Add Nomad var example and remove old examples

.secrets-baseline

@@ -75,10 +75,6 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
-    {
-      "path": "detect_secrets.filters.common.is_baseline_file",
-      "filename": ".secrets-baseline"
-    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -113,7 +109,7 @@
     {
       "path": "detect_secrets.filters.regex.should_exclude_secret",
       "pattern": [
-        "(\\${.*}|from_env|fake|!secret)"
+        "(\\${.*}|from_env|fake|!secret|VALUE)"
       ]
     }
   ],
@@ -124,24 +120,21 @@
         "filename": "ansible_playbooks/vars/vault_hashi_vault_values.example.yml",
         "hashed_secret": "f2baa52d02ca888455ce47823f47bf372d5eecb3",
         "is_verified": false,
-        "line_number": 8,
-        "is_secret": false
+        "line_number": 8
       },
       {
         "type": "Secret Keyword",
         "filename": "ansible_playbooks/vars/vault_hashi_vault_values.example.yml",
         "hashed_secret": "18960546905b75c869e7de63961dc185f9a0a7c9",
         "is_verified": false,
-        "line_number": 10,
-        "is_secret": false
+        "line_number": 10
       },
       {
         "type": "Secret Keyword",
         "filename": "ansible_playbooks/vars/vault_hashi_vault_values.example.yml",
         "hashed_secret": "0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33",
         "is_verified": false,
-        "line_number": 22,
-        "is_secret": false
+        "line_number": 22
       }
     ],
     "core/authelia.yml": [
@@ -150,16 +143,14 @@
         "filename": "core/authelia.yml",
         "hashed_secret": "7cb6efb98ba5972a9b5090dc2e517fe14d12cb04",
         "is_verified": false,
-        "line_number": 54,
-        "is_secret": false
+        "line_number": 54
       },
       {
         "type": "Secret Keyword",
         "filename": "core/authelia.yml",
         "hashed_secret": "a32b08d97b1615dc27f58b6b17f67624c04e2c4f",
         "is_verified": false,
-        "line_number": 185,
-        "is_secret": false
+        "line_number": 191
       }
     ],
     "core/metrics/grafana/grafana.ini": [
@@ -168,50 +159,44 @@
         "filename": "core/metrics/grafana/grafana.ini",
         "hashed_secret": "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4",
         "is_verified": false,
-        "line_number": 78,
-        "is_secret": false
+        "line_number": 78
       },
       {
         "type": "Secret Keyword",
         "filename": "core/metrics/grafana/grafana.ini",
         "hashed_secret": "55ebda65c08313526e7ba08ad733e5ebea9900bd",
         "is_verified": false,
-        "line_number": 109,
-        "is_secret": false
+        "line_number": 109
       },
       {
         "type": "Secret Keyword",
         "filename": "core/metrics/grafana/grafana.ini",
         "hashed_secret": "d033e22ae348aeb5660fc2140aec35850c4da997",
         "is_verified": false,
-        "line_number": 151,
-        "is_secret": false
+        "line_number": 151
       },
       {
         "type": "Secret Keyword",
         "filename": "core/metrics/grafana/grafana.ini",
         "hashed_secret": "10bea62ff1e1a7540dc7a6bc10f5fa992349023f",
         "is_verified": false,
-        "line_number": 154,
-        "is_secret": false
+        "line_number": 154
       },
       {
         "type": "Secret Keyword",
         "filename": "core/metrics/grafana/grafana.ini",
         "hashed_secret": "5718bce97710e6be87ea160b36eaefb5032857d3",
         "is_verified": false,
-        "line_number": 239,
-        "is_secret": false
+        "line_number": 239
       },
       {
         "type": "Secret Keyword",
         "filename": "core/metrics/grafana/grafana.ini",
         "hashed_secret": "10aed9d7ebef778a9b3033dba3f7813b639e0d50",
         "is_verified": false,
-        "line_number": 252,
-        "is_secret": false
+        "line_number": 252
       }
     ]
   },
-  "generated_at": "2023-07-07T23:34:07Z"
+  "generated_at": "2023-07-11T19:43:38Z"
 }

Makefile

@@ -30,8 +30,8 @@ check: $(VENV)
 	$(VENV)/bin/pre-commit run --all-files
 
 # Creates a new secrets baseline
-.secrets-baseline: $(VENV)
-	$(VENV)/bin/detect-secrets scan --exclude-secrets '(\$${.*}|from_env|fake|!secret)' > .secrets-baseline
+.secrets-baseline: $(VENV) Makefile
+	$(VENV)/bin/detect-secrets scan --exclude-secrets '(\$${.*}|from_env|fake|!secret|VALUE)' > .secrets-baseline
 
 # Audits secrets against baseline
 .PHONY: secrets-audit

ansible_playbooks/vars/consul_values.example.yml

@@ -1,4 +0,0 @@
-consul_values:
-  "blocky/whitelists/ads": |
-    - |
-      somedomain.com

ansible_playbooks/vars/nomad_vars.sample.yml

@@ -0,0 +1,168 @@
+nomad/jobs:
+  base_hostname: VALUE
+  db_user_ro: VALUE
+  ldap_base_dn: VALUE
+  mysql_root_password: VALUE
+  notify_email: VALUE
+  smtp_password: VALUE
+  smtp_port: VALUE
+  smtp_server: VALUE
+  smtp_tls: VALUE
+  smtp_user: VALUE
+nomad/jobs/adminer:
+  mysql_stunnel_psk: VALUE
+nomad/jobs/authelia:
+  db_name: VALUE
+  db_pass: VALUE
+  db_user: VALUE
+  email_sender: VALUE
+  jwt_secret: VALUE
+  ldap_stunnel_psk: VALUE
+  lldap_admin_password: VALUE
+  lldap_admin_user: VALUE
+  mysql_stunnel_psk: VALUE
+  oidc_clients: VALUE
+  oidc_hmac_secret: VALUE
+  oidc_issuer_certificate_chain: VALUE
+  oidc_issuer_private_key: VALUE
+  redis_stunnel_psk: VALUE
+  session_secret: VALUE
+  storage_encryption_key: VALUE
+nomad/jobs/backup:
+  backup_passphrase: VALUE
+  mysql_stunnel_psk: VALUE
+  nas_ftp_host: VALUE
+  nas_ftp_pass: VALUE
+  nas_ftp_user: VALUE
+nomad/jobs/backup-oneoff-n1:
+  backup_passphrase: VALUE
+  mysql_stunnel_psk: VALUE
+  nas_ftp_host: VALUE
+  nas_ftp_pass: VALUE
+  nas_ftp_user: VALUE
+nomad/jobs/backup-oneoff-n2:
+  backup_passphrase: VALUE
+  mysql_stunnel_psk: VALUE
+  nas_ftp_host: VALUE
+  nas_ftp_pass: VALUE
+  nas_ftp_user: VALUE
+nomad/jobs/backup-oneoff-pi4:
+  backup_passphrase: VALUE
+  mysql_stunnel_psk: VALUE
+  nas_ftp_host: VALUE
+  nas_ftp_pass: VALUE
+  nas_ftp_user: VALUE
+nomad/jobs/blocky:
+  db_name: VALUE
+  db_pass: VALUE
+  db_user: VALUE
+  mappings: VALUE
+  whitelists_ads: VALUE
+nomad/jobs/blocky/blocky/stunnel:
+  mysql_stunnel_psk: VALUE
+  redis_stunnel_psk: VALUE
+nomad/jobs/ddclient:
+  domain: VALUE
+  domain_ddclient: VALUE
+  zone: VALUE
+nomad/jobs/diun:
+  slack_hook_url: VALUE
+nomad/jobs/gitea:
+  db_name: VALUE
+  db_pass: VALUE
+  db_user: VALUE
+  secret_key: VALUE
+nomad/jobs/grafana:
+  admin_pw: VALUE
+  alert_email_addresses: VALUE
+  db_name: VALUE
+  db_pass: VALUE
+  db_pass_ro: VALUE
+  db_user: VALUE
+  db_user_ro: VALUE
+  minio_access_key: VALUE
+  minio_secret_key: VALUE
+  oidc_secret: VALUE
+  slack_bot_token: VALUE
+  slack_bot_url: VALUE
+  slack_hook_url: VALUE
+  smtp_password: VALUE
+  smtp_user: VALUE
+nomad/jobs/grafana/grafana/stunnel:
+  mysql_stunnel_psk: VALUE
+nomad/jobs/immich:
+  db_name: VALUE
+  db_pass: VALUE
+  db_user: VALUE
+nomad/jobs/ipdvr/bazarr:
+  db_pass: VALUE
+  db_user: VALUE
+nomad/jobs/ipdvr/bazarr/bootstrap:
+  superuser: VALUE
+  superuser_pass: VALUE
+nomad/jobs/ipdvr/lidarr:
+  db_pass: VALUE
+  db_user: VALUE
+nomad/jobs/ipdvr/lidarr/bootstrap:
+  superuser: VALUE
+  superuser_pass: VALUE
+nomad/jobs/ipdvr/radarr:
+  db_pass: VALUE
+  db_user: VALUE
+nomad/jobs/ipdvr/radarr/bootstrap:
+  superuser: VALUE
+  superuser_pass: VALUE
+nomad/jobs/lldap:
+  admin_email: VALUE
+  admin_password: VALUE
+  admin_user: VALUE
+  db_name: VALUE
+  db_pass: VALUE
+  db_user: VALUE
+  jwt_secret: VALUE
+  key_seed: VALUE
+  smtp_from: VALUE
+  smtp_reply_to: VALUE
+nomad/jobs/lldap/lldap/bootstrap:
+  mysql_root_password: VALUE
+nomad/jobs/lldap/lldap/stunnel:
+  allowed_psks: VALUE
+  mysql_stunnel_psk: VALUE
+nomad/jobs/minitor:
+  mailgun_api_key: VALUE
+nomad/jobs/mysql-server:
+  allowed_psks: VALUE
+  root_password: VALUE
+nomad/jobs/photoprism:
+  admin_password: VALUE
+  admin_user: VALUE
+  db_name: VALUE
+  db_pass: VALUE
+  db_user: VALUE
+  mysql_stunnel_psk: VALUE
+nomad/jobs/postgres-server:
+  superuser: VALUE
+  superuser_pass: VALUE
+nomad/jobs/redis-authelia:
+  allowed_psks: VALUE
+nomad/jobs/redis-blocky:
+  allowed_psks: VALUE
+nomad/jobs/rediscommander:
+  redis_stunnel_psk: VALUE
+nomad/jobs/traefik:
+  acme_email: VALUE
+  domain_lego_dns: VALUE
+  usersfile: VALUE
+nomad/oidc:
+  secret: VALUE
+secrets/mysql:
+  mysql_root_password: VALUE
+secrets/postgres:
+  superuser: VALUE
+  superuser_pass: VALUE
+secrets/smtp:
+  password: VALUE
+  port: VALUE
+  server: VALUE
+  tls: VALUE
+  user: VALUE

ansible_playbooks/vars/vault_hashi_vault_values.example.yml

@@ -1,23 +0,0 @@
-# Example map of vault values to bootstrap
-# These should be encrypted with Ansible Vault if actually stored here
-hashi_vault_values:
-  nextcloud:
-    db_name: nextcloud
-    # Eventually replace this with dynamic secrets from Hashicorp Vault
-    db_user: nextcloud
-    db_pass: nextcloud
-  mysql:
-    root_password: supersecretpassword
-  slack:
-    bot_url: ...
-    bot_token: ...
-    hook_url: ...
-  grafana:
-    alert_email_addresses: email@example.com
-  backups:
-    backup_passphrase: tellnoone
-
-vault_userpass:
-  - name: admin
-    password: foo
-    policies: default

nomad_vars.py

@@ -1,4 +1,5 @@
 #! /usr/bin/env python3
+import sys
 import yaml
 from nomad import Nomad
 
@@ -25,8 +26,25 @@ def write_nomad():
                 )
 
 
+def print_sample():
+    clean_vars = {}
+    with open("./ansible_playbooks/vars/nomad_vars.yml") as f:
+        vars = yaml.load(f, yaml.CLoader)
+
+        for path, items in vars.items():
+            if items == "DELETE":
+                continue
+            else:
+                clean_vars[path] = {k: "VALUE" for k in items}
+
+    print(yaml.dump(clean_vars))
+
+
 def main():
-    write_nomad()
+    if len(sys.argv) > 1 and sys.argv[1] == "print":
+        print_sample()
+    else:
+        write_nomad()
 
 
 if __name__ == "__main__":