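locals {
  # Every policy name a token minted through
  # vault_token_auth_backend_role.nomad-cluster is allowed to carry.
  # Each name here must correspond to a vault_policy resource: entries of
  # nomad_policy are rendered by vault_policy.nomad_jobs, entries of
  # nomad_custom_policy by vault_policy.nomad_jobs_custom.
  allowed_policies = concat(local.nomad_policy, local.nomad_custom_policy[*].name)

  # Nomad jobs that receive the generated, read-only per-job policy
  # (data.vault_policy_document.nomad_jobs). The job name is used verbatim as
  # the Vault policy name and as the last path segment under
  # secrets/data/nomad/, secrets/data/database/ and secrets/data/authelia/,
  # so it must match the secret paths exactly.
  nomad_policy = [
    "crowdsec",
    "dump",
    "dentrite", # NOTE(review): confirm this spelling matches the job and its secret path
    "droneci",
    "traefik",
    "gitea",
    "grafana",
    "nextcloud",
    "paperless",
    "pihole",
    "prometheus",
    "rsyncd",
    "seedbox",
    "supysonic",
    "ttrss",
    "vaultwarden",
    "wikijs",
    "vikunja",
    "ghostfolio",
    "alertmanager",
    "vault-backup",
    "pdns",
    "ldap",
    "borgmatic",
    "mealie",
    "immich",
  ]

  # Jobs whose policy is hand-written instead of generated. `name` becomes
  # the Vault policy name, `policy` is the policy body in Vault's HCL.
  nomad_custom_policy = [
    {
      name = "authelia"
      # authelia reads its own job entry plus the whole secrets/data/authelia/
      # tree, i.e. the per-job entries that each generated policy exposes
      # only for its own job.
      policy = <<-EOT
        path "secrets/data/nomad/authelia" {
          capabilities = ["read"]
        }
        path "secrets/data/authelia/*" {
          capabilities = ["read"]
        }
      EOT
    },
  ]
}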
resource "vault_token_auth_backend_role" "nomad-cluster" {
  role_name = "nomad-cluster"

  # Tokens issued through this role may only be bound to the policies listed
  # in local.allowed_policies (the generated per-job policies plus the
  # hand-written ones).
  allowed_policies = local.allowed_policies

  # Token lifetime: periodic tokens with a 72h (259200s) period, renewable,
  # and orphaned so they are not revoked together with the token that created
  # them. With no explicit max TTL ("0") a periodic token stays valid for as
  # long as it keeps being renewed, so renewal is what bounds its lifetime.
  orphan                 = true
  renewable              = true
  token_period           = "259200"
  token_explicit_max_ttl = "0"
}
data "vault_policy_document" "nomad_jobs" {
  # One policy document per job name in local.nomad_policy.
  for_each = toset(local.nomad_policy)

  # Read-only access to exactly the secrets that belong to this job. Only the
  # "read" capability is granted and only on paths scoped by the job name, so
  # no job can reach another job's entries and nothing is listed or managed.
  dynamic "rule" {
    for_each = [
      "secrets/data/nomad/${each.key}",    # the job's own entry
      "secrets/data/nomad/${each.key}/*",  # anything nested below it
      "secrets/data/database/${each.key}", # the job's entry under the database tree
      "secrets/data/authelia/${each.key}", # the job's entry under the authelia tree
    ]
    content {
      path         = rule.value
      capabilities = ["read"]
    }
  }
}
resource "vault_policy" "nomad_jobs" {
  # One Vault policy per generated document. The data source is keyed by
  # job name (toset(local.nomad_policy)), so iterating over it yields the
  # same keys and this resource is addressed the same way as the document.
  for_each = data.vault_policy_document.nomad_jobs

  name   = each.key
  policy = each.value.hcl
}
resource "vault_policy" "nomad_jobs_custom" {
  # Hand-written policies from local.nomad_custom_policy, keyed by their
  # name; the key doubles as the Vault policy name.
  for_each = { for entry in local.nomad_custom_policy : entry.name => entry }

  name   = each.key
  policy = each.value.policy
}