add vault snapshot

This commit is contained in:
vincent 2023-08-27 17:06:45 +02:00
parent 42dbb13323
commit 27847f256b
4 changed files with 43 additions and 10 deletions


@ -17,6 +17,10 @@ wireguard_postdown:
- iptables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE
consul_snapshot: True
vault_snapshot: true
vault_backup_location: "/mnt/diskstation/git/backup/vault"
vault_roleID: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:vault-snapshot_approle') }}"
vault_secretID: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:vault-snapshot_secretID') }}"
partition_table:
- device: "/dev/sda"
label: gpt
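Review bot: Both halves of the AppRole credential, `vault_roleID` and `vault_secretID`, are read from the same KV secret `secrets/data/ansible/hashistack`, so any principal with read access to that one path holds a complete login for the snapshot role; the same pattern appears in the second file section of this commit. Placing the secret ID under its own path with a narrower read policy, or adding a comment such as `# role ID and secret ID are co-located on purpose; access to this path equals snapshot access` if that is the accepted trade-off, would make the trust boundary explicit. Also, this file spells `vault_snapshot: true` while the second file spells `vault_snapshot: True`; both parse as booleans in Ansible's YAML, but one spelling across host files keeps text-based audits reliable.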


@ -13,3 +13,7 @@ wireguard_postdown:
- iptables -D FORWARD -o wg0 -j ACCEPT
- iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
consul_snapshot: True
vault_snapshot: True
vault_backup_location: "/mnt/diskstation/git/backup/vault"
vault_roleID: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:vault-snapshot_approle') }}"
vault_secretID: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:vault-snapshot_secretID') }}"


@ -1,13 +1,3 @@
data "vault_policy_document" "snapshot" {
rule {
path= "sys/storage/raft/snapshot"
capabilities = ["read"]
}
}
resource "vault_policy" "snapshot" {
name = "snapshot"
policy = data.vault_policy_document.snapshot.hcl
}
data "vault_policy_document" "nomad_server_policy" {
rule {
path = "auth/token/create/nomad-cluster"

vault/vault-snapshot.tf Normal file

@ -0,0 +1,35 @@
resource "vault_approle_auth_backend_role" "vault-snapshot" {
backend = vault_auth_backend.approle.path
role_name = "vault-snapshot"
token_policies = ["vault-snapshot"]
}
data "vault_approle_auth_backend_role_id" "vault-snapshot" {
backend = vault_auth_backend.approle.path
role_name = vault_approle_auth_backend_role.vault-snapshot.role_name
}
output "vault-snapshot-role-id" {
value = data.vault_approle_auth_backend_role_id.vault-snapshot.role_id
}
data "vault_policy_document" "vault-snapshot" {
rule {
path = "sys/storage/raft/snapshot"
capabilities = ["read"]
}
}
resource "vault_policy" "vault-snapshot" {
name = "vault-snapshot"
policy = data.vault_policy_document.vault-snapshot.hcl
}
#resource "vault_approle_auth_backend_role_secret_id" "vault-snapshot" {
# backend = vault_auth_backend.approle.path
# role_name = vault_approle_auth_backend_role.vault-snapshot.role_name
#}
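Review bot: The role `vault_approle_auth_backend_role.vault-snapshot` sets only `token_policies`, so tokens issued through it presumably fall back to Vault's default TTLs and are not bound to any network origin, while the policy below grants `read` on `sys/storage/raft/snapshot`, which yields a complete copy of the Raft store. Since the secret ID is issued outside Terraform (the `vault_approle_auth_backend_role_secret_id` block is commented out) and, per the host-vars hunks in this commit, stored statically in KV for Ansible, bounding the role limits what a leaked credential can do: `token_ttl = 600`, `token_max_ttl = 900` and `secret_id_bound_cidrs = ["<backup-host CIDR placeholder>"]`, with the TTLs sized to the snapshot job's runtime. The commented-out block also deserves a one-line reason, e.g. `# secret ID is issued out of band so it never lands in Terraform state`, if that is why it was left out; the intent cannot be inferred from the hunk alone.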