From 9b11ad9a695e67b298b4819da53a210ca391459d Mon Sep 17 00:00:00 2001 From: Ian Fijolek Date: Tue, 11 Jul 2023 12:45:12 -0700 Subject: [PATCH] Add Nomad var example and remove old examples --- .secrets-baseline | 41 ++--- Makefile | 4 +- .../vars/consul_values.example.yml | 4 - ansible_playbooks/vars/nomad_vars.sample.yml | 168 ++++++++++++++++++ .../vars/vault_hashi_vault_values.example.yml | 23 --- nomad_vars.py | 20 ++- 6 files changed, 202 insertions(+), 58 deletions(-) delete mode 100644 ansible_playbooks/vars/consul_values.example.yml create mode 100644 ansible_playbooks/vars/nomad_vars.sample.yml delete mode 100644 ansible_playbooks/vars/vault_hashi_vault_values.example.yml diff --git a/.secrets-baseline b/.secrets-baseline index e3061a3..07d471d 100644 --- a/.secrets-baseline +++ b/.secrets-baseline @@ -75,10 +75,6 @@ { "path": "detect_secrets.filters.allowlist.is_line_allowlisted" }, - { - "path": "detect_secrets.filters.common.is_baseline_file", - "filename": ".secrets-baseline" - }, { "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", "min_level": 2 @@ -113,7 +109,7 @@ { "path": "detect_secrets.filters.regex.should_exclude_secret", "pattern": [ - "(\\${.*}|from_env|fake|!secret)" + "(\\${.*}|from_env|fake|!secret|VALUE)" ] } ], 
@@ -124,24 +120,21 @@ "filename": "ansible_playbooks/vars/vault_hashi_vault_values.example.yml", "hashed_secret": "f2baa52d02ca888455ce47823f47bf372d5eecb3", "is_verified": false, - "line_number": 8, - "is_secret": false + "line_number": 8 }, { "type": "Secret Keyword", "filename": "ansible_playbooks/vars/vault_hashi_vault_values.example.yml", "hashed_secret": "18960546905b75c869e7de63961dc185f9a0a7c9", "is_verified": false, - "line_number": 10, - "is_secret": false + "line_number": 10 }, { "type": "Secret Keyword", "filename": "ansible_playbooks/vars/vault_hashi_vault_values.example.yml", "hashed_secret": "0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33", "is_verified": false, - "line_number": 22, - "is_secret": false + "line_number": 22 } ], "core/authelia.yml": [ @@ -150,16 +143,14 @@ "filename": "core/authelia.yml", "hashed_secret": "7cb6efb98ba5972a9b5090dc2e517fe14d12cb04", "is_verified": false, - "line_number": 54, - "is_secret": false + "line_number": 54 }, { "type": "Secret Keyword", "filename": "core/authelia.yml", "hashed_secret": "a32b08d97b1615dc27f58b6b17f67624c04e2c4f", "is_verified": false, - "line_number": 185, - "is_secret": false + "line_number": 191 } ], "core/metrics/grafana/grafana.ini": [ 
@@ -168,50 +159,44 @@ "filename": "core/metrics/grafana/grafana.ini", "hashed_secret": "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4", "is_verified": false, - "line_number": 78, - "is_secret": false + "line_number": 78 }, { "type": "Secret Keyword", "filename": "core/metrics/grafana/grafana.ini", "hashed_secret": "55ebda65c08313526e7ba08ad733e5ebea9900bd", "is_verified": false, - "line_number": 109, - "is_secret": false + "line_number": 109 }, { "type": "Secret Keyword", "filename": "core/metrics/grafana/grafana.ini", "hashed_secret": "d033e22ae348aeb5660fc2140aec35850c4da997", "is_verified": false, - "line_number": 151, - "is_secret": false + "line_number": 151 }, { "type": "Secret Keyword", "filename": "core/metrics/grafana/grafana.ini", "hashed_secret": "10bea62ff1e1a7540dc7a6bc10f5fa992349023f", "is_verified": false, - "line_number": 154, - "is_secret": false + "line_number": 154 }, { "type": "Secret Keyword", "filename": "core/metrics/grafana/grafana.ini", "hashed_secret": "5718bce97710e6be87ea160b36eaefb5032857d3", "is_verified": false, - "line_number": 239, - "is_secret": false + "line_number": 239 }, { "type": "Secret Keyword", "filename": "core/metrics/grafana/grafana.ini", "hashed_secret": "10aed9d7ebef778a9b3033dba3f7813b639e0d50", "is_verified": false, - "line_number": 252, - "is_secret": false + "line_number": 252 } ] }, - "generated_at": "2023-07-07T23:34:07Z" + "generated_at": "2023-07-11T19:43:38Z" } diff --git a/Makefile b/Makefile index 5275305..58122e8 100644 --- a/Makefile +++ b/Makefile @@ -30,8 +30,8 @@ check: $(VENV) $(VENV)/bin/pre-commit run --all-files # Creates a new secrets baseline -.secrets-baseline: $(VENV) - $(VENV)/bin/detect-secrets scan --exclude-secrets '(\$${.*}|from_env|fake|!secret)' > .secrets-baseline +.secrets-baseline: $(VENV) Makefile + $(VENV)/bin/detect-secrets scan --exclude-secrets '(\$${.*}|from_env|fake|!secret|VALUE)' > .secrets-baseline # Audits secrets against baseline .PHONY: secrets-audit 
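Review bot: The new `VALUE` alternative in `--exclude-secrets` is an unanchored, case-sensitive substring match, so any real secret that happens to contain `VALUE` would be dropped from the baseline along with the sample placeholders; anchoring it, `'(\$${.*}|from_env|fake|!secret|^VALUE$$)'` (note the doubled `$` for make), keeps the exclusion to the literal sample token, and the same pattern mirrored in the `.secrets-baseline` hunk above would then need regenerating. Separately, the `.secrets-baseline` hunks still carry three entries for `ansible_playbooks/vars/vault_hashi_vault_values.example.yml`, which this commit deletes, so the baseline appears to have been regenerated before the file was removed; re-running the `.secrets-baseline` target after the deletion would drop them.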
diff --git a/ansible_playbooks/vars/consul_values.example.yml b/ansible_playbooks/vars/consul_values.example.yml
deleted file mode 100644
index 023dded..0000000
--- a/ansible_playbooks/vars/consul_values.example.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-consul_values:
- "blocky/whitelists/ads": |
- - |
- somedomain.com
diff --git a/ansible_playbooks/vars/nomad_vars.sample.yml b/ansible_playbooks/vars/nomad_vars.sample.yml
new file mode 100644
index 0000000..e2aebd7
--- /dev/null
+++ b/ansible_playbooks/vars/nomad_vars.sample.yml
@@ -0,0 +1,168 @@
+nomad/jobs:
+ base_hostname: VALUE
+ db_user_ro: VALUE
+ ldap_base_dn: VALUE
+ mysql_root_password: VALUE
+ notify_email: VALUE
+ smtp_password: VALUE
+ smtp_port: VALUE
+ smtp_server: VALUE
+ smtp_tls: VALUE
+ smtp_user: VALUE
+nomad/jobs/adminer:
+ mysql_stunnel_psk: VALUE
+nomad/jobs/authelia:
+ db_name: VALUE
+ db_pass: VALUE
+ db_user: VALUE
+ email_sender: VALUE
+ jwt_secret: VALUE
+ ldap_stunnel_psk: VALUE
+ lldap_admin_password: VALUE
+ lldap_admin_user: VALUE
+ mysql_stunnel_psk: VALUE
+ oidc_clients: VALUE
+ oidc_hmac_secret: VALUE
+ oidc_issuer_certificate_chain: VALUE
+ oidc_issuer_private_key: VALUE
+ redis_stunnel_psk: VALUE
+ session_secret: VALUE
+ storage_encryption_key: VALUE
+nomad/jobs/backup:
+ backup_passphrase: VALUE
+ mysql_stunnel_psk: VALUE
+ nas_ftp_host: VALUE
+ nas_ftp_pass: VALUE
+ nas_ftp_user: VALUE
+nomad/jobs/backup-oneoff-n1:
+ backup_passphrase: VALUE
+ mysql_stunnel_psk: VALUE
+ nas_ftp_host: VALUE
+ nas_ftp_pass: VALUE
+ nas_ftp_user: VALUE
+nomad/jobs/backup-oneoff-n2:
+ backup_passphrase: VALUE
+ mysql_stunnel_psk: VALUE
+ nas_ftp_host: VALUE
+ nas_ftp_pass: VALUE
+ nas_ftp_user: VALUE
+nomad/jobs/backup-oneoff-pi4:
+ backup_passphrase: VALUE
+ mysql_stunnel_psk: VALUE
+ nas_ftp_host: VALUE
+ nas_ftp_pass: VALUE
+ nas_ftp_user: VALUE
+nomad/jobs/blocky:
+ db_name: VALUE
+ db_pass: VALUE
+ db_user: VALUE
+ mappings: VALUE
+ whitelists_ads: VALUE
+nomad/jobs/blocky/blocky/stunnel:
+ mysql_stunnel_psk: VALUE
+ redis_stunnel_psk: VALUE
+nomad/jobs/ddclient:
+ domain: VALUE
+ domain_ddclient: VALUE
+ zone: VALUE
+nomad/jobs/diun:
+ slack_hook_url: VALUE
+nomad/jobs/gitea:
+ db_name: VALUE
+ db_pass: VALUE
+ db_user: VALUE
+ secret_key: VALUE
+nomad/jobs/grafana:
+ admin_pw: VALUE
+ alert_email_addresses: VALUE
+ db_name: VALUE
+ db_pass: VALUE
+ db_pass_ro: VALUE
+ db_user: VALUE
+ db_user_ro: VALUE
+ minio_access_key: VALUE
+ minio_secret_key: VALUE
+ oidc_secret: VALUE
+ slack_bot_token: VALUE
+ slack_bot_url: VALUE
+ slack_hook_url: VALUE
+ smtp_password: VALUE
+ smtp_user: VALUE
+nomad/jobs/grafana/grafana/stunnel:
+ mysql_stunnel_psk: VALUE
+nomad/jobs/immich:
+ db_name: VALUE
+ db_pass: VALUE
+ db_user: VALUE
+nomad/jobs/ipdvr/bazarr:
+ db_pass: VALUE
+ db_user: VALUE
+nomad/jobs/ipdvr/bazarr/bootstrap:
+ superuser: VALUE
+ superuser_pass: VALUE
+nomad/jobs/ipdvr/lidarr:
+ db_pass: VALUE
+ db_user: VALUE
+nomad/jobs/ipdvr/lidarr/bootstrap:
+ superuser: VALUE
+ superuser_pass: VALUE
+nomad/jobs/ipdvr/radarr:
+ db_pass: VALUE
+ db_user: VALUE
+nomad/jobs/ipdvr/radarr/bootstrap:
+ superuser: VALUE
+ superuser_pass: VALUE
+nomad/jobs/lldap:
+ admin_email: VALUE
+ admin_password: VALUE
+ admin_user: VALUE
+ db_name: VALUE
+ db_pass: VALUE
+ db_user: VALUE
+ jwt_secret: VALUE
+ key_seed: VALUE
+ smtp_from: VALUE
+ smtp_reply_to: VALUE
+nomad/jobs/lldap/lldap/bootstrap:
+ mysql_root_password: VALUE
+nomad/jobs/lldap/lldap/stunnel:
+ allowed_psks: VALUE
+ mysql_stunnel_psk: VALUE
+nomad/jobs/minitor:
+ mailgun_api_key: VALUE
+nomad/jobs/mysql-server:
+ allowed_psks: VALUE
+ root_password: VALUE
+nomad/jobs/photoprism:
+ admin_password: VALUE
+ admin_user: VALUE
+ db_name: VALUE
+ db_pass: VALUE
+ db_user: VALUE
+ mysql_stunnel_psk: VALUE
+nomad/jobs/postgres-server:
+ superuser: VALUE
+ superuser_pass: VALUE
+nomad/jobs/redis-authelia:
+ allowed_psks: VALUE
+nomad/jobs/redis-blocky:
+ allowed_psks: VALUE
+nomad/jobs/rediscommander:
+ redis_stunnel_psk: VALUE
+nomad/jobs/traefik:
+ acme_email: VALUE
+ domain_lego_dns: VALUE
+ usersfile: VALUE
+nomad/oidc:
+ secret: VALUE
+secrets/mysql:
+ mysql_root_password: VALUE
+secrets/postgres:
+ superuser: VALUE
+ superuser_pass: VALUE
+secrets/smtp:
+ password: VALUE
+ port: VALUE
+ server: VALUE
+ tls: VALUE
+ user: VALUE
diff --git a/ansible_playbooks/vars/vault_hashi_vault_values.example.yml b/ansible_playbooks/vars/vault_hashi_vault_values.example.yml
deleted file mode 100644
index 2d3dbe9..0000000
--- a/ansible_playbooks/vars/vault_hashi_vault_values.example.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-# Example map of vault values to bootstrap
-# These should be encrypted with Ansible Vault if actually stored here
-hashi_vault_values:
- nextcloud:
- db_name: nextcloud
- # Eventually replace this with dynamic secrets from Hashicorp Vault
- db_user: nextcloud
- db_pass: nextcloud
- mysql:
- root_password: supersecretpassword
- slack:
- bot_url: ...
- bot_token: ...
- hook_url: ...
- grafana:
- alert_email_addresses: email@example.com
- backups:
- backup_passphrase: tellnoone
-
-vault_userpass:
- - name: admin
- password: foo
- policies: default
diff --git a/nomad_vars.py b/nomad_vars.py
index 80b3ab4..15a9718 100755
--- a/nomad_vars.py
+++ b/nomad_vars.py
@@ -1,4 +1,5 @@
 #! /usr/bin/env python3
+import sys
 import yaml
 from nomad import Nomad
@@ -25,8 +26,25 @@ def write_nomad():
 )
+def print_sample():
+ clean_vars = {}
+ with open("./ansible_playbooks/vars/nomad_vars.yml") as f:
+ vars = yaml.load(f, yaml.CLoader)
+
+ for path, items in vars.items():
+ if items == "DELETE":
+ continue
+ else:
+ clean_vars[path] = {k: "VALUE" for k in items}
+
+ print(yaml.dump(clean_vars))
+
+
 def main():
- write_nomad()
+ if len(sys.argv) > 1 and sys.argv[1] == "print":
+ print_sample()
+ else:
+ write_nomad()
 if __name__ == "__main__":
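Review bot: `print_sample` parses `nomad_vars.yml` with `yaml.load(f, yaml.CLoader)`, the full loader, which constructs arbitrary Python objects from tags such as `!!python/object`; nothing in this function needs that, so `nomad_vars = yaml.safe_load(f)` (or `yaml.CSafeLoader` if the libyaml speedup matters) is the safer default for the file holding the live values, and `yaml.CLoader` is also absent on PyYAML builds without libyaml. `write_nomad`, which starts outside the hunk, presumably reads the same file and would want the same loader. The local name `vars` shadows the builtin and the `else:` after `continue` is redundant; `{k: "VALUE" for k in items}` also assumes every non-`DELETE` entry is a mapping, since a plain string value would be iterated character by character, so a short docstring stating that contract, e.g. `"""Print nomad_vars.yml with every leaf replaced by VALUE, skipping paths marked DELETE."""`, would make the expected file shape explicit.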