From bc87688f1a0fd63fe4de00f2dad4545f79b1ac0a Mon Sep 17 00:00:00 2001
From: Ian Fijolek <ian@iamthefij.com>
Date: Tue, 16 Jan 2024 14:14:39 -0800
Subject: [PATCH] Move ldap secrets

---
 ansible_playbooks/vars/nomad_vars.sample.yml |  9 ++---
 core/authelia.tf                             | 39 ++++++++++++++++++-
 core/authelia.yml                            |  4 +-
 databases/lldap.nomad                        |  6 ++-
 databases/lldap.tf                           | 40 ++++++++++----------
 5 files changed, 69 insertions(+), 29 deletions(-)

diff --git a/ansible_playbooks/vars/nomad_vars.sample.yml b/ansible_playbooks/vars/nomad_vars.sample.yml
index 207a197..6d89192 100644
--- a/ansible_playbooks/vars/nomad_vars.sample.yml
+++ b/ansible_playbooks/vars/nomad_vars.sample.yml
@@ -9,8 +9,6 @@ nomad/jobs/authelia:
   db_user: VALUE
   email_sender: VALUE
   jwt_secret: VALUE
-  lldap_admin_password: VALUE
-  lldap_admin_user: VALUE
   oidc_clients: VALUE
   oidc_hmac_secret: VALUE
   oidc_issuer_certificate_chain: VALUE
@@ -104,9 +102,6 @@ nomad/jobs/lidarr:
   db_pass: VALUE
   db_user: VALUE
 nomad/jobs/lldap:
-  admin_email: VALUE
-  admin_password: VALUE
-  admin_user: VALUE
   db_name: VALUE
   db_pass: VALUE
   db_user: VALUE
@@ -140,6 +135,10 @@ nomad/jobs/unifi-traffic-route-ips:
   unifi_username: VALUE
 nomad/oidc:
   secret: VALUE
+secrets/ldap:
+  admin_email: VALUE
+  admin_password: VALUE
+  admin_user: VALUE
 secrets/mysql:
   mysql_root_password: VALUE
 secrets/postgres:
diff --git a/core/authelia.tf b/core/authelia.tf
index e7f00a9..aeda0db 100644
--- a/core/authelia.tf
+++ b/core/authelia.tf
@@ -49,7 +49,7 @@ module "authelia" {
       mount = false
     },
     {
-      data        = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .lldap_admin_password }}{{ end }}"
+      data        = "{{ with nomadVar \"secrets/ldap\" }}{{ .admin_password }}{{ end }}"
       dest_prefix = "$${NOMAD_SECRETS_DIR}"
       dest        = "ldap_password.txt"
       mount       = false
@@ -105,6 +105,43 @@ module "authelia" {
   ]
 }
 
+resource "nomad_acl_policy" "authelia" {
+  name        = "authelia"
+  description = "Give access to shared authelia variables"
+  rules_hcl   = <<EOH
+namespace "default" {
+  variables {
+    path "authelia/*" {
+      capabilities = ["read"]
+    }
+  }
+}
+EOH
+
+  job_acl {
+    job_id = module.authelia.job_id
+  }
+}
+
+# Give access to ldap secrets
+resource "nomad_acl_policy" "authelia_ldap_secrets" {
+  name        = "authelia-secrets-ldap"
+  description = "Give access to LDAP secrets"
+  rules_hcl   = <<EOH
+namespace "default" {
+  variables {
+    path "secrets/ldap" {
+      capabilities = ["read"]
+    }
+  }
+}
+EOH
+
+  job_acl {
+    job_id = module.authelia.job_id
+  }
+}
+
 resource "nomad_acl_auth_method" "nomad_authelia" {
   name           = "authelia"
   type           = "OIDC"
diff --git a/core/authelia.yml b/core/authelia.yml
index 4e693aa..cabce0c 100644
--- a/core/authelia.yml
+++ b/core/authelia.yml
@@ -89,8 +89,8 @@ authentication_backend:
     groups_filter: (member={dn})
 
     ## The username and password of the admin user.
-    {{ with nomadVar "nomad/jobs/authelia" }}
-    user: uid={{ .lldap_admin_user }},ou=people,{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}
+    {{ with nomadVar "secrets/ldap" }}
+    user: uid={{ .admin_user }},ou=people,{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}
     {{ end }}
     # password set using secrets file
     # password: <secret>
diff --git a/databases/lldap.nomad b/databases/lldap.nomad
index 434bff8..876066c 100644
--- a/databases/lldap.nomad
+++ b/databases/lldap.nomad
@@ -70,10 +70,12 @@ job "lldap" {
         data = <<EOH
 ldap_base_dn = "{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}"
 
-{{ with nomadVar "nomad/jobs/lldap" -}}
+{{ with nomadVar "secrets/ldap" -}}
 ldap_user_dn = "{{ .admin_user }}"
 ldap_user_email = "{{ .admin_email }}"
+{{ end -}}
 
+{{ with nomadVar "nomad/jobs/lldap" -}}
 [smtp_options]
 from = "{{ .smtp_from }}"
 reply_to = "{{ .smtp_reply_to }}"
@@ -109,7 +111,7 @@ user = "{{ .user }}"
       }
 
       template {
-        data = "{{ with nomadVar \"nomad/jobs/lldap\" }}{{ .admin_password }}{{ end }}"
+        data = "{{ with nomadVar \"secrets/ldap\" }}{{ .admin_password }}{{ end }}"
         destination = "$${NOMAD_SECRETS_DIR}/user_pass.txt"
         change_mode = "restart"
       }
diff --git a/databases/lldap.tf b/databases/lldap.tf
index 3f969ef..4381de8 100644
--- a/databases/lldap.tf
+++ b/databases/lldap.tf
@@ -9,6 +9,27 @@ resource "nomad_job" "lldap" {
   detach = false
 }
 
+# Give access to ldap secrets
+resource "nomad_acl_policy" "lldap_ldap_secrets" {
+  name        = "lldap-secrets-ldap"
+  description = "Give access to LDAP secrets"
+  rules_hcl   = <<EOH
+namespace "default" {
+  variables {
+    path "secrets/ldap" {
+      capabilities = ["read"]
+    }
+  }
+}
+EOH
+
+  job_acl {
+    job_id = resource.nomad_job.lldap.id
+    group  = "lldap"
+    task   = "lldap"
+  }
+}
+
 # Give access to smtp secrets
 resource "nomad_acl_policy" "lldap_smtp_secrets" {
   name        = "lldap-secrets-smtp"
@@ -82,22 +103,3 @@ EOH
     task   = "stunnel"
   }
 }
-
-# Give access to all ldap secrets
-resource "nomad_acl_policy" "secrets_ldap" {
-  name        = "secrets-ldap"
-  description = "Give access to Postgres secrets"
-  rules_hcl   = <<EOH
-namespace "default" {
-  variables {
-    path "secrets/ldap/*" {
-      capabilities = ["read"]
-    }
-  }
-}
-EOH
-
-  job_acl {
-    job_id = resource.nomad_job.lldap.id
-  }
-}