];
+      WIKIENS_ALLOWED_HOSTS = [ "wiki.eleves.ens.fr" ];
     };
   };
 }

machines/web03/secrets/dj_bocal-secret_key_file

@@ -0,0 +1,30 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA HF+w4Kuk7Wo2s94SeNxAB3zFZhKNn1fPabJhUK/xGH0
+KY5tknNrICYq0HTfNRX760OPyWPJ8B4Sasq8BjN9a6k
+-> ssh-ed25519 QlRB9Q OGcCe/S1aIQckJGzt4Wz+DFebTZpNV+YCevnVOPDMXQ
+keDckjD4Vjhj3gmQnW0V8nJ1Soubkhb9WP28fsanhMA
+-> ssh-ed25519 r+nK/Q lO6xwuhfQ6gMlJzFBF5J9c2elEg1J3leAt5x1uTYGSk
+HQG0VQXvn72CIOqe6FRGrSX8TIa7sBB3cOZZQzXBl8w
+-> ssh-rsa krWCLQ
+pvF18GVS3dHr2jiss4sn00UqVVM2f/6BmkpYMgAVQ3FNpgnimQGsgCssuBo3Hjrc
+BTO4v2U6cQ28LTUsruWdPhRChT0zfGRtx1QIn0tPzy3XKUxjt2XkBeblxtLhCHmI
+muQ0yA15bP+aQfZn0dE1Eb4krw1unKWE4f82L/BQ5Y/i1P2rubhyBhBoQRb6atHv
+S2EWBafaNr3orbFl9FPMjhWW3WZX/zKJxlu0saN88I6ZU2967mdR4PogMpL9iqST
+atraraA1jG6mR9Ojloyrf8FG6wTlplDlZk8Sgtg88FD1iHMN1q0DQv1LwRoD3QUa
+ywIn9MABMufNXQ+jm/DQpw
+-> ssh-ed25519 /vwQcQ 83MxgOJhIBBGU6IRcTQPtxtyR4MapAxhdKT634w/em4
+scNxodN5j1HXOIPCB3glvc08Gb4wW9gmZ5gkWMCbm4E
+-> ssh-ed25519 0R97PA LBFUS7zx26+rjiWqVwQ4UBqRxr+3Sx+j+GGrRaBbz08
+fnFwvJz36SiKnEoJr+0+enNVcT7wduZUrYe7bWhyxfE
+-> ssh-ed25519 JGx7Ng iXjAn4Y7+yHASx4ZbIrvFffLzgX52DbQy9hIcTScHAs
+6AJZoV33mBryiCaquKTAkw8yB1NQs38QlG2p4LIcoMc
+-> ssh-ed25519 bUjjig 0cqMXUVHqhyYhygR7meIyWRr/c7H8ZGB5eO7tTHhRUk
+GYKKGB02ElJXpObmBJKF4Bvoswd3o83vvVYIHIpDprg
+-> ssh-ed25519 VQSaNw xHhzKnYeKxrN2MJz84v7Mjg3Nh69UJ6Q/eAyVAvC3V0
+/bvauGesQw9/tl4DhCNFY9Rq+qWv12O4TcqzdxTCWzk
+-> T:){{-grease NuQ <}vLGT%
+0JSFYPMWs6LXpWacfiHNdwqvs/eHecFwj6cg0eLZEQe96shxy8/WSUBMpgasKufB
+Nc4tpfiOVWVRGm4arhunwJ+1sgg37X35PWde89Qpg5g
+--- Y6N6GuCpRLdD25EWW+05qbUAadrT3z2Pzc5golCBHJw
+ßNê¯3'8ú³€@/¨0,zWêS¦‘ï;ßñì)§e<C2A7>ßÉïèÞí
+qMj’ÏŒrçHB–ÇR2šš–E2H+d­%
¶Ò–®

machines/web03/secrets/dj_gestiojeux-secret_key_file

@@ -0,0 +1,30 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA tuq63SvMOBnLOZNkIA5RenFt0DTg6bwCX4zJ8ISYRxc
+B1K+kEO/JC0t2EL+2od+UiVNlzBbpRg29lsp2L1DhHw
+-> ssh-ed25519 QlRB9Q r3M3DQi3xJiP+3nTpwm+2PQipnAaRyaWSH+mb0es6kE
+codqvk7AgptYBRyz2BFVH0FcQ7ebZGGdJ6PJmoWWXTk
+-> ssh-ed25519 r+nK/Q Ah4Oim/N0Tdkz1KPbQiHJQaqx614/jjlMqCxtYqjBy0
+aTrlmm3TbWN6pyDEHf9uGy9H9CyyChXGKL0RZr7U3W4
+-> ssh-rsa krWCLQ
+ZbbBqvj7L2XFfJBCQrn799m7FQDrFDg96Moev+Uab/U5caQoJIljMldkfD7VphEt
+56dyeJ7IdKdnwyt07213ua2gZ8Cmjyffi4b0mYhHkvRI5aSmfUtfiomXU0HkgZvK
+rk4+AVQYXTLZKlGaq5KkTt4i0ltwzjA9ECNirciqi5JmORkUD1T41xBKCSb+7N5b
+34Z/uka+oacxt7q27GnSonyFQIm7/owS4bTWV7vxoWLoOYTJcg4Oki/Op4gE9GkK
+1y4RDpdVsHcRZbi7ewB9UKbvMzH44TN5VJARUf0mFQ/OHUo5IJcm/glS898fSLu/
+mrjVT6XGAmPELB8uaVhSkg
+-> ssh-ed25519 /vwQcQ 2mD6dstuZmOkYlBajNevQkeCYAGWshp0h0F1TzdcJSY
+pzjxW+RZDSqPAHm+c5cMJZOdIfkwTmSLw2BktGh/kHk
+-> ssh-ed25519 0R97PA /vOiTSDwQVYTX+tFuJD0M8Enk+4b0ViZUnrZ/WhUKiI
+83r35uyZ/XELwTXZXzlU1yq+xzsNTUYNwK9aGGlOSAA
+-> ssh-ed25519 JGx7Ng V6Xnn5q1hSvWHjiWtWJAD7as5N2fdtWNKWi3JwhfYgQ
+aL3fX67spVrgguVtNNrfJ20fy3LRaDgMZldw5D1fKuE
+-> ssh-ed25519 bUjjig RdTpxQYpmEtG2Cn1EACf85/ZynfPbZhGfoSF+sfw1AA
+YovrKYRtwRPco3luRBVA0IA1qAq1jKxoS1UdoouhLGE
+-> ssh-ed25519 VQSaNw F4hYo2UaLzV8leVHx/oY9aIcZkZ9Fap5HiuTvZy+Hko
+Qwf9JDKqLXmIzId7gAtG5ERirfwZlQWCV6YiKgbexS4
+-> v>[->`-grease O {|u& 2o9 {w&!Ev
+jZPBNd6e20KQYli80kXK9D+qfmIVbOw9Y0aKXB3uvyNJPWDOoYTbzanjeXLuJdN+
+pB/fgMX7znIg+VP87n2qMR5jFVj/x4g4vNgKTUtglw
+--- j4kt4DFy3r3y6IMvNakNkmlkeb6iHYI5xAK8CZtbPD4
+EWS¦|p^/<2F> Ž?„<7F>Np%‚åeFU/>Ží¸0bccývr(ˆ‰Œº
+“.èýVŸdgðáADZ3"® ‡Ù(½\5Ó§q<

machines/web03/secrets/secrets.nix

@@ -1,6 +1,14 @@
 (import ../../../keys).mkSecrets [ "web03" ] [
   # List of secrets for web03
+  "dj_annuaire-secret_key_file"
+  "dj_bocal-secret_key_file"
+  "dj_gestiojeux-secret_key_file"
   "dj_interludes-email_host_password_file"
   "dj_interludes-secret_key_file"
+  "dj_wikiens-secret_key_file"
+  "webhook-annuaire_token"
+  "webhook-bocal_token"
+  "webhook-gestiojeux_token"
   "webhook-interludes_token"
+  "webhook-wikiens_token"
 ]

machines/web03/secrets/webhook-annuaire_token

@@ -0,0 +1,29 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA NovhLzllQnEbnI7bno+zDoSRFJyZMfVVYPQMReUIymw
+sefGtZ8fbYVqtKgMhrEj9AlwP70YM5MGkQ+o8Dmfb/Q
+-> ssh-ed25519 QlRB9Q 9mh3vQVo5tPorLYBVCcZUJOlcEftQKA94PxNhh+pDwg
+GXM67qitYqnxbFoHbsfa1lNNLIahPqshosIY7h0fDBA
+-> ssh-ed25519 r+nK/Q BOXck7k9AH+KvmoicI/fmGzWcna0nwnJ+uyteUjIukE
+Hyts1/6EAdruuBilhifl/HwPTWEBe+Kr1RL6SDjHaaM
+-> ssh-rsa krWCLQ
+1ROqUHCkbkEgRTQUha0cVJVAqLu0nvfKik9yI392sbEQYgmpuf7F0gzA97BXcoi3
+2BdZWu/cJ6m6bfMvXdZ04cUjRcNrnpPHsoqie3G9s9p6aa9XIrLO5K6kH7S6f5DZ
+pZdOqfSYldtJKRx7F8k0D/pscN5qB1Tb1x0CIULJVo7uKf9X1MnZwapOOCY2q40U
+Ip2aefr40h3EO7jBlswx2/fB8aqW95BR4JQzJZ/uiIsBUQDqvn39GU7R0JaLdAPB
+6kJXaJ3ORaDDtslcaAVZWLqFbOlINXYHr/mqYNTZMubE4BmNjvJL3aRozQQWraoJ
+q5rDvgwUXVhpGpcaNf4/xw
+-> ssh-ed25519 /vwQcQ FHYnfCad1imFiV5tRIfe9mtJ2ouiu2l19th2UD7j3gw
+Xu+Sk9GEQ9Wyf7iU790yxv80vLYHp2StArPkfRqfRhI
+-> ssh-ed25519 0R97PA etwCsiGmvzufJGMw8aDN+M931lPlE9fTUBQmk0X4DFk
+o6xJbfNjQ3Lko1MSJ9JBu6FefZ8267dZ+vL1Gpd1eH8
+-> ssh-ed25519 JGx7Ng h0XzejD/c5F2M7sWS4vTQL9OoRG73ACwlWCtK51Dcyo
+diMDy201IpwL6Ec+Zb4pH5f1yyMOMHT3jg6yriopCRU
+-> ssh-ed25519 bUjjig 2Oh5FhWfrbA9c5TisXuxasyYF41YOlNdurZR9QowETA
+706/MLiPT9+9xHZPZQYtvKm8zbN5qS/9XJ+TK15etIs
+-> ssh-ed25519 VQSaNw YbtnCoySon7jNBq7IFOl8UfxuJXRjzLrgXp238q4RRE
+10au0QwFP9ntPMU4u2bMl3KLYBIPy09xVoKNLxWvpw0
+-> Vu-grease !oqb p1-QmV
+i1WmaOmxmdAX/se60fnUL41n57c8tN1gnUjjBjSV7GkQGzhKnxTplJTUpifP9Js3
+8D+xe86sN2l2JQ5R9QFOAbsvSa5eXSo
+--- JE+yvBRH9Jz6Sdz46AzWuhVI0kXWObODKSiNWz5L9As
+_n´(I	6ÔÃPèCa\³U¼=é@ “†?6—P[Tò³ñˆjk<6A>0ãrÒ…°“ƒ¼-É(]/³a¿É
õ8¶=é¤i²<69>

machines/web03/secrets/webhook-bocal_token

@@ -0,0 +1,29 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA Ju7YL9wvvYr9VPLmYtYTniyuj9JTVqe2V8eRLISkIH8
+EJjZPLOhspyyrx7a+fYlPPH+1pr93KzW7E2Ztkic0cY
+-> ssh-ed25519 QlRB9Q X+TAfiEk1d67rkz6CgIO66bBrahY39ZTnmj0cBGGrSo
+kBLFu6DnN7rIzP3mSlPEc+yBN+yU5toLeA069vuNW6g
+-> ssh-ed25519 r+nK/Q wcXXCuAS9bOp3GM6c0pU7sxpylFEHFPmnibQTEwJ1x4
+fR41b7fhZCzuNP1jst3vx3wUjIkBDsz54VzubwNX6+M
+-> ssh-rsa krWCLQ
+ySG+OgB3gMW/ijdWqlGr1LnkfqeFD53ChxkOUfAe4+Z1VsK0FkVaBmqvW38SFMw9
+S4dcOkO6Km8umsaZBZi2QaItm+p8Rf/j7+W2WZPoyoKE1l1KW1ic/wGOY7uqeucn
+YZRq7rWX+DaH2VLbkl12wUlVgYwJGcH6VrpRizbq2z0jcdTak6hgzcXo7WhcNAit
+DY8W8X5Zv34mpj1VO7n2LJs5V7gzfSLq+KVMIi++QphVv2VkFpvaOqlEP2neVXnV
+C3YNJTkVx+R6wANCao+9a5VHC261Bkm81dKgzceW2OCHkwOP6XTbDpj59sMRxRuU
+B7jrvre5S1WZN9jc16Dv/Q
+-> ssh-ed25519 /vwQcQ TW560PIrbJV3ZB55w+EvH2PEYOoYM93x3aaeeShYKE8
+LC6pydBK3yCq/Vs7MUoa0xjDSn3WjRaZuqwvhX24YJQ
+-> ssh-ed25519 0R97PA zyerO6EIwW90XVSBVP3Y/7Q8hK+7uPe6kKENGCdDJRw
+WEpgo8Y64YXnat1OJU5qtpecf+Zu2P2LmB7DEtmUuAU
+-> ssh-ed25519 JGx7Ng 7h4q8ztQ0BFJSfavV4l1pKjbNRZveOPIJG0KF98vh28
+mYcUEL4n2+bkjpvJylIvzXSxoa71YZKMSgN21ONnvko
+-> ssh-ed25519 bUjjig 9wKWtLWD+9LlAOO24iQiOdvpSDIWpL6Xo0Wt3QOLIQY
+Kq2QLFB7E5tiqZQlsn5pZRM52v8XqUyYsvwNHXZspRs
+-> ssh-ed25519 VQSaNw 3tJNtvi0WK9iAzx3Q7Q0Ogj1TGH0Zrm5v0ERhQILBVk
+4232/j+xnbhQpId7ZS6+xAQBDxtumeOp4c1HVeMRqB4
+-> Pug13&(-grease 'w0JG}JF .t`9lMF v)8}4qW
+yRriwE//abKvQgu962F7URbOAiHDFMipnsq22itGkLDvmwIRY6Bi83xOzx72EV4y
+27GNdxQOni+z8NPt0YTskqq4fHfZky/EMFUvXTfteB7izYxEliHLRKA
+--- JNvexaDwzwOIUCxanJRLunfhBh1/PE8ssFCytr8nPjo
+TX¹Þ‚xòšd˜~KS?ìIò…C
eþ—3ÑJõ	¹ŸýCíÓF6qœv~Dùq¢T<>©55€bjˆf›Õ5”ñëã"ø£ÅŽp

machines/web03/secrets/webhook-gestiojeux_token

@@ -0,0 +1,29 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA dBBF9o4SBTHNv495PFZa6dszbs9nEARwg0EfOlfFwhc
+GkqX8sjLqFHGm4UA+zyVRB7FGGgAxilFYHarEQB0YAk
+-> ssh-ed25519 QlRB9Q DEu91DA+qho3Zs3gSQbWH/hOKUfgP5Qd90+9ZzYs1So
+aIw1ygo/e0tpqW2N27Fl8WRe362ronzqy52vSzD35Tc
+-> ssh-ed25519 r+nK/Q JUurf12UYuJKvKusUh/GOJryFbA8lWaS8v+/pRb0kys
+VsgsBSwjBXTD+tmP3jxCPVeDY7AHVFx5o57y+ubEjts
+-> ssh-rsa krWCLQ
+o08ZnFZIj37p5hpWgl8FXwPwHKjoBD7Z0UxMRsF4CUF0sLOpwVHD4L57hAA8a80S
+063e48OJ5OsrtueqqJwPT+wjXfmEarLUqC+rP0X+JDW8OLwSImBcYC5DQJZLUFSK
+doF8S8Bo0MbuB4eKnXUAJlhdZOk/iqYK8TYuuSIwWQxHwF/fT43hrYIkj6lmqdmG
+IqSXA04KpQFoL15INIAtsnj5xXJlI0gCPp0pxMNUmVyTTrNLfaEiKH191D+Elmjd
+xcdvMX1yzIPI/mI/+/OjeYspijY0XpRHLJ9ljfEK7E2N8IgpyzBx2BzxYhRHoQmi
+6SbZu9Tirw+yv5wv8oIaHA
+-> ssh-ed25519 /vwQcQ M6QID8DMaFMnF97UWwbSYJ7Sh0wvj/fq7cszu82/oHI
+T+aT4NCbVfGXnvPK7w8fbojAwDTE41h40q0tDwnGyhE
+-> ssh-ed25519 0R97PA XyZvyy80nv2tGe1fBzM0LeiIAGuyV22CzBoCPFMMrw8
+9VPiRV3GCWbH1So5LBrjBeRzEtErPM7BwOF/zaD/yGk
+-> ssh-ed25519 JGx7Ng OPlQBKO+Wub+PPMNPoRGWTeSZfGF3kYCD8HLbLbPR0k
+ZhBUT5ig0FnLCau+da9bfEkVjFxfZXG0mXW1o0yZ+JQ
+-> ssh-ed25519 bUjjig T5/dZtIRaXmNg8pajSAM76cVANM7MvQ7f32fz2fEqx0
++6kRffMJX+8QAOf5jA5acGihgw4q8yJda0EzVGePD+I
+-> ssh-ed25519 VQSaNw InflFPtAwYwQFWqd+KK+ILwMa0XTNkVB+xEMtUXW8Us
+XZ6LVMCpvq+QBo0EHAlnC8uBhQssixTLVCpul6ov4Dk
+-> YKmn+c&-grease EA5d$ ="1d }cP
+3u46NE2SdfO9ugNN/41PeU/65CRgmDiO54B9ZQLNRQtVyyLlcmvaYHCQach+s+Rs
+tE0Gc8MD23hPw5ZhWj0nq7xF8VHtRQSTLQ
+--- UkbfAVgnLkeg6Zdb3bsdPtx9Wh6HOjdB+qmTvrAWFuE
+5_E¼ñ/e)±žÑÊC×7Ú›ÈY<C388>wPŽöTášt6>l_0:[èP»ÎH5·¼j—<6A>€P˸â=vèFýÉIÄ4¹ÿÏD쪘ýp£§