vault backup cron in nomad
This commit is contained in:
parent
c8a1ba34f3
commit
9d44ad59c7
@ -17,8 +17,6 @@ wireguard_postdown:
|
|||||||
- iptables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE
|
- iptables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE
|
||||||
consul_snapshot: True
|
consul_snapshot: True
|
||||||
|
|
||||||
vault_snapshot: true
|
|
||||||
vault_backup_location: "/mnt/diskstation/git/backup/vault"
|
|
||||||
partition_table:
|
partition_table:
|
||||||
- device: "/dev/sda"
|
- device: "/dev/sda"
|
||||||
label: gpt
|
label: gpt
|
||||||
|
@ -13,5 +13,3 @@ wireguard_postdown:
|
|||||||
- iptables -D FORWARD -o wg0 -j ACCEPT
|
- iptables -D FORWARD -o wg0 -j ACCEPT
|
||||||
- iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
|
- iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
|
||||||
consul_snapshot: True
|
consul_snapshot: True
|
||||||
vault_snapshot: True
|
|
||||||
vault_backup_location: "/mnt/diskstation/git/backup/vault"
|
|
||||||
|
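--- /dev/null
+++ b/nomad-job/vault-backup.nomad
@@ -0,0 +1,49 @@
+
+job "vault-backup" {
+datacenters = ["homelab"]
+priority = 50
+type = "batch"
+meta {
+forcedeploy = "0"
+}
+
+constraint {
+attribute = "${attr.cpu.arch}"
+value = "amd64"
+}
+periodic {
+crons = ["30 3 * * *"]
+prohibit_overlap = true
+}
+group "vault-backup" {
+network {
+mode = "host"
+}
+vault {
+policies = ["vault-backup"]
+}
+task "vault-backup" {
+driver = "docker"
+config {
+image = "ducampsv/docker-vault-backup:latest"
+volumes = [
+"/mnt/diskstation/git/backup/vault:/backup"
+]
+}
+template {
+data = <<EOH
+{{ with secret "secrets/data/nomad/vault-backup"}}
+VAULT_APPROLEID = "{{ .Data.data.VAULT_APPROLEID }}"
+VAULT_SECRETID = "{{ .Data.data.VAULT_SECRETID }}"
+{{end}}
+EOH
+destination = "secrets/secrets.env"
+env = true
+}
+resources {
+memory = 100
+}
+}
+
+}
+}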
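Review bot: `image = "ducampsv/docker-vault-backup:latest"` in the task's `config` block pulls a mutable tag for a task that is handed Vault AppRole credentials through the `template` block, so what actually runs at 03:30 each night can change without any change to this file. Pin the image and bump it deliberately instead of relying on the `forcedeploy` meta key, e.g. `image = "ducampsv/docker-vault-backup:<TAG>@sha256:<DIGEST>"` (placeholder values). Because `env = true` places `VAULT_APPROLEID` and `VAULT_SECRETID` in the task environment, the `vault-backup` policy the job references (its definition is not visible in this hunk) should grant only what producing the backup needs. A one-line header comment above `job "vault-backup"` naming what the image writes under `/backup` would also help, since the target path `/mnt/diskstation/git/backup/vault` was a per-host variable in the removed `vault_backup_location` lines and is now a literal here.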
@ -22,6 +22,7 @@ locals {
|
|||||||
"vikunja",
|
"vikunja",
|
||||||
"ghostfolio",
|
"ghostfolio",
|
||||||
"alertmanager",
|
"alertmanager",
|
||||||
|
"vault-backup"
|
||||||
]
|
]
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -95,6 +95,26 @@ data "vault_policy_document" "admin_policy" {
|
|||||||
path = "secrets/*"
|
path = "secrets/*"
|
||||||
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
||||||
}
|
}
|
||||||
|
rule {
|
||||||
|
path = "database/*"
|
||||||
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
||||||
|
}
|
||||||
|
rule {
|
||||||
|
path = "pki/*"
|
||||||
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
||||||
|
}
|
||||||
|
rule {
|
||||||
|
path = "ssh/*"
|
||||||
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
||||||
|
}
|
||||||
|
rule {
|
||||||
|
path = "nomad/*"
|
||||||
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
||||||
|
}
|
||||||
|
rule {
|
||||||
|
path = "consul/*"
|
||||||
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
||||||
|
}
|
||||||
rule {
|
rule {
|
||||||
path = "sys/mounts/*"
|
path = "sys/mounts/*"
|
||||||
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
||||||
|
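Review bot: The five added `rule` blocks grant `sudo` on `database/*`, `pki/*`, `ssh/*`, `nomad/*` and `consul/*` to `admin_policy`, a widening that is unrelated to the `vault-backup` policy the new job references and much broader than the commit title "vault backup cron in nomad" suggests. If it is intentional, a comment above the first added rule such as `# admin policy covers every secrets engine managed from this repo` or a separate commit would make the change reviewable on its own. The rules differ only in `path`, so a single `dynamic "rule"` over a list of mount prefixes keeps the capability list in one place and makes any later narrowing a one-line edit. The enclosing `data "vault_policy_document" "admin_policy"` block starts before this hunk.
```hcl
# … unchanged: rule for "secrets/*" …
dynamic "rule" {
  for_each = ["database/*", "pki/*", "ssh/*", "nomad/*", "consul/*"]
  content {
    path         = rule.value
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
  }
}
# … unchanged: rule for "sys/mounts/*" …
```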