vault backup cron in nomad

2023-11-01 18:58:42 +01:00 · 2023-11-01 18:58:42 +01:00 · 9d44ad59c7
commit 9d44ad59c7
parent c8a1ba34f3
5 changed files with 70 additions and 4 deletions
--- a/ansible/host_vars/oscar
+++ b/ansible/host_vars/oscar
@ -17,8 +17,6 @@ wireguard_postdown:
  - iptables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE
 consul_snapshot: True

-vault_snapshot: true
-vault_backup_location: "/mnt/diskstation/git/backup/vault"
 partition_table:
  - device: "/dev/sda"
    label: gpt
--- a/ansible/host_vars/oscar-dev
+++ b/ansible/host_vars/oscar-dev
@ -13,5 +13,3 @@ wireguard_postdown:
  - iptables -D FORWARD -o wg0 -j ACCEPT
  - iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
 consul_snapshot: True
-vault_snapshot: True
-vault_backup_location: "/mnt/diskstation/git/backup/vault"
--- a/nomad-job/vault-backup.nomad
+++ b/nomad-job/vault-backup.nomad
@ -0,0 +1,49 @@
+
+job "vault-backup" {
+  datacenters = ["homelab"]
+  priority    = 50
+  type        = "batch"
+  meta {
+    forcedeploy = "0"
+  }
+
+  constraint {
+    attribute = "${attr.cpu.arch}"
+    value     = "amd64"
+  }
+  periodic {
+    crons             = ["30 3 * * *"]
+    prohibit_overlap = true
+  }
+  group "vault-backup" {
+    network {
+      mode = "host"
+    }
+    vault {
+      policies = ["vault-backup"]
+    }
+    task "vault-backup" {
+      driver = "docker"
+      config {
+        image = "ducampsv/docker-vault-backup:latest"
+        volumes = [
+          "/mnt/diskstation/git/backup/vault:/backup"
+        ]
+      }
+      template {
+        data        = <<EOH
+          {{ with secret "secrets/data/nomad/vault-backup"}}
+          VAULT_APPROLEID = "{{ .Data.data.VAULT_APPROLEID }}"
+          VAULT_SECRETID  = "{{ .Data.data.VAULT_SECRETID }}"
+          {{end}}
+        EOH
+        destination = "secrets/secrets.env"
+        env         = true
+      }
+      resources {
+        memory = 100
+      }
+    }
+
+  }
+}
--- a/vault/nomad.tf
+++ b/vault/nomad.tf
@ -22,6 +22,7 @@ locals {
    "vikunja",
    "ghostfolio",
    "alertmanager",
+    "vault-backup"
  ]

 }
--- a/vault/policy.tf
+++ b/vault/policy.tf
@ -95,6 +95,26 @@ data "vault_policy_document" "admin_policy" {
    path = "secrets/*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
  }
+  rule {
+    path = "database/*"
+    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+  }
+  rule {
+    path = "pki/*"
+    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+  }
+  rule {
+    path = "ssh/*"
+    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+  }
+  rule {
+    path = "nomad/*"
+    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+  }
+  rule {
+    path = "consul/*"
+    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+  }
  rule {
    path = "sys/mounts/*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]