vault policy segmentation
This commit is contained in:
parent
a3abcb41a3
commit
bb1bb51b4a
@ -4,27 +4,27 @@ postgresql_users:
|
||||
role_attr_flags: SUPERUSER
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:root')}}"
|
||||
- name: wikijs
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:wikijs')}}"
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/wikijs:password')}}"
|
||||
- name: ttrss
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:ttrss')}}"
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/ttrss:password')}}"
|
||||
- name: gitea
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:gitea')}}"
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/gitea:password')}}"
|
||||
- name: supysonic
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:supysonic')}}"
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/supysonic:password')}}"
|
||||
- name: hass
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:hass')}}"
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/homeassistant:password')}}"
|
||||
- name: nextcloud
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:nextcloud')}}"
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/nextcloud:password')}}"
|
||||
- name: vaultwarden
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:vaultwarden')}}"
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/vaultwarden:password')}}"
|
||||
- name: drone
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:drone')}}"
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/droneCI:password')}}"
|
||||
- name: dendrite
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:dendrite')}}"
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/dendrite:password')}}"
|
||||
- name: paperless
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:paperless')}}"
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/paperless:password')}}"
|
||||
- name: dump
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:dump')}}"
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/dump:passwod')}}"
|
||||
|
||||
postgresql_databases:
|
||||
- name: wikijs
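Review bot: The `dump` user's lookup misspells the KV key as `secrets/data/database/dump:passwod`, while every other entry in this hunk reads `:password`; the hashi_vault lookup will fail (or hand back nothing) for that key, so the role is created with a wrong or empty password. Change it to `password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/dump:password')}}"`. Note also that two users read secrets whose path differs from the role name (`hass` → `database/homeassistant`, `drone` → `database/droneCI`); that is fine as long as the Nomad jobs use the same paths, which this diff shows for drone but not for homeassistant. The `postgresql_users` list starts before this hunk.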
|
||||
|
@ -20,7 +20,7 @@ job "backup-postgress" {
|
||||
mode = "host"
|
||||
}
|
||||
vault {
|
||||
policies = ["access-tables"]
|
||||
policies = ["dump"]
|
||||
}
|
||||
task "backup" {
|
||||
driver = "docker"
|
||||
@ -45,7 +45,7 @@ job "backup-postgress" {
|
||||
env = true
|
||||
}
|
||||
resources {
|
||||
memory = 25
|
||||
memory = 50
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -6,7 +6,7 @@ job "crowdsec-agent" {
|
||||
forcedeploy = "2"
|
||||
}
|
||||
vault {
|
||||
policies = ["access-tables"]
|
||||
policies = ["crowdsec"]
|
||||
|
||||
}
|
||||
|
||||
@ -69,7 +69,7 @@ EOH
|
||||
data = <<EOH
|
||||
LOCAL_API_URL = {{- range service "crowdsec-api" }} "http://{{ .Address }}:{{ .Port }}"{{- end }}
|
||||
AGENT_USERNAME = "{{ env "node.unique.name" }}"
|
||||
{{with secret "secrets/data/crowdsec"}}
|
||||
{{with secret "secrets/data/nomad/crowdsec"}}
|
||||
AGENT_PASSWORD = "{{.Data.data.AGENT_PASSWORD}}"
|
||||
{{end}}
|
||||
EOH
|
||||
|
@ -5,7 +5,7 @@ job "crowdsec-api" {
|
||||
forcedeploy = "-1"
|
||||
}
|
||||
vault {
|
||||
policies = ["access-tables"]
|
||||
policies = ["crowdsec"]
|
||||
}
|
||||
group "crowdsec-api" {
|
||||
network {
|
||||
@ -45,7 +45,7 @@ job "crowdsec-api" {
|
||||
template {
|
||||
data = <<EOH
|
||||
DISABLE_AGENT = "true"
|
||||
{{with secret "secrets/data/crowdsec"}}
|
||||
{{with secret "secrets/data/nomad/crowdsec"}}
|
||||
AGENT_USERNAME = "{{.Data.data.AGENT_USERNAME}}"
|
||||
AGENT_PASSWORD = "{{.Data.data.AGENT_PASSWORD}}"
|
||||
{{end}}
|
||||
|
@ -17,7 +17,7 @@ job "matrix" {
|
||||
}
|
||||
}
|
||||
vault{
|
||||
policies= ["access-tables"]
|
||||
policies= ["dendrite"]
|
||||
|
||||
}
|
||||
task "dendrite" {
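Review bot: The job now requests `policies= ["dendrite"]`, but the Terraform `nomad_policy` list in this same commit spells the entry `"dentrite"`, so the policy Vault actually creates (and the name in `allowed_policies`) does not match what this job asks for; Nomad will fail to obtain a token for the task. Fix the spelling on the Terraform side so that the policy, its `secrets/data/database/dendrite` rule and this job all agree. The `matrix` job stanza continues outside this hunk.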
|
||||
@ -63,8 +63,8 @@ global:
|
||||
|
||||
database:
|
||||
|
||||
{{ with secret "secrets/data/dendrite"}}
|
||||
connection_string: postgresql://dendrite:{{.Data.data.databasePass}}@db1.ducamps.win/dendrite?sslmode=disable
|
||||
{{ with secret "secrets/data/database/dendrite"}}
|
||||
connection_string: postgresql://dendrite:{{.Data.data.password}}@db1.ducamps.win/dendrite?sslmode=disable
|
||||
{{end}}
|
||||
|
||||
max_open_conns: 100
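Review bot: The rewritten connection string still carries `sslmode=disable`, so the password just fetched from Vault and all Matrix data cross the network to `db1.ducamps.win` in cleartext; segmenting the secret gains little if the wire is unprotected. If the PostgreSQL host presents a certificate, use `connection_string: postgresql://dendrite:{{.Data.data.password}}@db1.ducamps.win/dendrite?sslmode=verify-full` (or at least `require`); if it does not, add a comment saying the link is trusted so the choice is explicit. The `database:` block continues outside this hunk.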
|
||||
|
@ -17,7 +17,7 @@ job "wikijs" {
|
||||
}
|
||||
}
|
||||
vault{
|
||||
policies= ["access-tables"]
|
||||
policies= ["wikijs"]
|
||||
|
||||
}
|
||||
task "wikijs" {
|
||||
@ -54,12 +54,12 @@ job "wikijs" {
|
||||
|
||||
template {
|
||||
data= <<EOH
|
||||
{{ with secret "secrets/data/wikijs"}}
|
||||
{{ with secret "secrets/data/database/wikijs"}}
|
||||
DB_TYPE="postgres"
|
||||
DB_HOST="db1.ducamps.win"
|
||||
DB_PORT="5432"
|
||||
DB_USER="wikijs"
|
||||
DB_PASS="{{.Data.data.DB_PASS}}"
|
||||
DB_PASS="{{.Data.data.password}}"
|
||||
DB_NAME="wikijs"
|
||||
{{end}}
|
||||
EOH
|
||||
|
@ -2,7 +2,7 @@ job "drone" {
|
||||
datacenters = ["homelab"]
|
||||
type = "service"
|
||||
vault {
|
||||
policies = ["access-tables"]
|
||||
policies = ["droneci"]
|
||||
}
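Review bot: The job asks for `policies = ["droneci"]`, whereas the Terraform list and the `vault_policy` resource name in this commit use `"droneCI"`. Vault normalises policy names to lower case, so this probably still resolves, but relying on that is fragile and makes the two sides hard to grep for; use one spelling in both places. Note that the secret path `secrets/data/nomad/droneCI` built from the list key is case-sensitive, so if you lower-case the Terraform key the secrets must be moved too.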
|
||||
|
||||
|
||||
@ -50,18 +50,21 @@ job "drone" {
|
||||
}
|
||||
template {
|
||||
data = <<EOH
|
||||
{{ with secret "secrets/data/droneCI"}}
|
||||
{{ with secret "secrets/data/nomad/droneCI"}}
|
||||
DRONE_GITEA_SERVER="https://git.ducamps.win"
|
||||
DRONE_GITEA_CLIENT_ID="{{ .Data.data.DRONE_GITEA_CLIENT_ID }}"
|
||||
DRONE_GITEA_CLIENT_SECRET="{{ .Data.data.DRONE_GITEA_CLIENT_SECRET }}"
|
||||
DRONE_GITEA_ALWAYS_AUTH="True"
|
||||
DRONE_USER_CREATE="username:vincent,admin:true"
|
||||
DRONE_DATABASE_DRIVER="postgres"
|
||||
DRONE_DATABASE_DATASOURCE="postgres://drone:{{ .Data.data.DRONE_DB_PASSWORD }}@db1.ducamps.win:5432/drone?sslmode=disable"
|
||||
DRONE_RPC_SECRET="{{ .Data.data.DRONE_RPC_SECRET }}"
|
||||
DRONE_SERVER_HOST="drone.ducamps.win"
|
||||
DRONE_SERVER_PROTO="https"
|
||||
{{end}}
|
||||
|
||||
{{ with secret "secrets/data/database/droneCI"}}
|
||||
DRONE_DATABASE_DATASOURCE="postgres://drone:{{ .Data.data.password }}@db1.ducamps.win:5432/drone?sslmode=disable"
|
||||
{{end}}
|
||||
EOH
|
||||
destination = "local/drone.env"
|
||||
env = true
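Review bot: This template renders the Gitea client secret, the RPC secret and the database password, yet its `destination = "local/drone.env"` puts them in the task's `local/` directory, which Nomad exposes through `nomad alloc fs` and the UI; the gitea, paperless and vaultwarden hunks in this commit write to `secrets/…`, which Nomad keeps out of the alloc filesystem API. Change it to `destination = "secrets/drone.env"`. The rewritten `DRONE_DATABASE_DATASOURCE` also keeps `sslmode=disable`, so the freshly segmented password still travels in cleartext to `db1.ducamps.win`; prefer `sslmode=require` or `verify-full` if the server offers TLS. The `drone` job stanza continues outside this hunk.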
|
||||
@ -84,7 +87,7 @@ job "drone" {
|
||||
}
|
||||
template {
|
||||
data = <<EOH
|
||||
{{ with secret "secrets/data/droneCI"}}
|
||||
{{ with secret "secrets/data/nomad/droneCI"}}
|
||||
DRONE_RPC_HOST="drone.ducamps.win"
|
||||
DRONE_RPC_PROTO="https"
|
||||
DRONE_RPC_SECRET= "{{ .Data.data.DRONE_RPC_SECRET}}"
|
||||
@ -117,7 +120,7 @@ job "drone" {
|
||||
}
|
||||
template {
|
||||
data = <<EOH
|
||||
{{ with secret "secrets/data/droneCI"}}
|
||||
{{ with secret "secrets/data/nomad/droneCI"}}
|
||||
DRONE_RPC_HOST="drone.ducamps.win"
|
||||
DRONE_RPC_PROTO="https"
|
||||
DRONE_RPC_SECRET= "{{ .Data.data.DRONE_RPC_SECRET}}"
|
||||
|
@ -13,7 +13,7 @@ job "git" {
|
||||
}
|
||||
}
|
||||
vault {
|
||||
policies = ["access-tables"]
|
||||
policies = ["gitea"]
|
||||
}
|
||||
task "gitea" {
|
||||
driver = "docker"
|
||||
@ -77,12 +77,15 @@ job "git" {
|
||||
}
|
||||
template {
|
||||
data = <<EOH
|
||||
{{ with secret "secrets/data/gitea"}}
|
||||
GITEA__database__PASSWD = "{{.Data.data.PASSWD}}"
|
||||
{{ with secret "secrets/data/nomad/gitea"}}
|
||||
GITEA__security__SECRET_KEY = "{{.Data.data.secret_key}}"
|
||||
GITEA__oauth2__JWT_SECRET = "{{.Data.data.jwt_secret}}"
|
||||
GITEA__security__INTERNAL_TOKEN = "{{.Data.data.internal_token}}"
|
||||
{{end}}
|
||||
|
||||
{{ with secret "secrets/data/database/gitea"}}
|
||||
GITEA__database__PASSWD = "{{.Data.data.password}}"
|
||||
{{end}}
|
||||
EOH
|
||||
destination = "secrets/gitea.env"
|
||||
env = true
|
||||
|
@ -22,10 +22,6 @@ job "homeassistant" {
|
||||
static = 5683
|
||||
}
|
||||
}
|
||||
vault {
|
||||
policies = ["access-tables"]
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
@ -23,7 +23,7 @@ job "paperless-ng" {
|
||||
}
|
||||
}
|
||||
vault {
|
||||
policies = ["access-tables"]
|
||||
policies = ["paperless"]
|
||||
|
||||
}
|
||||
task "redis" {
|
||||
@ -85,7 +85,7 @@ job "paperless-ng" {
|
||||
|
||||
template {
|
||||
data = <<EOH
|
||||
PAPERLESS_DBPASS= {{ with secret "secrets/data/paperless"}}{{.Data.data.DB_PASSWORD }}{{end}}
|
||||
PAPERLESS_DBPASS= {{ with secret "secrets/data/database/paperless"}}{{.Data.data.password }}{{end}}
|
||||
EOH
|
||||
destination = "secrets/paperless.env"
|
||||
env = true
|
||||
|
@ -50,7 +50,7 @@ job "pihole" {
|
||||
|
||||
}
|
||||
vault {
|
||||
policies = ["access-tables"]
|
||||
policies = ["pihole"]
|
||||
|
||||
}
|
||||
env {
|
||||
@ -61,7 +61,7 @@ job "pihole" {
|
||||
}
|
||||
template {
|
||||
data = <<EOH
|
||||
WEBPASSWORD="{{with secret "secrets/data/pihole"}}{{.Data.data.WEBPASSWORD}}{{end}}"
|
||||
WEBPASSWORD="{{with secret "secrets/data/nomad/pihole"}}{{.Data.data.WEBPASSWORD}}{{end}}"
|
||||
EOH
|
||||
destination = "local/file.env"
|
||||
change_mode = "noop"
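Review bot: The Pi-hole admin password is written to `destination = "local/file.env"`, which is browsable via the Nomad alloc filesystem API and UI; the other password-bearing templates in this commit use `secrets/`, which Nomad does not expose that way. Change it to `destination = "secrets/pihole.env"`. With `change_mode = "noop"` a rotated `WEBPASSWORD` in Vault is also never picked up until the task restarts for some other reason, which is worth a comment if that is intended. The `template` stanza continues outside this hunk.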
|
||||
|
@ -18,7 +18,7 @@ job "prometheus" {
|
||||
mode = "fail"
|
||||
}
|
||||
vault {
|
||||
policies = ["access-tables"]
|
||||
policies = ["prometheus"]
|
||||
}
|
||||
|
||||
ephemeral_disk {
|
||||
@ -91,7 +91,7 @@ scrape_configs:
|
||||
scrape_interval: 60s
|
||||
metrics_path: /api/prometheus
|
||||
authorization:
|
||||
credentials: {{ with secret "secrets/data/prometheus"}}'{{ .Data.data.hass_token }}'{{end}}
|
||||
credentials: {{ with secret "secrets/data/nomad/prometheus"}}'{{ .Data.data.hass_token }}'{{end}}
|
||||
|
||||
|
||||
|
||||
|
@ -12,10 +12,6 @@ job "radicale" {
|
||||
to = 5232
|
||||
}
|
||||
}
|
||||
vault {
|
||||
policies = ["access-tables"]
|
||||
|
||||
}
|
||||
task "radicale" {
|
||||
driver = "docker"
|
||||
service {
|
||||
|
@ -20,7 +20,7 @@ job "seedboxsync" {
|
||||
mode = "host"
|
||||
}
|
||||
vault {
|
||||
policies = ["access-tables"]
|
||||
policies = ["seedbox"]
|
||||
}
|
||||
task "server" {
|
||||
driver = "docker"
|
||||
@ -45,7 +45,7 @@ job "seedboxsync" {
|
||||
}
|
||||
template {
|
||||
data = <<EOH
|
||||
{{ with secret "secrets/data/seedbox"}}
|
||||
{{ with secret "secrets/data/nomad/seedbox"}}
|
||||
USERNAME = "{{ .Data.data.username }}"
|
||||
PASSWORD = "{{ .Data.data.password }}"
|
||||
REMOTE_PATH = "{{ .Data.data.remote_path }}"
|
||||
|
@ -21,7 +21,7 @@ job "supysonic" {
|
||||
}
|
||||
}
|
||||
vault {
|
||||
policies = ["access-tables"]
|
||||
policies = ["supysonic"]
|
||||
|
||||
}
|
||||
service {
|
||||
@ -107,8 +107,8 @@ http {
|
||||
|
||||
template {
|
||||
data = <<EOH
|
||||
{{ with secret "secrets/data/supysonic"}}
|
||||
SUPYSONIC_DB_URI = "postgres://supysonic:{{ .Data.data.db_password}}@db1.ducamps.win/supysonic"
|
||||
{{ with secret "secrets/data/database/supysonic"}}
|
||||
SUPYSONIC_DB_URI = "postgres://supysonic:{{ .Data.data.password}}@db1.ducamps.win/supysonic"
|
||||
{{end}}
|
||||
EOH
|
||||
destination = "secrets/supysonic.env"
|
||||
|
@ -19,10 +19,6 @@ job "syncthing" {
|
||||
static = 21027
|
||||
}
|
||||
}
|
||||
vault {
|
||||
policies = ["access-tables"]
|
||||
|
||||
}
|
||||
task "syncthing" {
|
||||
driver = "docker"
|
||||
service {
|
||||
|
@ -26,7 +26,7 @@ job "traefik-ingress" {
|
||||
}
|
||||
}
|
||||
vault {
|
||||
policies = ["access-tables"]
|
||||
policies = ["gandi"]
|
||||
}
|
||||
task "traefik" {
|
||||
driver = "docker"
|
||||
@ -73,7 +73,7 @@ job "traefik-ingress" {
|
||||
}
|
||||
template {
|
||||
data = <<EOH
|
||||
GANDIV5_API_KEY = "{{with secret "secrets/data/gandi"}}{{.Data.data.API_KEY}}{{end}}"
|
||||
GANDIV5_API_KEY = "{{with secret "secrets/data/nomad/gandi"}}{{.Data.data.API_KEY}}{{end}}"
|
||||
EOH
|
||||
destination = "secrets/gandi.env"
|
||||
env = true
|
||||
|
@ -19,7 +19,7 @@ job "traefik-local" {
|
||||
}
|
||||
}
|
||||
vault {
|
||||
policies = ["access-tables"]
|
||||
policies = ["gandi"]
|
||||
}
|
||||
|
||||
task "traefik" {
|
||||
@ -67,7 +67,7 @@ job "traefik-local" {
|
||||
}
|
||||
template {
|
||||
data = <<EOH
|
||||
GANDIV5_API_KEY = "{{with secret "secrets/data/gandi"}}{{.Data.data.API_KEY}}{{end}}"
|
||||
GANDIV5_API_KEY = "{{with secret "secrets/data/nomad/gandi"}}{{.Data.data.API_KEY}}{{end}}"
|
||||
EOH
|
||||
destination = "secrets/gandi.env"
|
||||
env = true
|
||||
|
@ -24,7 +24,7 @@ job "tt-rss" {
|
||||
}
|
||||
}
|
||||
vault {
|
||||
policies = ["access-tables"]
|
||||
policies = ["ttrss"]
|
||||
}
|
||||
service {
|
||||
name = "tt-rss"
|
||||
@ -65,8 +65,8 @@ job "tt-rss" {
|
||||
}
|
||||
template {
|
||||
data = <<EOH
|
||||
{{ with secret "secrets/data/ttrss"}}
|
||||
TTRSS_DB_PASS = "{{ .Data.data.DB_PASS }}"
|
||||
{{ with secret "secrets/data/database/ttrss"}}
|
||||
TTRSS_DB_PASS = "{{ .Data.data.password }}"
|
||||
{{end}}
|
||||
EOH
|
||||
destination = "secrets/tt-rss.env"
|
||||
@ -97,8 +97,8 @@ job "tt-rss" {
|
||||
}
|
||||
template {
|
||||
data = <<EOH
|
||||
{{ with secret "secrets/data/ttrss"}}
|
||||
TTRSS_DB_PASS = "{{ .Data.data.DB_PASS }}"
|
||||
{{ with secret "secrets/data/database/ttrss"}}
|
||||
TTRSS_DB_PASS = "{{ .Data.data.password }}"
|
||||
{{end}}
|
||||
EOH
|
||||
destination = "secrets/tt-rss.env"
|
||||
|
@ -14,7 +14,7 @@ job "vaultwarden" {
|
||||
}
|
||||
}
|
||||
vault {
|
||||
policies = ["access-tables"]
|
||||
policies = ["vaultwarden"]
|
||||
|
||||
}
|
||||
task "vaultwarden" {
|
||||
@ -64,8 +64,8 @@ job "vaultwarden" {
|
||||
|
||||
template {
|
||||
data = <<EOH
|
||||
{{ with secret "secrets/data/vaultwarden"}}
|
||||
DATABASE_URL=postgresql://vaultwarden:{{ .Data.data.DB_PASSWORD }}@db1.ducamps.win/vaultwarden
|
||||
{{ with secret "secrets/data/database/vaultwarden"}}
|
||||
DATABASE_URL=postgresql://vaultwarden:{{ .Data.data.password }}@db1.ducamps.win/vaultwarden
|
||||
{{end}}
|
||||
EOH
|
||||
destination = "secrets/vaultwarden.env"
|
||||
|
@ -8,8 +8,26 @@ provider vault {
|
||||
}
|
||||
|
||||
locals {
|
||||
allowed_policies= [
|
||||
"access-tables"
|
||||
allowed_policies= concat(local.nomad_policy, [
|
||||
])
|
||||
|
||||
nomad_policy=[
|
||||
"crowdsec",
|
||||
"dump",
|
||||
"dentrite",
|
||||
"droneCI",
|
||||
"gandi",
|
||||
"gitea",
|
||||
"nextcloud",
|
||||
"paperless",
|
||||
"pihole",
|
||||
"prometheus",
|
||||
"rsyncd",
|
||||
"seedbox",
|
||||
"supysonic",
|
||||
"ttrss",
|
||||
"vaultwarden",
|
||||
"wikijs",
|
||||
]
|
||||
|
||||
}
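Review bot: `"dentrite"` in `nomad_policy` is a typo: the matrix job in this commit requests `"dendrite"` and reads `secrets/data/database/dendrite`, so the generated policy name, its path rules and the `allowed_policies` entry all miss the job. Change it to `"dendrite",`. Since `concat(local.nomad_policy, [ ])` adds nothing, `allowed_policies = local.nomad_policy` says the same thing more plainly, unless you intend to keep the slot for non-job policies, in which case a one-line comment there would help.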
|
||||
@ -22,6 +40,24 @@ resource "vault_token_auth_backend_role" "nomad-cluster" {
|
||||
allowed_policies = local.allowed_policies
|
||||
}
|
||||
|
||||
data "vault_policy_document" "nomad_jobs" {
|
||||
for_each = toset(local.nomad_policy)
|
||||
|
||||
rule {
|
||||
path = "secrets/data/nomad/${each.key}"
|
||||
capabilities = ["read"]
|
||||
}
|
||||
rule {
|
||||
path = "secrets/data/database/${each.key}"
|
||||
capabilities = ["read"]
|
||||
}
|
||||
}
|
||||
resource "vault_policy" "nomad_jobs" {
|
||||
for_each = toset(local.nomad_policy)
|
||||
|
||||
name = each.key
|
||||
policy = data.vault_policy_document.nomad_jobs[each.key].hcl
|
||||
}
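Review bot: Every generated policy grants both `secrets/data/nomad/<key>` and `secrets/data/database/<key>`, although for most keys only one of the two secrets exists in this commit (for example `gandi`, `pihole`, `prometheus` and `seedbox` are read only under `nomad/`, while `ttrss`, `vaultwarden` and `supysonic` only under `database/`). The extra rule is harmless while the path is empty but becomes a silent grant the moment someone stores a secret there. Consider driving the `for_each` from a map of key → list of allowed subtrees, or add `# NOTE: each job gets both paths even if only one is populated` so the over-grant is deliberate.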
|
||||
|
||||
|
||||
resource "vault_mount" "kvv2-secret" {
|
||||
|
@ -66,6 +66,11 @@ data "vault_policy_document" "ansible" {
|
||||
path = "secrets/data/ansible"
|
||||
capabilities = ["read", "list"]
|
||||
}
|
||||
rule {
|
||||
path = "secrets/data/database"
|
||||
capabilities = ["read", "list"]
|
||||
}
|
||||
|
||||
}
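Review bot: The added rule's `path = "secrets/data/database"` matches only that exact path, but the Ansible lookups in this commit read `secrets/data/database/wikijs`, `secrets/data/database/dump` and so on, which need a wildcard; likewise on a KV v2 mount `list` is served from the `metadata/` prefix, not `data/`. Unless a broader rule outside this hunk already covers the subtree, use `path = "secrets/data/database/*"` with `capabilities = ["read"]` and a second rule `path = "secrets/metadata/database/*"` with `capabilities = ["list"]`. The same caveat applies to the pre-existing `secrets/data/ansible` rule above it. The `vault_policy_document "ansible"` block starts before this hunk.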
|
||||
resource "vault_policy" "ansible" {
|
||||
name = "ansible"
|
||||
|