vault policy segmentation

This commit is contained in:
vincent 2022-10-30 09:33:39 +01:00
parent a3abcb41a3
commit bb1bb51b4a
22 changed files with 103 additions and 68 deletions


@ -4,27 +4,27 @@ postgresql_users:
role_attr_flags: SUPERUSER role_attr_flags: SUPERUSER
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:root')}}" password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:root')}}"
- name: wikijs - name: wikijs
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:wikijs')}}" password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/wikijs:password')}}"
- name: ttrss - name: ttrss
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:ttrss')}}" password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/ttrss:password')}}"
- name: gitea - name: gitea
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:gitea')}}" password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/gitea:password')}}"
- name: supysonic - name: supysonic
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:supysonic')}}" password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/supysonic:password')}}"
- name: hass - name: hass
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:hass')}}" password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/homeassistant:password')}}"
- name: nextcloud - name: nextcloud
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:nextcloud')}}" password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/nextcloud:password')}}"
- name: vaultwarden - name: vaultwarden
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:vaultwarden')}}" password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/vaultwarden:password')}}"
- name: drone - name: drone
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:drone')}}" password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/droneCI:password')}}"
- name: dendrite - name: dendrite
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:dendrite')}}" password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/dendrite:password')}}"
- name: paperless - name: paperless
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:paperless')}}" password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/paperless:password')}}"
- name: dump - name: dump
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:dump')}}" password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/dump:passwod')}}"
postgresql_databases: postgresql_databases:
- name: wikijs - name: wikijs
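Review bot: The new lookup for the `dump` user reads key `passwod` from `secrets/data/database/dump`, which looks like a typo for `password` — every other entry in the hunk uses `password`. Unless the secret really carries a key spelled that way, the hashi_vault lookup will fail or return no value and the `dump` role ends up with a wrong or empty password. Change the line to `password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/dump:password')}}"`. The `postgresql_users` list starts before the hunk, so the `root` entry above is only partly visible.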


@ -20,7 +20,7 @@ job "backup-postgress" {
mode = "host" mode = "host"
} }
vault { vault {
policies = ["access-tables"] policies = ["dump"]
} }
task "backup" { task "backup" {
driver = "docker" driver = "docker"
@ -45,7 +45,7 @@ job "backup-postgress" {
env = true env = true
} }
resources { resources {
memory = 25 memory = 50
} }
} }


@ -6,7 +6,7 @@ job "crowdsec-agent" {
forcedeploy = "2" forcedeploy = "2"
} }
vault { vault {
policies = ["access-tables"] policies = ["crowdsec"]
} }
@ -69,7 +69,7 @@ EOH
data = <<EOH data = <<EOH
LOCAL_API_URL = {{- range service "crowdsec-api" }} "http://{{ .Address }}:{{ .Port }}"{{- end }} LOCAL_API_URL = {{- range service "crowdsec-api" }} "http://{{ .Address }}:{{ .Port }}"{{- end }}
AGENT_USERNAME = "{{ env "node.unique.name" }}" AGENT_USERNAME = "{{ env "node.unique.name" }}"
{{with secret "secrets/data/crowdsec"}} {{with secret "secrets/data/nomad/crowdsec"}}
AGENT_PASSWORD = "{{.Data.data.AGENT_PASSWORD}}" AGENT_PASSWORD = "{{.Data.data.AGENT_PASSWORD}}"
{{end}} {{end}}
EOH EOH


@ -5,7 +5,7 @@ job "crowdsec-api" {
forcedeploy = "-1" forcedeploy = "-1"
} }
vault { vault {
policies = ["access-tables"] policies = ["crowdsec"]
} }
group "crowdsec-api" { group "crowdsec-api" {
network { network {
@ -45,7 +45,7 @@ job "crowdsec-api" {
template { template {
data = <<EOH data = <<EOH
DISABLE_AGENT = "true" DISABLE_AGENT = "true"
{{with secret "secrets/data/crowdsec"}} {{with secret "secrets/data/nomad/crowdsec"}}
AGENT_USERNAME = "{{.Data.data.AGENT_USERNAME}}" AGENT_USERNAME = "{{.Data.data.AGENT_USERNAME}}"
AGENT_PASSWORD = "{{.Data.data.AGENT_PASSWORD}}" AGENT_PASSWORD = "{{.Data.data.AGENT_PASSWORD}}"
{{end}} {{end}}


@ -17,7 +17,7 @@ job "matrix" {
} }
} }
vault{ vault{
policies= ["access-tables"] policies= ["dendrite"]
} }
task "dendrite" { task "dendrite" {
@ -63,8 +63,8 @@ global:
database: database:
{{ with secret "secrets/data/dendrite"}} {{ with secret "secrets/data/database/dendrite"}}
connection_string: postgresql://dendrite:{{.Data.data.databasePass}}@db1.ducamps.win/dendrite?sslmode=disable connection_string: postgresql://dendrite:{{.Data.data.password}}@db1.ducamps.win/dendrite?sslmode=disable
{{end}} {{end}}
max_open_conns: 100 max_open_conns: 100
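Review bot: The job now requests Vault policy `dendrite`, but the Terraform change in this same commit creates the policy under the name `dentrite`, so no `dendrite` policy will exist and the token role's `allowed_policies` will not contain it; the allocation should fail at token derivation before the template is even rendered. Fix the spelling on the Terraform side (`"dendrite",`) so the policy name, the template path `secrets/data/database/dendrite` and the generated rule line up. The `connection_string` also keeps `sslmode=disable`, which this commit does not touch; worth a follow-up now that credentials are being segmented. The `database:` block continues beyond the hunk.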


@ -17,7 +17,7 @@ job "wikijs" {
} }
} }
vault{ vault{
policies= ["access-tables"] policies= ["wikijs"]
} }
task "wikijs" { task "wikijs" {
@ -54,12 +54,12 @@ job "wikijs" {
template { template {
data= <<EOH data= <<EOH
{{ with secret "secrets/data/wikijs"}} {{ with secret "secrets/data/database/wikijs"}}
DB_TYPE="postgres" DB_TYPE="postgres"
DB_HOST="db1.ducamps.win" DB_HOST="db1.ducamps.win"
DB_PORT="5432" DB_PORT="5432"
DB_USER="wikijs" DB_USER="wikijs"
DB_PASS="{{.Data.data.DB_PASS}}" DB_PASS="{{.Data.data.password}}"
DB_NAME="wikijs" DB_NAME="wikijs"
{{end}} {{end}}
EOH EOH


@ -2,7 +2,7 @@ job "drone" {
datacenters = ["homelab"] datacenters = ["homelab"]
type = "service" type = "service"
vault { vault {
policies = ["access-tables"] policies = ["droneci"]
} }
@ -50,18 +50,21 @@ job "drone" {
} }
template { template {
data = <<EOH data = <<EOH
{{ with secret "secrets/data/droneCI"}} {{ with secret "secrets/data/nomad/droneCI"}}
DRONE_GITEA_SERVER="https://git.ducamps.win" DRONE_GITEA_SERVER="https://git.ducamps.win"
DRONE_GITEA_CLIENT_ID="{{ .Data.data.DRONE_GITEA_CLIENT_ID }}" DRONE_GITEA_CLIENT_ID="{{ .Data.data.DRONE_GITEA_CLIENT_ID }}"
DRONE_GITEA_CLIENT_SECRET="{{ .Data.data.DRONE_GITEA_CLIENT_SECRET }}" DRONE_GITEA_CLIENT_SECRET="{{ .Data.data.DRONE_GITEA_CLIENT_SECRET }}"
DRONE_GITEA_ALWAYS_AUTH="True" DRONE_GITEA_ALWAYS_AUTH="True"
DRONE_USER_CREATE="username:vincent,admin:true" DRONE_USER_CREATE="username:vincent,admin:true"
DRONE_DATABASE_DRIVER="postgres" DRONE_DATABASE_DRIVER="postgres"
DRONE_DATABASE_DATASOURCE="postgres://drone:{{ .Data.data.DRONE_DB_PASSWORD }}@db1.ducamps.win:5432/drone?sslmode=disable"
DRONE_RPC_SECRET="{{ .Data.data.DRONE_RPC_SECRET }}" DRONE_RPC_SECRET="{{ .Data.data.DRONE_RPC_SECRET }}"
DRONE_SERVER_HOST="drone.ducamps.win" DRONE_SERVER_HOST="drone.ducamps.win"
DRONE_SERVER_PROTO="https" DRONE_SERVER_PROTO="https"
{{end}} {{end}}
{{ with secret "secrets/data/database/droneCI"}}
DRONE_DATABASE_DATASOURCE="postgres://drone:{{ .Data.data.password }}@db1.ducamps.win:5432/drone?sslmode=disable"
{{end}}
EOH EOH
destination = "local/drone.env" destination = "local/drone.env"
env = true env = true
@ -84,7 +87,7 @@ job "drone" {
} }
template { template {
data = <<EOH data = <<EOH
{{ with secret "secrets/data/droneCI"}} {{ with secret "secrets/data/nomad/droneCI"}}
DRONE_RPC_HOST="drone.ducamps.win" DRONE_RPC_HOST="drone.ducamps.win"
DRONE_RPC_PROTO="https" DRONE_RPC_PROTO="https"
DRONE_RPC_SECRET= "{{ .Data.data.DRONE_RPC_SECRET}}" DRONE_RPC_SECRET= "{{ .Data.data.DRONE_RPC_SECRET}}"
@ -117,7 +120,7 @@ job "drone" {
} }
template { template {
data = <<EOH data = <<EOH
{{ with secret "secrets/data/droneCI"}} {{ with secret "secrets/data/nomad/droneCI"}}
DRONE_RPC_HOST="drone.ducamps.win" DRONE_RPC_HOST="drone.ducamps.win"
DRONE_RPC_PROTO="https" DRONE_RPC_PROTO="https"
DRONE_RPC_SECRET= "{{ .Data.data.DRONE_RPC_SECRET}}" DRONE_RPC_SECRET= "{{ .Data.data.DRONE_RPC_SECRET}}"
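Review bot: The job requests policy `droneci` while the Terraform list in this commit defines it as `droneCI`, and the secret path is `secrets/data/nomad/droneCI`. As far as I recall Vault lowercases policy names, so the token role will probably still accept the request, but Terraform will then read the resource back as `droneci` and report drift on every plan; using the lowercase spelling on both sides (`"droneci",` in `nomad_policy`) removes the ambiguity. Separately, the runner tasks in the later hunks only need `DRONE_RPC_SECRET`, yet the job-level `vault` block gives them the same policy that exposes the Gitea OAuth client secret and the database password; a per-task-group `vault` block would carry the segmentation this commit is after down to the task level. The `drone` job body extends past the hunk.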


@ -13,7 +13,7 @@ job "git" {
} }
} }
vault { vault {
policies = ["access-tables"] policies = ["gitea"]
} }
task "gitea" { task "gitea" {
driver = "docker" driver = "docker"
@ -77,12 +77,15 @@ job "git" {
} }
template { template {
data = <<EOH data = <<EOH
{{ with secret "secrets/data/gitea"}} {{ with secret "secrets/data/nomad/gitea"}}
GITEA__database__PASSWD = "{{.Data.data.PASSWD}}"
GITEA__security__SECRET_KEY = "{{.Data.data.secret_key}}" GITEA__security__SECRET_KEY = "{{.Data.data.secret_key}}"
GITEA__oauth2__JWT_SECRET = "{{.Data.data.jwt_secret}}" GITEA__oauth2__JWT_SECRET = "{{.Data.data.jwt_secret}}"
GITEA__security__INTERNAL_TOKEN = "{{.Data.data.internal_token}}" GITEA__security__INTERNAL_TOKEN = "{{.Data.data.internal_token}}"
{{end}} {{end}}
{{ with secret "secrets/data/database/gitea"}}
GITEA__database__PASSWD = "{{.Data.data.password}}"
{{end}}
EOH EOH
destination = "secrets/gitea.env" destination = "secrets/gitea.env"
env = true env = true


@ -22,10 +22,6 @@ job "homeassistant" {
static = 5683 static = 5683
} }
} }
vault {
policies = ["access-tables"]
}


@ -23,7 +23,7 @@ job "paperless-ng" {
} }
} }
vault { vault {
policies = ["access-tables"] policies = ["paperless"]
} }
task "redis" { task "redis" {
@ -85,7 +85,7 @@ job "paperless-ng" {
template { template {
data = <<EOH data = <<EOH
PAPERLESS_DBPASS= {{ with secret "secrets/data/paperless"}}{{.Data.data.DB_PASSWORD }}{{end}} PAPERLESS_DBPASS= {{ with secret "secrets/data/database/paperless"}}{{.Data.data.password }}{{end}}
EOH EOH
destination = "secrets/paperless.env" destination = "secrets/paperless.env"
env = true env = true


@ -50,7 +50,7 @@ job "pihole" {
} }
vault { vault {
policies = ["access-tables"] policies = ["pihole"]
} }
env { env {
@ -61,7 +61,7 @@ job "pihole" {
} }
template { template {
data = <<EOH data = <<EOH
WEBPASSWORD="{{with secret "secrets/data/pihole"}}{{.Data.data.WEBPASSWORD}}{{end}}" WEBPASSWORD="{{with secret "secrets/data/nomad/pihole"}}{{.Data.data.WEBPASSWORD}}{{end}}"
EOH EOH
destination = "local/file.env" destination = "local/file.env"
change_mode = "noop" change_mode = "noop"


@ -18,7 +18,7 @@ job "prometheus" {
mode = "fail" mode = "fail"
} }
vault { vault {
policies = ["access-tables"] policies = ["prometheus"]
} }
ephemeral_disk { ephemeral_disk {
@ -91,7 +91,7 @@ scrape_configs:
scrape_interval: 60s scrape_interval: 60s
metrics_path: /api/prometheus metrics_path: /api/prometheus
authorization: authorization:
credentials: {{ with secret "secrets/data/prometheus"}}'{{ .Data.data.hass_token }}'{{end}} credentials: {{ with secret "secrets/data/nomad/prometheus"}}'{{ .Data.data.hass_token }}'{{end}}


@ -12,10 +12,6 @@ job "radicale" {
to = 5232 to = 5232
} }
} }
vault {
policies = ["access-tables"]
}
task "radicale" { task "radicale" {
driver = "docker" driver = "docker"
service { service {


@ -20,7 +20,7 @@ job "seedboxsync" {
mode = "host" mode = "host"
} }
vault { vault {
policies = ["access-tables"] policies = ["seedbox"]
} }
task "server" { task "server" {
driver = "docker" driver = "docker"
@ -45,7 +45,7 @@ job "seedboxsync" {
} }
template { template {
data = <<EOH data = <<EOH
{{ with secret "secrets/data/seedbox"}} {{ with secret "secrets/data/nomad/seedbox"}}
USERNAME = "{{ .Data.data.username }}" USERNAME = "{{ .Data.data.username }}"
PASSWORD = "{{ .Data.data.password }}" PASSWORD = "{{ .Data.data.password }}"
REMOTE_PATH = "{{ .Data.data.remote_path }}" REMOTE_PATH = "{{ .Data.data.remote_path }}"


@ -21,7 +21,7 @@ job "supysonic" {
} }
} }
vault { vault {
policies = ["access-tables"] policies = ["supysonic"]
} }
service { service {
@ -107,8 +107,8 @@ http {
template { template {
data = <<EOH data = <<EOH
{{ with secret "secrets/data/supysonic"}} {{ with secret "secrets/data/database/supysonic"}}
SUPYSONIC_DB_URI = "postgres://supysonic:{{ .Data.data.db_password}}@db1.ducamps.win/supysonic" SUPYSONIC_DB_URI = "postgres://supysonic:{{ .Data.data.password}}@db1.ducamps.win/supysonic"
{{end}} {{end}}
EOH EOH
destination = "secrets/supysonic.env" destination = "secrets/supysonic.env"


@ -19,10 +19,6 @@ job "syncthing" {
static = 21027 static = 21027
} }
} }
vault {
policies = ["access-tables"]
}
task "syncthing" { task "syncthing" {
driver = "docker" driver = "docker"
service { service {


@ -26,7 +26,7 @@ job "traefik-ingress" {
} }
} }
vault { vault {
policies = ["access-tables"] policies = ["gandi"]
} }
task "traefik" { task "traefik" {
driver = "docker" driver = "docker"
@ -73,7 +73,7 @@ job "traefik-ingress" {
} }
template { template {
data = <<EOH data = <<EOH
GANDIV5_API_KEY = "{{with secret "secrets/data/gandi"}}{{.Data.data.API_KEY}}{{end}}" GANDIV5_API_KEY = "{{with secret "secrets/data/nomad/gandi"}}{{.Data.data.API_KEY}}{{end}}"
EOH EOH
destination = "secrets/gandi.env" destination = "secrets/gandi.env"
env = true env = true


@ -19,7 +19,7 @@ job "traefik-local" {
} }
} }
vault { vault {
policies = ["access-tables"] policies = ["gandi"]
} }
task "traefik" { task "traefik" {
@ -67,7 +67,7 @@ job "traefik-local" {
} }
template { template {
data = <<EOH data = <<EOH
GANDIV5_API_KEY = "{{with secret "secrets/data/gandi"}}{{.Data.data.API_KEY}}{{end}}" GANDIV5_API_KEY = "{{with secret "secrets/data/nomad/gandi"}}{{.Data.data.API_KEY}}{{end}}"
EOH EOH
destination = "secrets/gandi.env" destination = "secrets/gandi.env"
env = true env = true


@ -24,7 +24,7 @@ job "tt-rss" {
} }
} }
vault { vault {
policies = ["access-tables"] policies = ["ttrss"]
} }
service { service {
name = "tt-rss" name = "tt-rss"
@ -65,8 +65,8 @@ job "tt-rss" {
} }
template { template {
data = <<EOH data = <<EOH
{{ with secret "secrets/data/ttrss"}} {{ with secret "secrets/data/database/ttrss"}}
TTRSS_DB_PASS = "{{ .Data.data.DB_PASS }}" TTRSS_DB_PASS = "{{ .Data.data.password }}"
{{end}} {{end}}
EOH EOH
destination = "secrets/tt-rss.env" destination = "secrets/tt-rss.env"
@ -97,8 +97,8 @@ job "tt-rss" {
} }
template { template {
data = <<EOH data = <<EOH
{{ with secret "secrets/data/ttrss"}} {{ with secret "secrets/data/database/ttrss"}}
TTRSS_DB_PASS = "{{ .Data.data.DB_PASS }}" TTRSS_DB_PASS = "{{ .Data.data.password }}"
{{end}} {{end}}
EOH EOH
destination = "secrets/tt-rss.env" destination = "secrets/tt-rss.env"


@ -14,7 +14,7 @@ job "vaultwarden" {
} }
} }
vault { vault {
policies = ["access-tables"] policies = ["vaultwarden"]
} }
task "vaultwarden" { task "vaultwarden" {
@ -64,8 +64,8 @@ job "vaultwarden" {
template { template {
data = <<EOH data = <<EOH
{{ with secret "secrets/data/vaultwarden"}} {{ with secret "secrets/data/database/vaultwarden"}}
DATABASE_URL=postgresql://vaultwarden:{{ .Data.data.DB_PASSWORD }}@db1.ducamps.win/vaultwarden DATABASE_URL=postgresql://vaultwarden:{{ .Data.data.password }}@db1.ducamps.win/vaultwarden
{{end}} {{end}}
EOH EOH
destination = "secrets/vaultwarden.env" destination = "secrets/vaultwarden.env"


@ -8,8 +8,26 @@ provider vault {
} }
locals { locals {
allowed_policies= [ allowed_policies= concat(local.nomad_policy, [
"access-tables" ])
nomad_policy=[
"crowdsec",
"dump",
"dentrite",
"droneCI",
"gandi",
"gitea",
"nextcloud",
"paperless",
"pihole",
"prometheus",
"rsyncd",
"seedbox",
"supysonic",
"ttrss",
"vaultwarden",
"wikijs",
] ]
} }
@ -22,6 +40,24 @@ resource "vault_token_auth_backend_role" "nomad-cluster" {
allowed_policies = local.allowed_policies allowed_policies = local.allowed_policies
} }
data "vault_policy_document" "nomad_jobs" {
for_each = toset(local.nomad_policy)
rule {
path = "secrets/data/nomad/${each.key}"
capabilities = ["read"]
}
rule {
path = "secrets/data/database/${each.key}"
capabilities = ["read"]
}
}
resource "vault_policy" "nomad_jobs" {
for_each = toset(local.nomad_policy)
name = each.key
policy = data.vault_policy_document.nomad_jobs[each.key].hcl
}
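Review bot: `"dentrite"` in `nomad_policy` is misspelled: the matrix job in this commit asks for policy `dendrite` and its template reads `secrets/data/database/dendrite`, so the generated `dentrite` policy grants paths nobody reads while the requested policy does not exist. Change the entry to `"dendrite",`. `"droneCI"` is the only mixed-case name and the drone job requests `droneci`; Vault lowercases policy names, so the `vault_policy` resource will likely read back as `droneci` and show perpetual plan drift — prefer `"droneci",` here (the KV path `secrets/data/nomad/droneCI` is case-sensitive and would need renaming to match). Each generated policy also grants `secrets/data/database/<name>` to services with no database secret (gandi, pihole, prometheus, seedbox, crowdsec, rsyncd); harmless while those paths are empty, but a separate list of database-backed services would better match the least-privilege intent of the commit.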
resource "vault_mount" "kvv2-secret" { resource "vault_mount" "kvv2-secret" {


@ -66,6 +66,11 @@ data "vault_policy_document" "ansible" {
path = "secrets/data/ansible" path = "secrets/data/ansible"
capabilities = ["read", "list"] capabilities = ["read", "list"]
} }
rule {
path = "secrets/data/database"
capabilities = ["read", "list"]
}
} }
resource "vault_policy" "ansible" { resource "vault_policy" "ansible" {
name = "ansible" name = "ansible"
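Review bot: The added rule's path `secrets/data/database` has no trailing glob, and Vault policy paths match exactly unless they end in `*`, so it only grants access to a secret literally named `database`, not to `secrets/data/database/wikijs` and the other per-service entries the Ansible lookups in this commit read. Unless a rule outside this hunk already covers the subtree, it should be `path = "secrets/data/database/*"` with `capabilities = ["read"]`; for `list` on a KV v2 mount the listable path is `secrets/metadata/database/*`, not the `data/` path. The `vault_policy_document.ansible` block begins before the hunk, so its earlier rules are not visible here.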