vault backup cron in nomad
This commit is contained in:
parent
c8a1ba34f3
commit
9d44ad59c7
@ -17,8 +17,6 @@ wireguard_postdown:
|
||||
- iptables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE
|
||||
consul_snapshot: True
|
||||
|
||||
vault_snapshot: true
|
||||
vault_backup_location: "/mnt/diskstation/git/backup/vault"
|
||||
partition_table:
|
||||
- device: "/dev/sda"
|
||||
label: gpt
|
||||
|
@ -13,5 +13,3 @@ wireguard_postdown:
|
||||
- iptables -D FORWARD -o wg0 -j ACCEPT
|
||||
- iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
|
||||
consul_snapshot: True
|
||||
vault_snapshot: True
|
||||
vault_backup_location: "/mnt/diskstation/git/backup/vault"
|
||||
|
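--- /dev/null
+++ b/nomad-job/vault-backup.nomad
@@ -0,0 +1,49 @@
+
+job "vault-backup" {
+datacenters = ["homelab"]
+priority = 50
+type = "batch"
+meta {
+forcedeploy = "0"
+}
+
+constraint {
+attribute = "${attr.cpu.arch}"
+value = "amd64"
+}
+periodic {
+crons = ["30 3 * * *"]
+prohibit_overlap = true
+}
+group "vault-backup" {
+network {
+mode = "host"
+}
+vault {
+policies = ["vault-backup"]
+}
+task "vault-backup" {
+driver = "docker"
+config {
+image = "ducampsv/docker-vault-backup:latest"
+volumes = [
+"/mnt/diskstation/git/backup/vault:/backup"
+]
+}
+template {
+data = <<EOH
+{{ with secret "secrets/data/nomad/vault-backup"}}
+VAULT_APPROLEID = "{{ .Data.data.VAULT_APPROLEID }}"
+VAULT_SECRETID = "{{ .Data.data.VAULT_SECRETID }}"
+{{end}}
+EOH
+destination = "secrets/secrets.env"
+env = true
+}
+resources {
+memory = 100
+}
+}
+
+}
+}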
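Review bot: The task pulls `ducampsv/docker-vault-backup:latest` in the `config` block, so the code that receives the AppRole role id and secret id from the `secrets/secrets.env` template and writes into the bind-mounted backup directory can change whenever that tag is re-pushed, with nothing in this job to notice; pin it to a version tag or digest, e.g. `image = "ducampsv/docker-vault-backup:<pinned-tag-or-@sha256-digest>"`. The `network { mode = "host" }` stanza looks unnecessary for a batch job whose only visible output is the `/backup` bind mount, unless the container reaches Vault through a host-local address that the job does not show; host networking also drops the per-allocation network namespace, so it is worth a comment or removal. The file has no comments at all: a header stating what runs (presumably a Vault backup at 03:30 daily, per `crons = ["30 3 * * *"]`, authenticated via the AppRole stored at `secrets/data/nomad/vault-backup`), plus one-line notes on why `prohibit_overlap = true` and what the `forcedeploy` meta key is for, would let a reader judge the job without opening the image.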
@ -22,6 +22,7 @@ locals {
|
||||
"vikunja",
|
||||
"ghostfolio",
|
||||
"alertmanager",
|
||||
"vault-backup"
|
||||
]
|
||||
|
||||
}
|
||||
|
@ -95,6 +95,26 @@ data "vault_policy_document" "admin_policy" {
|
||||
path = "secrets/*"
|
||||
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
||||
}
|
||||
rule {
|
||||
path = "database/*"
|
||||
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
||||
}
|
||||
rule {
|
||||
path = "pki/*"
|
||||
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
||||
}
|
||||
rule {
|
||||
path = "ssh/*"
|
||||
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
||||
}
|
||||
rule {
|
||||
path = "nomad/*"
|
||||
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
||||
}
|
||||
rule {
|
||||
path = "consul/*"
|
||||
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
||||
}
|
||||
rule {
|
||||
path = "sys/mounts/*"
|
||||
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
||||
|
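Review bot: The rules added to `admin_policy` in this hunk grant every capability including `sudo` on `database/*`, `pki/*`, `ssh/*`, `nomad/*`, `consul/*` and `sys/mounts/*`, which broadens the admin role rather than anything the vault-backup job needs; the job binds the `vault-backup` policy, whose definition is not in this diff, so the backup's own least-privilege grant cannot be checked here. If the admin expansion is intended it belongs in its own commit, or at least each rule should carry a comment naming the operation that requires `sudo` on that path, e.g. `# sudo: needed to enable/tune/unmount secret engines` above the `sys/mounts/*` rule. Because the `+`/`-` markers are lost in this rendering, the 6 context lines cannot be told apart from the 20 added ones, and the enclosing `data "vault_policy_document" "admin_policy"` block continues beyond the hunk.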