first commit

2022-04-03 20:45:50 +02:00 · 2022-04-03 20:45:50 +02:00 · 36180489a7
commit 36180489a7
3 changed files with 116 additions and 0 deletions
--- a/pihole.nomad
+++ b/pihole.nomad
@ -0,0 +1,66 @@
+
+job "pihole" {
+  datacenters = ["homelab"]
+  type = "service"
+     constraint {
+     attribute = "${attr.unique.hostname}"
+     value     = "oscar"
+  }
+   group "pi-hole" {
+    network {
+      mode = "host"
+      port "dns" {
+        static       = 53
+      }
+      port "http" {
+        static       = 8090
+        to           = 80
+      }
+    }
+    service {
+        name = "pihole-gui"
+        tags = ["pihole", "admin"]
+        port = "http"
+    }
+    task "server" {
+      driver = "docker"
+      config {
+        image = "pihole/pihole:latest"
+        ports = [
+          "dns",
+          "http",
+        ]
+        volumes =[
+        "local/dnsmasq.d/02-localresolver.conf:/etc/dnsmasq.d/02-localresolver.conf",
+        "/mnt/diskstation/nomad/pihole:/etc/pihole"
+        ]
+
+      }
+    vault{
+      policies= ["access-tables"]
+
+    }
+    env {
+      TZ= "Europe/Paris"
+      DNS1= "1.1.1.1"
+      DNS2= "80.67.169.40"
+
+    }
+    template {
+      data = <<EOH
+        WEBPASSWORD="{{with secret "secrets/data/pihole"}}{{.Data.data.WEBPASSWORD}}{{end}}"
+        EOH
+        destination = "local/file.env"
+        env         = true
+    }
+     template{
+        data= <<EOH
+        server=/ducamps.win/192.168.1.10
+        server=/consul/172.17.0.1#8600
+        EOH
+        destination="local/dnsmasq.d/02-localresolver.conf"
+
+      }
+    }
+  }
+}
--- a/vault/nomad-cluster-role.json
+++ b/vault/nomad-cluster-role.json
@ -0,0 +1,9 @@
+{
+  "allowed_policies": "acces-tables",
+  "disallowed_policies": "",
+  "token_explicit_max_ttl": 0,
+  "name": "nomad-cluster",
+  "orphan": true,
+  "token_period": 259200,
+  "renewable": true
+}
--- a/vault/nomad-server-policy.hcl
+++ b/vault/nomad-server-policy.hcl
@ -0,0 +1,41 @@
+# Allow creating tokens under "nomad-cluster" token role. The token role name
+# should be updated if "nomad-cluster" is not used.
+path "auth/token/create/nomad-cluster" {
+  capabilities = ["update"]
+}
+
+# Allow looking up "nomad-cluster" token role. The token role name should be
+# updated if "nomad-cluster" is not used.
+path "auth/token/roles/nomad-cluster" {
+  capabilities = ["read"]
+}
+
+# Allow looking up the token passed to Nomad to validate # the token has the
+# proper capabilities. This is provided by the "default" policy.
+path "auth/token/lookup-self" {
+  capabilities = ["read"]
+}
+
+# Allow looking up incoming tokens to validate they have permissions to access
+# the tokens they are requesting. This is only required if
+# `allow_unauthenticated` is set to false.
+path "auth/token/lookup" {
+  capabilities = ["update"]
+}
+
+# Allow revoking tokens that should no longer exist. This allows revoking
+# tokens for dead tasks.
+path "auth/token/revoke-accessor" {
+  capabilities = ["update"]
+}
+
+# Allow checking the capabilities of our own token. This is used to validate the
+# token upon startup.
+path "sys/capabilities-self" {
+  capabilities = ["update"]
+}
+
+# Allow our own token to be renewed.
+path "auth/token/renew-self" {
+  capabilities = ["update"]
+}