Add Nomad var example and remove old examples

This commit is contained in:
IamTheFij 2023-07-11 12:45:12 -07:00
parent 72c30d4d74
commit 9b11ad9a69
6 changed files with 202 additions and 58 deletions

View File

@ -75,10 +75,6 @@
{ {
"path": "detect_secrets.filters.allowlist.is_line_allowlisted" "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
}, },
{
"path": "detect_secrets.filters.common.is_baseline_file",
"filename": ".secrets-baseline"
},
{ {
"path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
"min_level": 2 "min_level": 2
@ -113,7 +109,7 @@
{ {
"path": "detect_secrets.filters.regex.should_exclude_secret", "path": "detect_secrets.filters.regex.should_exclude_secret",
"pattern": [ "pattern": [
"(\\${.*}|from_env|fake|!secret)" "(\\${.*}|from_env|fake|!secret|VALUE)"
] ]
} }
], ],
@ -124,24 +120,21 @@
"filename": "ansible_playbooks/vars/vault_hashi_vault_values.example.yml", "filename": "ansible_playbooks/vars/vault_hashi_vault_values.example.yml",
"hashed_secret": "f2baa52d02ca888455ce47823f47bf372d5eecb3", "hashed_secret": "f2baa52d02ca888455ce47823f47bf372d5eecb3",
"is_verified": false, "is_verified": false,
"line_number": 8, "line_number": 8
"is_secret": false
}, },
{ {
"type": "Secret Keyword", "type": "Secret Keyword",
"filename": "ansible_playbooks/vars/vault_hashi_vault_values.example.yml", "filename": "ansible_playbooks/vars/vault_hashi_vault_values.example.yml",
"hashed_secret": "18960546905b75c869e7de63961dc185f9a0a7c9", "hashed_secret": "18960546905b75c869e7de63961dc185f9a0a7c9",
"is_verified": false, "is_verified": false,
"line_number": 10, "line_number": 10
"is_secret": false
}, },
{ {
"type": "Secret Keyword", "type": "Secret Keyword",
"filename": "ansible_playbooks/vars/vault_hashi_vault_values.example.yml", "filename": "ansible_playbooks/vars/vault_hashi_vault_values.example.yml",
"hashed_secret": "0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33", "hashed_secret": "0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33",
"is_verified": false, "is_verified": false,
"line_number": 22, "line_number": 22
"is_secret": false
} }
], ],
"core/authelia.yml": [ "core/authelia.yml": [
@ -150,16 +143,14 @@
"filename": "core/authelia.yml", "filename": "core/authelia.yml",
"hashed_secret": "7cb6efb98ba5972a9b5090dc2e517fe14d12cb04", "hashed_secret": "7cb6efb98ba5972a9b5090dc2e517fe14d12cb04",
"is_verified": false, "is_verified": false,
"line_number": 54, "line_number": 54
"is_secret": false
}, },
{ {
"type": "Secret Keyword", "type": "Secret Keyword",
"filename": "core/authelia.yml", "filename": "core/authelia.yml",
"hashed_secret": "a32b08d97b1615dc27f58b6b17f67624c04e2c4f", "hashed_secret": "a32b08d97b1615dc27f58b6b17f67624c04e2c4f",
"is_verified": false, "is_verified": false,
"line_number": 185, "line_number": 191
"is_secret": false
} }
], ],
"core/metrics/grafana/grafana.ini": [ "core/metrics/grafana/grafana.ini": [
@ -168,50 +159,44 @@
"filename": "core/metrics/grafana/grafana.ini", "filename": "core/metrics/grafana/grafana.ini",
"hashed_secret": "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4", "hashed_secret": "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4",
"is_verified": false, "is_verified": false,
"line_number": 78, "line_number": 78
"is_secret": false
}, },
{ {
"type": "Secret Keyword", "type": "Secret Keyword",
"filename": "core/metrics/grafana/grafana.ini", "filename": "core/metrics/grafana/grafana.ini",
"hashed_secret": "55ebda65c08313526e7ba08ad733e5ebea9900bd", "hashed_secret": "55ebda65c08313526e7ba08ad733e5ebea9900bd",
"is_verified": false, "is_verified": false,
"line_number": 109, "line_number": 109
"is_secret": false
}, },
{ {
"type": "Secret Keyword", "type": "Secret Keyword",
"filename": "core/metrics/grafana/grafana.ini", "filename": "core/metrics/grafana/grafana.ini",
"hashed_secret": "d033e22ae348aeb5660fc2140aec35850c4da997", "hashed_secret": "d033e22ae348aeb5660fc2140aec35850c4da997",
"is_verified": false, "is_verified": false,
"line_number": 151, "line_number": 151
"is_secret": false
}, },
{ {
"type": "Secret Keyword", "type": "Secret Keyword",
"filename": "core/metrics/grafana/grafana.ini", "filename": "core/metrics/grafana/grafana.ini",
"hashed_secret": "10bea62ff1e1a7540dc7a6bc10f5fa992349023f", "hashed_secret": "10bea62ff1e1a7540dc7a6bc10f5fa992349023f",
"is_verified": false, "is_verified": false,
"line_number": 154, "line_number": 154
"is_secret": false
}, },
{ {
"type": "Secret Keyword", "type": "Secret Keyword",
"filename": "core/metrics/grafana/grafana.ini", "filename": "core/metrics/grafana/grafana.ini",
"hashed_secret": "5718bce97710e6be87ea160b36eaefb5032857d3", "hashed_secret": "5718bce97710e6be87ea160b36eaefb5032857d3",
"is_verified": false, "is_verified": false,
"line_number": 239, "line_number": 239
"is_secret": false
}, },
{ {
"type": "Secret Keyword", "type": "Secret Keyword",
"filename": "core/metrics/grafana/grafana.ini", "filename": "core/metrics/grafana/grafana.ini",
"hashed_secret": "10aed9d7ebef778a9b3033dba3f7813b639e0d50", "hashed_secret": "10aed9d7ebef778a9b3033dba3f7813b639e0d50",
"is_verified": false, "is_verified": false,
"line_number": 252, "line_number": 252
"is_secret": false
} }
] ]
}, },
"generated_at": "2023-07-07T23:34:07Z" "generated_at": "2023-07-11T19:43:38Z"
} }

View File

@ -30,8 +30,8 @@ check: $(VENV)
$(VENV)/bin/pre-commit run --all-files $(VENV)/bin/pre-commit run --all-files
# Creates a new secrets baseline # Creates a new secrets baseline
.secrets-baseline: $(VENV) .secrets-baseline: $(VENV) Makefile
$(VENV)/bin/detect-secrets scan --exclude-secrets '(\$${.*}|from_env|fake|!secret)' > .secrets-baseline $(VENV)/bin/detect-secrets scan --exclude-secrets '(\$${.*}|from_env|fake|!secret|VALUE)' > .secrets-baseline
# Audits secrets against baseline # Audits secrets against baseline
.PHONY: secrets-audit .PHONY: secrets-audit

View File

@ -1,4 +0,0 @@
consul_values:
"blocky/whitelists/ads": |
- |
somedomain.com

View File

@ -0,0 +1,168 @@
nomad/jobs:
base_hostname: VALUE
db_user_ro: VALUE
ldap_base_dn: VALUE
mysql_root_password: VALUE
notify_email: VALUE
smtp_password: VALUE
smtp_port: VALUE
smtp_server: VALUE
smtp_tls: VALUE
smtp_user: VALUE
nomad/jobs/adminer:
mysql_stunnel_psk: VALUE
nomad/jobs/authelia:
db_name: VALUE
db_pass: VALUE
db_user: VALUE
email_sender: VALUE
jwt_secret: VALUE
ldap_stunnel_psk: VALUE
lldap_admin_password: VALUE
lldap_admin_user: VALUE
mysql_stunnel_psk: VALUE
oidc_clients: VALUE
oidc_hmac_secret: VALUE
oidc_issuer_certificate_chain: VALUE
oidc_issuer_private_key: VALUE
redis_stunnel_psk: VALUE
session_secret: VALUE
storage_encryption_key: VALUE
nomad/jobs/backup:
backup_passphrase: VALUE
mysql_stunnel_psk: VALUE
nas_ftp_host: VALUE
nas_ftp_pass: VALUE
nas_ftp_user: VALUE
nomad/jobs/backup-oneoff-n1:
backup_passphrase: VALUE
mysql_stunnel_psk: VALUE
nas_ftp_host: VALUE
nas_ftp_pass: VALUE
nas_ftp_user: VALUE
nomad/jobs/backup-oneoff-n2:
backup_passphrase: VALUE
mysql_stunnel_psk: VALUE
nas_ftp_host: VALUE
nas_ftp_pass: VALUE
nas_ftp_user: VALUE
nomad/jobs/backup-oneoff-pi4:
backup_passphrase: VALUE
mysql_stunnel_psk: VALUE
nas_ftp_host: VALUE
nas_ftp_pass: VALUE
nas_ftp_user: VALUE
nomad/jobs/blocky:
db_name: VALUE
db_pass: VALUE
db_user: VALUE
mappings: VALUE
whitelists_ads: VALUE
nomad/jobs/blocky/blocky/stunnel:
mysql_stunnel_psk: VALUE
redis_stunnel_psk: VALUE
nomad/jobs/ddclient:
domain: VALUE
domain_ddclient: VALUE
zone: VALUE
nomad/jobs/diun:
slack_hook_url: VALUE
nomad/jobs/gitea:
db_name: VALUE
db_pass: VALUE
db_user: VALUE
secret_key: VALUE
nomad/jobs/grafana:
admin_pw: VALUE
alert_email_addresses: VALUE
db_name: VALUE
db_pass: VALUE
db_pass_ro: VALUE
db_user: VALUE
db_user_ro: VALUE
minio_access_key: VALUE
minio_secret_key: VALUE
oidc_secret: VALUE
slack_bot_token: VALUE
slack_bot_url: VALUE
slack_hook_url: VALUE
smtp_password: VALUE
smtp_user: VALUE
nomad/jobs/grafana/grafana/stunnel:
mysql_stunnel_psk: VALUE
nomad/jobs/immich:
db_name: VALUE
db_pass: VALUE
db_user: VALUE
nomad/jobs/ipdvr/bazarr:
db_pass: VALUE
db_user: VALUE
nomad/jobs/ipdvr/bazarr/bootstrap:
superuser: VALUE
superuser_pass: VALUE
nomad/jobs/ipdvr/lidarr:
db_pass: VALUE
db_user: VALUE
nomad/jobs/ipdvr/lidarr/bootstrap:
superuser: VALUE
superuser_pass: VALUE
nomad/jobs/ipdvr/radarr:
db_pass: VALUE
db_user: VALUE
nomad/jobs/ipdvr/radarr/bootstrap:
superuser: VALUE
superuser_pass: VALUE
nomad/jobs/lldap:
admin_email: VALUE
admin_password: VALUE
admin_user: VALUE
db_name: VALUE
db_pass: VALUE
db_user: VALUE
jwt_secret: VALUE
key_seed: VALUE
smtp_from: VALUE
smtp_reply_to: VALUE
nomad/jobs/lldap/lldap/bootstrap:
mysql_root_password: VALUE
nomad/jobs/lldap/lldap/stunnel:
allowed_psks: VALUE
mysql_stunnel_psk: VALUE
nomad/jobs/minitor:
mailgun_api_key: VALUE
nomad/jobs/mysql-server:
allowed_psks: VALUE
root_password: VALUE
nomad/jobs/photoprism:
admin_password: VALUE
admin_user: VALUE
db_name: VALUE
db_pass: VALUE
db_user: VALUE
mysql_stunnel_psk: VALUE
nomad/jobs/postgres-server:
superuser: VALUE
superuser_pass: VALUE
nomad/jobs/redis-authelia:
allowed_psks: VALUE
nomad/jobs/redis-blocky:
allowed_psks: VALUE
nomad/jobs/rediscommander:
redis_stunnel_psk: VALUE
nomad/jobs/traefik:
acme_email: VALUE
domain_lego_dns: VALUE
usersfile: VALUE
nomad/oidc:
secret: VALUE
secrets/mysql:
mysql_root_password: VALUE
secrets/postgres:
superuser: VALUE
superuser_pass: VALUE
secrets/smtp:
password: VALUE
port: VALUE
server: VALUE
tls: VALUE
user: VALUE

View File

@ -1,23 +0,0 @@
# Example map of vault values to bootstrap
# These should be encrypted with Ansible Vault if actually stored here
hashi_vault_values:
nextcloud:
db_name: nextcloud
# Eventually replace this with dynamic secrets from Hashicorp Vault
db_user: nextcloud
db_pass: nextcloud
mysql:
root_password: supersecretpassword
slack:
bot_url: ...
bot_token: ...
hook_url: ...
grafana:
alert_email_addresses: email@example.com
backups:
backup_passphrase: tellnoone
vault_userpass:
- name: admin
password: foo
policies: default

View File

@ -1,4 +1,5 @@
#! /usr/bin/env python3 #! /usr/bin/env python3
import sys
import yaml import yaml
from nomad import Nomad from nomad import Nomad
@ -25,7 +26,24 @@ def write_nomad():
) )
def print_sample():
clean_vars = {}
with open("./ansible_playbooks/vars/nomad_vars.yml") as f:
vars = yaml.load(f, yaml.CLoader)
for path, items in vars.items():
if items == "DELETE":
continue
else:
clean_vars[path] = {k: "VALUE" for k in items}
print(yaml.dump(clean_vars))
def main(): def main():
if len(sys.argv) > 1 and sys.argv[1] == "print":
print_sample()
else:
write_nomad() write_nomad()