vault backup cron in nomad

This commit is contained in:
vincent 2023-11-01 18:58:42 +01:00
parent c8a1ba34f3
commit 9d44ad59c7
5 changed files with 70 additions and 4 deletions

View File

@ -17,8 +17,6 @@ wireguard_postdown:
- iptables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE
consul_snapshot: True
vault_snapshot: true
vault_backup_location: "/mnt/diskstation/git/backup/vault"
partition_table:
- device: "/dev/sda"
label: gpt

View File

@ -13,5 +13,3 @@ wireguard_postdown:
- iptables -D FORWARD -o wg0 -j ACCEPT
- iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
consul_snapshot: True
vault_snapshot: True
vault_backup_location: "/mnt/diskstation/git/backup/vault"

View File

@ -0,0 +1,49 @@
job "vault-backup" {
datacenters = ["homelab"]
priority = 50
type = "batch"
meta {
forcedeploy = "0"
}
constraint {
attribute = "${attr.cpu.arch}"
value = "amd64"
}
periodic {
crons = ["30 3 * * *"]
prohibit_overlap = true
}
group "vault-backup" {
network {
mode = "host"
}
vault {
policies = ["vault-backup"]
}
task "vault-backup" {
driver = "docker"
config {
image = "ducampsv/docker-vault-backup:latest"
volumes = [
"/mnt/diskstation/git/backup/vault:/backup"
]
}
template {
data = <<EOH
{{ with secret "secrets/data/nomad/vault-backup"}}
VAULT_APPROLEID = "{{ .Data.data.VAULT_APPROLEID }}"
VAULT_SECRETID = "{{ .Data.data.VAULT_SECRETID }}"
{{end}}
EOH
destination = "secrets/secrets.env"
env = true
}
resources {
memory = 100
}
}
}
}

View File

@ -22,6 +22,7 @@ locals {
"vikunja",
"ghostfolio",
"alertmanager",
"vault-backup"
]
}

View File

@ -95,6 +95,26 @@ data "vault_policy_document" "admin_policy" {
path = "secrets/*"
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
rule {
path = "database/*"
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
rule {
path = "pki/*"
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
rule {
path = "ssh/*"
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
rule {
path = "nomad/*"
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
rule {
path = "consul/*"
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
rule {
path = "sys/mounts/*"
capabilities = ["create", "read", "update", "delete", "list", "sudo"]