From 9d44ad59c7dd7f280d1248a54e7473040718a325 Mon Sep 17 00:00:00 2001
From: vincent <vincent@ducamps.win>
Date: Wed, 1 Nov 2023 18:58:42 +0100
Subject: [PATCH] vault backup cron in nomad

---
 ansible/host_vars/oscar      |  2 --
 ansible/host_vars/oscar-dev  |  2 --
 nomad-job/vault-backup.nomad | 49 ++++++++++++++++++++++++++++++++++++
 vault/nomad.tf               |  1 +
 vault/policy.tf              | 20 +++++++++++++++
 5 files changed, 70 insertions(+), 4 deletions(-)
 create mode 100644 nomad-job/vault-backup.nomad

diff --git a/ansible/host_vars/oscar b/ansible/host_vars/oscar
index a88c9fc..553c716 100644
--- a/ansible/host_vars/oscar
+++ b/ansible/host_vars/oscar
@@ -17,8 +17,6 @@ wireguard_postdown:
   - iptables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE
 consul_snapshot: True
 
-vault_snapshot: true
-vault_backup_location: "/mnt/diskstation/git/backup/vault"
 partition_table:
   - device: "/dev/sda"
     label: gpt
diff --git a/ansible/host_vars/oscar-dev b/ansible/host_vars/oscar-dev
index d4edca3..225bc63 100644
--- a/ansible/host_vars/oscar-dev
+++ b/ansible/host_vars/oscar-dev
@@ -13,5 +13,3 @@ wireguard_postdown:
   - iptables -D FORWARD -o wg0 -j ACCEPT
   - iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
 consul_snapshot: True
-vault_snapshot: True
-vault_backup_location: "/mnt/diskstation/git/backup/vault"
diff --git a/nomad-job/vault-backup.nomad b/nomad-job/vault-backup.nomad
new file mode 100644
index 0000000..5859ae8
--- /dev/null
+++ b/nomad-job/vault-backup.nomad
@@ -0,0 +1,49 @@
+
+job "vault-backup" {
+  datacenters = ["homelab"]
+  priority    = 50
+  type        = "batch"
+  meta {
+    forcedeploy = "0"
+  }
+
+  constraint {
+    attribute = "${attr.cpu.arch}"
+    value     = "amd64"
+  }
+  periodic {
+    crons             = ["30 3 * * *"]
+    prohibit_overlap = true
+  }
+  group "vault-backup" {
+    network {
+      mode = "host"
+    }
+    vault {
+      policies = ["vault-backup"]
+    }
+    task "vault-backup" {
+      driver = "docker"
+      config {
+        image = "ducampsv/docker-vault-backup:latest"
+        volumes = [
+          "/mnt/diskstation/git/backup/vault:/backup"
+        ]
+      }
+      template {
+        data        = <<EOH
+          {{ with secret "secrets/data/nomad/vault-backup"}}
+          VAULT_APPROLEID = "{{ .Data.data.VAULT_APPROLEID }}"
+          VAULT_SECRETID  = "{{ .Data.data.VAULT_SECRETID }}"
+          {{end}}
+        EOH
+        destination = "secrets/secrets.env"
+        env         = true
+      }
+      resources {
+        memory = 100
+      }
+    }
+
+  }
+}
diff --git a/vault/nomad.tf b/vault/nomad.tf
index 931244b..e47cf1e 100644
--- a/vault/nomad.tf
+++ b/vault/nomad.tf
@@ -22,6 +22,7 @@ locals {
     "vikunja",
     "ghostfolio",
     "alertmanager",
+    "vault-backup"
   ]
 
 }
diff --git a/vault/policy.tf b/vault/policy.tf
index d9549cd..86d8cf7 100644
--- a/vault/policy.tf
+++ b/vault/policy.tf
@@ -95,6 +95,26 @@ data "vault_policy_document" "admin_policy" {
     path = "secrets/*"
     capabilities = ["create", "read", "update", "delete", "list", "sudo"]
   }
+  rule {
+    path = "database/*"
+    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+  }
+  rule {
+    path = "pki/*"
+    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+  }
+  rule {
+    path = "ssh/*"
+    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+  }
+  rule {
+    path = "nomad/*"
+    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+  }
+  rule {
+    path = "consul/*"
+    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+  }
   rule {
     path = "sys/mounts/*"
     capabilities = ["create", "read", "update", "delete", "list", "sudo"]