authelia and grafana to shared smtp secrets

ansible_playbooks/vars/nomad_vars.sample.yml

@@ -3,11 +3,6 @@ nomad/jobs:
   db_user_ro: VALUE
   ldap_base_dn: VALUE
   notify_email: VALUE
-  smtp_password: VALUE
-  smtp_port: VALUE
-  smtp_server: VALUE
-  smtp_tls: VALUE
-  smtp_user: VALUE
 nomad/jobs/authelia:
   db_name: VALUE
   db_pass: VALUE

core/authelia.tf

@@ -27,6 +27,7 @@ module "authelia" {
   use_mysql = true
   use_ldap  = true
   use_redis = true
+  use_smtp  = true
   mysql_bootstrap = {
     enabled = true
   }
@@ -96,7 +97,7 @@ module "authelia" {
       mount       = false
     },
     {
-      data        = "{{ with nomadVar \"nomad/jobs\" }}{{ .smtp_password }}{{ end }}"
+      data        = "{{ with nomadVar \"secrets/smtp\" }}{{ .password }}{{ end }}"
       dest_prefix = "$${NOMAD_SECRETS_DIR}"
       dest        = "smtp_password.txt"
       mount       = false

core/authelia.yml

@@ -221,11 +221,11 @@ notifier:
   ## You can disable the notifier startup check by setting this to true.
   disable_startup_check: false
 
-{{ with nomadVar "nomad/jobs" }}
+{{ with nomadVar "secrets/smtp" }}
   smtp:
-    host: {{ .smtp_server }}
-    port: {{ .smtp_port }}
-    username: {{ .smtp_user }}
+    host: {{ .server }}
+    port: {{ .port }}
+    username: {{ .user }}
     # password: <in file>
 
 {{- end }}

core/grafana.nomad

@@ -155,10 +155,12 @@ SELECT 'NOOP';
 
       template {
         data = <<EOF
+{{ with nomadVar "secrets/smtp" -}}
+GF_SMTP_USER={{ .user }}
+GF_SMTP_PASSWORD={{ .password }}
+{{ end -}}
 {{ with nomadVar "nomad/jobs/grafana" -}}
 GF_SECURITY_ADMIN_PASSWORD={{ .admin_pw }}
-GF_SMTP_USER={{ .smtp_user }}
-GF_SMTP_PASSWORD={{ .smtp_password }}
 GF_EXTERNAL_IMAGE_STORAGE_S3_ACCESS_KEY={{ .minio_access_key }}
 GF_EXTERNAL_IMAGE_STORAGE_S3_SECRET_KEY={{ .minio_secret_key }}
 GRAFANA_ALERT_EMAIL_ADDRESSES={{ .alert_email_addresses }}
@@ -170,7 +172,7 @@ GF_DATABASE_HOST=127.0.0.1:3306
 GF_DATABASE_NAME={{ .db_name }}
 GF_DATABASE_USER={{ .db_user }}
 GF_DATABASE_PASSWORD={{ .db_pass }}
-{{- end }}
+{{ end -}}
 SLACK_BOT_URL={{ .slack_bot_url }}
 SLACK_BOT_TOKEN={{ .slack_bot_token }}
 SLACK_HOOK_URL={{ .slack_hook_url }}

core/metrics.tf

@@ -19,6 +19,26 @@ resource "nomad_job" "grafana" {
   depends_on = [nomad_job.prometheus]
 }
 
+resource "nomad_acl_policy" "grafana_smtp_secrets" {
+  name        = "grafana-secrets-smtp"
+  description = "Give access to MySQL secrets"
+  rules_hcl   = <<EOH
+namespace "default" {
+  variables {
+    path "secrets/smtp" {
+      capabilities = ["read"]
+    }
+  }
+}
+EOH
+
+  job_acl {
+    job_id = "grafana"
+    group  = "grafana"
+    task   = "grafana"
+  }
+}
+
 # Generate secrets and policies for access to MySQL
 resource "nomad_acl_policy" "grafana_mysql_bootstrap_secrets" {
   name        = "grafana-secrets-mysql"

services/service/main.tf

@@ -198,3 +198,25 @@ EOH
     task   = "stunnel"
   }
 }
+
+resource "nomad_acl_policy" "secrets_smtp" {
+  count = var.use_smtp ? 1 : 0
+
+  name        = "${var.name}-secrets-smtp"
+  description = "Give access to SMTP secrets"
+  rules_hcl   = <<EOH
+namespace "default" {
+  variables {
+    path "secrets/smtp" {
+      capabilities = ["read"]
+    }
+  }
+}
+EOH
+
+  job_acl {
+    job_id = var.name
+    group  = var.name
+    task   = var.name
+  }
+}

services/service/vars.tf

@@ -192,6 +192,11 @@ variable "use_postgres" {
   default = false
 }
 
+variable "use_smtp" {
+  type    = bool
+  default = false
+}
+
 variable "mysql_bootstrap" {
   type = object({
     enabled     = optional(bool, true)