vault policy segmentation

This commit is contained in:
vincent 2022-10-30 09:33:39 +01:00
parent a3abcb41a3
commit bb1bb51b4a
22 changed files with 103 additions and 68 deletions


@ -4,27 +4,27 @@ postgresql_users:
role_attr_flags: SUPERUSER
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:root')}}"
- name: wikijs
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:wikijs')}}"
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/wikijs:password')}}"
- name: ttrss
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:ttrss')}}"
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/ttrss:password')}}"
- name: gitea
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:gitea')}}"
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/gitea:password')}}"
- name: supysonic
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:supysonic')}}"
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/supysonic:password')}}"
- name: hass
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:hass')}}"
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/homeassistant:password')}}"
- name: nextcloud
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:nextcloud')}}"
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/nextcloud:password')}}"
- name: vaultwarden
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:vaultwarden')}}"
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/vaultwarden:password')}}"
- name: drone
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:drone')}}"
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/droneCI:password')}}"
- name: dendrite
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:dendrite')}}"
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/dendrite:password')}}"
- name: paperless
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:paperless')}}"
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/paperless:password')}}"
- name: dump
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:dump')}}"
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/dump:passwod')}}"
postgresql_databases:
- name: wikijs
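Review bot: The new lookup for the `dump` user reads the key `passwod` while every other entry in the list reads `password`; unless the secret was actually written with that misspelled key, the hashi_vault lookup will fail on a missing key, so the line should be `password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/dump:password')}}"`. The `hass` and `drone` users read `database/homeassistant` and `database/droneCI` rather than a secret named after the role; that matches the `droneCI` key in the Terraform policy list and the drone job's template, but a short comment next to those two entries saying the secret name deliberately differs from the role name would save the next reader a search. The `root` user entry that opens postgresql_users begins above the hunk.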


@ -20,7 +20,7 @@ job "backup-postgress" {
mode = "host"
}
vault {
policies = ["access-tables"]
policies = ["dump"]
}
task "backup" {
driver = "docker"
@ -45,7 +45,7 @@ job "backup-postgress" {
env = true
}
resources {
memory = 25
memory = 50
}
}
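Review bot: The `memory` change from 25 to 50 in the second hunk is unrelated to the policy segmentation the title describes and is not explained anywhere; either a separate commit or one sentence in the description saying why the backup task needed more memory would keep the change reviewable. The `dump` policy requested in the first hunk does exist in the Terraform `nomad_policy` list and grants read on `secrets/data/nomad/dump` and `secrets/data/database/dump`; the template that consumes them is not part of this diff, so whether it already reads the new paths cannot be checked here.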


@ -6,7 +6,7 @@ job "crowdsec-agent" {
forcedeploy = "2"
}
vault {
policies = ["access-tables"]
policies = ["crowdsec"]
}
@ -69,7 +69,7 @@ EOH
data = <<EOH
LOCAL_API_URL = {{- range service "crowdsec-api" }} "http://{{ .Address }}:{{ .Port }}"{{- end }}
AGENT_USERNAME = "{{ env "node.unique.name" }}"
{{with secret "secrets/data/crowdsec"}}
{{with secret "secrets/data/nomad/crowdsec"}}
AGENT_PASSWORD = "{{.Data.data.AGENT_PASSWORD}}"
{{end}}
EOH


@ -5,7 +5,7 @@ job "crowdsec-api" {
forcedeploy = "-1"
}
vault {
policies = ["access-tables"]
policies = ["crowdsec"]
}
group "crowdsec-api" {
network {
@ -45,7 +45,7 @@ job "crowdsec-api" {
template {
data = <<EOH
DISABLE_AGENT = "true"
{{with secret "secrets/data/crowdsec"}}
{{with secret "secrets/data/nomad/crowdsec"}}
AGENT_USERNAME = "{{.Data.data.AGENT_USERNAME}}"
AGENT_PASSWORD = "{{.Data.data.AGENT_PASSWORD}}"
{{end}}


@ -17,7 +17,7 @@ job "matrix" {
}
}
vault{
policies= ["access-tables"]
policies= ["dendrite"]
}
task "dendrite" {
@ -63,8 +63,8 @@ global:
database:
{{ with secret "secrets/data/dendrite"}}
connection_string: postgresql://dendrite:{{.Data.data.databasePass}}@db1.ducamps.win/dendrite?sslmode=disable
{{ with secret "secrets/data/database/dendrite"}}
connection_string: postgresql://dendrite:{{.Data.data.password}}@db1.ducamps.win/dendrite?sslmode=disable
{{end}}
max_open_conns: 100
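Review bot: The job now requests policy `dendrite`, but the Terraform `nomad_policy` list in the nomad Terraform file of this same commit spells it `"dentrite"`, so the policy Vault creates and the only name present in `allowed_policies` will be `dentrite`; as committed, token issuance for this job should be refused and the generated policy would grant paths under `secrets/data/nomad/dentrite` and `secrets/data/database/dentrite` that nothing reads. The fix belongs in the Terraform list: `"dendrite",`. Separately, the pre-existing `sslmode=disable` on the connection string sends the database password from the new secret in clear text to `db1.ducamps.win`; if that link is not otherwise encrypted, `sslmode=require` would be the safer default now that credentials are being tightened.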


@ -17,7 +17,7 @@ job "wikijs" {
}
}
vault{
policies= ["access-tables"]
policies= ["wikijs"]
}
task "wikijs" {
@ -54,12 +54,12 @@ job "wikijs" {
template {
data= <<EOH
{{ with secret "secrets/data/wikijs"}}
{{ with secret "secrets/data/database/wikijs"}}
DB_TYPE="postgres"
DB_HOST="db1.ducamps.win"
DB_PORT="5432"
DB_USER="wikijs"
DB_PASS="{{.Data.data.DB_PASS}}"
DB_PASS="{{.Data.data.password}}"
DB_NAME="wikijs"
{{end}}
EOH


@ -2,7 +2,7 @@ job "drone" {
datacenters = ["homelab"]
type = "service"
vault {
policies = ["access-tables"]
policies = ["droneci"]
}
@ -50,18 +50,21 @@ job "drone" {
}
template {
data = <<EOH
{{ with secret "secrets/data/droneCI"}}
{{ with secret "secrets/data/nomad/droneCI"}}
DRONE_GITEA_SERVER="https://git.ducamps.win"
DRONE_GITEA_CLIENT_ID="{{ .Data.data.DRONE_GITEA_CLIENT_ID }}"
DRONE_GITEA_CLIENT_SECRET="{{ .Data.data.DRONE_GITEA_CLIENT_SECRET }}"
DRONE_GITEA_ALWAYS_AUTH="True"
DRONE_USER_CREATE="username:vincent,admin:true"
DRONE_DATABASE_DRIVER="postgres"
DRONE_DATABASE_DATASOURCE="postgres://drone:{{ .Data.data.DRONE_DB_PASSWORD }}@db1.ducamps.win:5432/drone?sslmode=disable"
DRONE_RPC_SECRET="{{ .Data.data.DRONE_RPC_SECRET }}"
DRONE_SERVER_HOST="drone.ducamps.win"
DRONE_SERVER_PROTO="https"
{{end}}
{{ with secret "secrets/data/database/droneCI"}}
DRONE_DATABASE_DATASOURCE="postgres://drone:{{ .Data.data.password }}@db1.ducamps.win:5432/drone?sslmode=disable"
{{end}}
EOH
destination = "local/drone.env"
env = true
@ -84,7 +87,7 @@ job "drone" {
}
template {
data = <<EOH
{{ with secret "secrets/data/droneCI"}}
{{ with secret "secrets/data/nomad/droneCI"}}
DRONE_RPC_HOST="drone.ducamps.win"
DRONE_RPC_PROTO="https"
DRONE_RPC_SECRET= "{{ .Data.data.DRONE_RPC_SECRET}}"
@ -117,7 +120,7 @@ job "drone" {
}
template {
data = <<EOH
{{ with secret "secrets/data/droneCI"}}
{{ with secret "secrets/data/nomad/droneCI"}}
DRONE_RPC_HOST="drone.ducamps.win"
DRONE_RPC_PROTO="https"
DRONE_RPC_SECRET= "{{ .Data.data.DRONE_RPC_SECRET}}"
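Review bot: The job requests policy `droneci` while the Terraform list, the policy name it produces and the secret paths all use `droneCI`; Vault lowercases ACL policy names on write, so the request may well resolve, but the mixed spelling is fragile and the job line should read `policies = ["droneCI"]` (or the Terraform key should be lowercased everywhere) so the two files agree. The server template still renders `DRONE_GITEA_CLIENT_SECRET`, `DRONE_RPC_SECRET` and the database password into `local/drone.env`, whereas the gitea, paperless and supysonic templates in this commit render into `secrets/`; Nomad's `secrets/` directory is the one intended for rendered secrets (tmpfs-backed where supported and not exposed through the allocation filesystem API), so `destination = "secrets/drone.env"` would be the consistent choice — the pihole job's `local/file.env` has the same issue. The splitting of the datasource into its own `with secret` block is fine; the enclosing task continues outside the hunk.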


@ -13,7 +13,7 @@ job "git" {
}
}
vault {
policies = ["access-tables"]
policies = ["gitea"]
}
task "gitea" {
driver = "docker"
@ -77,12 +77,15 @@ job "git" {
}
template {
data = <<EOH
{{ with secret "secrets/data/gitea"}}
GITEA__database__PASSWD = "{{.Data.data.PASSWD}}"
{{ with secret "secrets/data/nomad/gitea"}}
GITEA__security__SECRET_KEY = "{{.Data.data.secret_key}}"
GITEA__oauth2__JWT_SECRET = "{{.Data.data.jwt_secret}}"
GITEA__security__INTERNAL_TOKEN = "{{.Data.data.internal_token}}"
{{end}}
{{ with secret "secrets/data/database/gitea"}}
GITEA__database__PASSWD = "{{.Data.data.password}}"
{{end}}
EOH
destination = "secrets/gitea.env"
env = true


@ -22,10 +22,6 @@ job "homeassistant" {
static = 5683
}
}
vault {
policies = ["access-tables"]
}


@ -23,7 +23,7 @@ job "paperless-ng" {
}
}
vault {
policies = ["access-tables"]
policies = ["paperless"]
}
task "redis" {
@ -85,7 +85,7 @@ job "paperless-ng" {
template {
data = <<EOH
PAPERLESS_DBPASS= {{ with secret "secrets/data/paperless"}}{{.Data.data.DB_PASSWORD }}{{end}}
PAPERLESS_DBPASS= {{ with secret "secrets/data/database/paperless"}}{{.Data.data.password }}{{end}}
EOH
destination = "secrets/paperless.env"
env = true


@ -50,7 +50,7 @@ job "pihole" {
}
vault {
policies = ["access-tables"]
policies = ["pihole"]
}
env {
@ -61,7 +61,7 @@ job "pihole" {
}
template {
data = <<EOH
WEBPASSWORD="{{with secret "secrets/data/pihole"}}{{.Data.data.WEBPASSWORD}}{{end}}"
WEBPASSWORD="{{with secret "secrets/data/nomad/pihole"}}{{.Data.data.WEBPASSWORD}}{{end}}"
EOH
destination = "local/file.env"
change_mode = "noop"


@ -18,7 +18,7 @@ job "prometheus" {
mode = "fail"
}
vault {
policies = ["access-tables"]
policies = ["prometheus"]
}
ephemeral_disk {
@ -91,7 +91,7 @@ scrape_configs:
scrape_interval: 60s
metrics_path: /api/prometheus
authorization:
credentials: {{ with secret "secrets/data/prometheus"}}'{{ .Data.data.hass_token }}'{{end}}
credentials: {{ with secret "secrets/data/nomad/prometheus"}}'{{ .Data.data.hass_token }}'{{end}}


@ -12,10 +12,6 @@ job "radicale" {
to = 5232
}
}
vault {
policies = ["access-tables"]
}
task "radicale" {
driver = "docker"
service {


@ -20,7 +20,7 @@ job "seedboxsync" {
mode = "host"
}
vault {
policies = ["access-tables"]
policies = ["seedbox"]
}
task "server" {
driver = "docker"
@ -45,7 +45,7 @@ job "seedboxsync" {
}
template {
data = <<EOH
{{ with secret "secrets/data/seedbox"}}
{{ with secret "secrets/data/nomad/seedbox"}}
USERNAME = "{{ .Data.data.username }}"
PASSWORD = "{{ .Data.data.password }}"
REMOTE_PATH = "{{ .Data.data.remote_path }}"


@ -21,7 +21,7 @@ job "supysonic" {
}
}
vault {
policies = ["access-tables"]
policies = ["supysonic"]
}
service {
@ -107,8 +107,8 @@ http {
template {
data = <<EOH
{{ with secret "secrets/data/supysonic"}}
SUPYSONIC_DB_URI = "postgres://supysonic:{{ .Data.data.db_password}}@db1.ducamps.win/supysonic"
{{ with secret "secrets/data/database/supysonic"}}
SUPYSONIC_DB_URI = "postgres://supysonic:{{ .Data.data.password}}@db1.ducamps.win/supysonic"
{{end}}
EOH
destination = "secrets/supysonic.env"


@ -19,10 +19,6 @@ job "syncthing" {
static = 21027
}
}
vault {
policies = ["access-tables"]
}
task "syncthing" {
driver = "docker"
service {


@ -26,7 +26,7 @@ job "traefik-ingress" {
}
}
vault {
policies = ["access-tables"]
policies = ["gandi"]
}
task "traefik" {
driver = "docker"
@ -73,7 +73,7 @@ job "traefik-ingress" {
}
template {
data = <<EOH
GANDIV5_API_KEY = "{{with secret "secrets/data/gandi"}}{{.Data.data.API_KEY}}{{end}}"
GANDIV5_API_KEY = "{{with secret "secrets/data/nomad/gandi"}}{{.Data.data.API_KEY}}{{end}}"
EOH
destination = "secrets/gandi.env"
env = true


@ -19,7 +19,7 @@ job "traefik-local" {
}
}
vault {
policies = ["access-tables"]
policies = ["gandi"]
}
task "traefik" {
@ -67,7 +67,7 @@ job "traefik-local" {
}
template {
data = <<EOH
GANDIV5_API_KEY = "{{with secret "secrets/data/gandi"}}{{.Data.data.API_KEY}}{{end}}"
GANDIV5_API_KEY = "{{with secret "secrets/data/nomad/gandi"}}{{.Data.data.API_KEY}}{{end}}"
EOH
destination = "secrets/gandi.env"
env = true


@ -24,7 +24,7 @@ job "tt-rss" {
}
}
vault {
policies = ["access-tables"]
policies = ["ttrss"]
}
service {
name = "tt-rss"
@ -65,8 +65,8 @@ job "tt-rss" {
}
template {
data = <<EOH
{{ with secret "secrets/data/ttrss"}}
TTRSS_DB_PASS = "{{ .Data.data.DB_PASS }}"
{{ with secret "secrets/data/database/ttrss"}}
TTRSS_DB_PASS = "{{ .Data.data.password }}"
{{end}}
EOH
destination = "secrets/tt-rss.env"
@ -97,8 +97,8 @@ job "tt-rss" {
}
template {
data = <<EOH
{{ with secret "secrets/data/ttrss"}}
TTRSS_DB_PASS = "{{ .Data.data.DB_PASS }}"
{{ with secret "secrets/data/database/ttrss"}}
TTRSS_DB_PASS = "{{ .Data.data.password }}"
{{end}}
EOH
destination = "secrets/tt-rss.env"


@ -14,7 +14,7 @@ job "vaultwarden" {
}
}
vault {
policies = ["access-tables"]
policies = ["vaultwarden"]
}
task "vaultwarden" {
@ -64,8 +64,8 @@ job "vaultwarden" {
template {
data = <<EOH
{{ with secret "secrets/data/vaultwarden"}}
DATABASE_URL=postgresql://vaultwarden:{{ .Data.data.DB_PASSWORD }}@db1.ducamps.win/vaultwarden
{{ with secret "secrets/data/database/vaultwarden"}}
DATABASE_URL=postgresql://vaultwarden:{{ .Data.data.password }}@db1.ducamps.win/vaultwarden
{{end}}
EOH
destination = "secrets/vaultwarden.env"


@ -8,8 +8,26 @@ provider vault {
}
locals {
allowed_policies= [
"access-tables"
allowed_policies= concat(local.nomad_policy, [
])
nomad_policy=[
"crowdsec",
"dump",
"dentrite",
"droneCI",
"gandi",
"gitea",
"nextcloud",
"paperless",
"pihole",
"prometheus",
"rsyncd",
"seedbox",
"supysonic",
"ttrss",
"vaultwarden",
"wikijs",
]
}
@ -22,6 +40,24 @@ resource "vault_token_auth_backend_role" "nomad-cluster" {
allowed_policies = local.allowed_policies
}
data "vault_policy_document" "nomad_jobs" {
for_each = toset(local.nomad_policy)
rule {
path = "secrets/data/nomad/${each.key}"
capabilities = ["read"]
}
rule {
path = "secrets/data/database/${each.key}"
capabilities = ["read"]
}
}
resource "vault_policy" "nomad_jobs" {
for_each = toset(local.nomad_policy)
name = each.key
policy = data.vault_policy_document.nomad_jobs[each.key].hcl
}
resource "vault_mount" "kvv2-secret" {
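Review bot: `allowed_policies= concat(local.nomad_policy, [ ])` wraps an empty list; if nothing else is meant to be appended, `allowed_policies = local.nomad_policy` says the same thing without the reader wondering what was supposed to go in the brackets. Dropping `"access-tables"` from `allowed_policies` means any job not touched by this commit that still requests that policy will be refused a token at its next deployment, which is worth confirming across the cluster before applying. The per-app policy document reading `secrets/data/nomad/${each.key}` and `secrets/data/database/${each.key}` is the right shape for segmentation; the old single-path secrets (`secrets/data/<app>`) that the jobs used to read presumably still exist, so a follow-up that removes them, and the `access-tables` policy itself, closes the gap where anything still holding that policy can read every application password. A comment above `nomad_policy` stating that each entry must match both the Nomad job's `policies` value and the KV secret names would document the coupling that the `dentrite`/`droneci` mismatches elsewhere in this commit show is easy to break.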


@ -66,6 +66,11 @@ data "vault_policy_document" "ansible" {
path = "secrets/data/ansible"
capabilities = ["read", "list"]
}
rule {
path = "secrets/data/database"
capabilities = ["read", "list"]
}
}
resource "vault_policy" "ansible" {
name = "ansible"
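Review bot: Vault matches a policy `path` exactly unless it ends in `*` or contains a `+` segment, so the added rule on `secrets/data/database` grants read on a secret literally named `database`, not on `secrets/data/database/wikijs` and the other per-database secrets the updated Ansible vars now look up; the intended rule is probably `path = "secrets/data/database/*"`. The existing `secrets/data/ansible` rule on the line above has the same shape while the lookups read `secrets/data/ansible/database`, so if those work today a broader rule above the hunk may already exist — confirm that before changing, as the policy document starts outside the hunk. `list` on a KV v2 `data/` path has no effect; listing goes through `secrets/metadata/database/`, so either drop `"list"` here or add a metadata rule if Ansible needs to enumerate the secrets.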