Move ldap secrets
This commit is contained in:
parent
3491c1f679
commit
bc87688f1a
|
|
@ -9,8 +9,6 @@ nomad/jobs/authelia:
|
|||
db_user: VALUE
|
||||
email_sender: VALUE
|
||||
jwt_secret: VALUE
|
||||
lldap_admin_password: VALUE
|
||||
lldap_admin_user: VALUE
|
||||
oidc_clients: VALUE
|
||||
oidc_hmac_secret: VALUE
|
||||
oidc_issuer_certificate_chain: VALUE
|
||||
|
|
@ -104,9 +102,6 @@ nomad/jobs/lidarr:
|
|||
db_pass: VALUE
|
||||
db_user: VALUE
|
||||
nomad/jobs/lldap:
|
||||
admin_email: VALUE
|
||||
admin_password: VALUE
|
||||
admin_user: VALUE
|
||||
db_name: VALUE
|
||||
db_pass: VALUE
|
||||
db_user: VALUE
|
||||
|
|
@ -140,6 +135,10 @@ nomad/jobs/unifi-traffic-route-ips:
|
|||
unifi_username: VALUE
|
||||
nomad/oidc:
|
||||
secret: VALUE
|
||||
secrets/ldap:
|
||||
admin_email: VALUE
|
||||
admin_password: VALUE
|
||||
admin_user: VALUE
|
||||
secrets/mysql:
|
||||
mysql_root_password: VALUE
|
||||
secrets/postgres:
|
||||
|
|
|
|||
|
|
@ -49,7 +49,7 @@ module "authelia" {
|
|||
mount = false
|
||||
},
|
||||
{
|
||||
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .lldap_admin_password }}{{ end }}"
|
||||
data = "{{ with nomadVar \"secrets/ldap\" }}{{ .admin_password }}{{ end }}"
|
||||
dest_prefix = "$${NOMAD_SECRETS_DIR}"
|
||||
dest = "ldap_password.txt"
|
||||
mount = false
|
||||
|
|
@ -105,6 +105,43 @@ module "authelia" {
|
|||
]
|
||||
}
|
||||
|
||||
resource "nomad_acl_policy" "authelia" {
|
||||
name = "authelia"
|
||||
description = "Give access to shared authelia variables"
|
||||
rules_hcl = <<EOH
|
||||
namespace "default" {
|
||||
variables {
|
||||
path "authelia/*" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
}
|
||||
}
|
||||
EOH
|
||||
|
||||
job_acl {
|
||||
job_id = module.authelia.job_id
|
||||
}
|
||||
}
|
||||
|
||||
# Give access to ldap secrets
|
||||
resource "nomad_acl_policy" "authelia_ldap_secrets" {
|
||||
name = "authelia-secrets-ldap"
|
||||
description = "Give access to LDAP secrets"
|
||||
rules_hcl = <<EOH
|
||||
namespace "default" {
|
||||
variables {
|
||||
path "secrets/ldap" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
}
|
||||
}
|
||||
EOH
|
||||
|
||||
job_acl {
|
||||
job_id = module.authelia.job_id
|
||||
}
|
||||
}
|
||||
|
||||
resource "nomad_acl_auth_method" "nomad_authelia" {
|
||||
name = "authelia"
|
||||
type = "OIDC"
|
||||
|
|
|
|||
|
|
@ -89,8 +89,8 @@ authentication_backend:
|
|||
groups_filter: (member={dn})
|
||||
|
||||
## The username and password of the admin user.
|
||||
{{ with nomadVar "nomad/jobs/authelia" }}
|
||||
user: uid={{ .lldap_admin_user }},ou=people,{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}
|
||||
{{ with nomadVar "secrets/ldap" }}
|
||||
user: uid={{ .admin_user }},ou=people,{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}
|
||||
{{ end }}
|
||||
# password set using secrets file
|
||||
# password: <secret>
|
||||
|
|
|
|||
|
|
@ -70,10 +70,12 @@ job "lldap" {
|
|||
data = <<EOH
|
||||
ldap_base_dn = "{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}"
|
||||
|
||||
{{ with nomadVar "nomad/jobs/lldap" -}}
|
||||
{{ with nomadVar "secrets/ldap" -}}
|
||||
ldap_user_dn = "{{ .admin_user }}"
|
||||
ldap_user_email = "{{ .admin_email }}"
|
||||
{{ end -}}
|
||||
|
||||
{{ with nomadVar "nomad/jobs/lldap" -}}
|
||||
[smtp_options]
|
||||
from = "{{ .smtp_from }}"
|
||||
reply_to = "{{ .smtp_reply_to }}"
|
||||
|
|
@ -109,7 +111,7 @@ user = "{{ .user }}"
|
|||
}
|
||||
|
||||
template {
|
||||
data = "{{ with nomadVar \"nomad/jobs/lldap\" }}{{ .admin_password }}{{ end }}"
|
||||
data = "{{ with nomadVar \"secrets/ldap\" }}{{ .admin_password }}{{ end }}"
|
||||
destination = "$${NOMAD_SECRETS_DIR}/user_pass.txt"
|
||||
change_mode = "restart"
|
||||
}
|
||||
|
|
|
|||
|
|
@ -9,6 +9,27 @@ resource "nomad_job" "lldap" {
|
|||
detach = false
|
||||
}
|
||||
|
||||
# Give access to ldap secrets
|
||||
resource "nomad_acl_policy" "lldap_ldap_secrets" {
|
||||
name = "lldap-secrets-ldap"
|
||||
description = "Give access to LDAP secrets"
|
||||
rules_hcl = <<EOH
|
||||
namespace "default" {
|
||||
variables {
|
||||
path "secrets/ldap" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
}
|
||||
}
|
||||
EOH
|
||||
|
||||
job_acl {
|
||||
job_id = resource.nomad_job.lldap.id
|
||||
group = "lldap"
|
||||
task = "lldap"
|
||||
}
|
||||
}
|
||||
|
||||
# Give access to smtp secrets
|
||||
resource "nomad_acl_policy" "lldap_smtp_secrets" {
|
||||
name = "lldap-secrets-smtp"
|
||||
|
|
@ -82,22 +103,3 @@ EOH
|
|||
task = "stunnel"
|
||||
}
|
||||
}
|
||||
|
||||
# Give access to all ldap secrets
|
||||
resource "nomad_acl_policy" "secrets_ldap" {
|
||||
name = "secrets-ldap"
|
||||
description = "Give access to Postgres secrets"
|
||||
rules_hcl = <<EOH
|
||||
namespace "default" {
|
||||
variables {
|
||||
path "secrets/ldap/*" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
}
|
||||
}
|
||||
EOH
|
||||
|
||||
job_acl {
|
||||
job_id = resource.nomad_job.lldap.id
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue