Move ldap secrets
This commit is contained in:
parent
3491c1f679
commit
bc87688f1a
|
|
@ -9,8 +9,6 @@ nomad/jobs/authelia:
|
||||||
db_user: VALUE
|
db_user: VALUE
|
||||||
email_sender: VALUE
|
email_sender: VALUE
|
||||||
jwt_secret: VALUE
|
jwt_secret: VALUE
|
||||||
lldap_admin_password: VALUE
|
|
||||||
lldap_admin_user: VALUE
|
|
||||||
oidc_clients: VALUE
|
oidc_clients: VALUE
|
||||||
oidc_hmac_secret: VALUE
|
oidc_hmac_secret: VALUE
|
||||||
oidc_issuer_certificate_chain: VALUE
|
oidc_issuer_certificate_chain: VALUE
|
||||||
|
|
@ -104,9 +102,6 @@ nomad/jobs/lidarr:
|
||||||
db_pass: VALUE
|
db_pass: VALUE
|
||||||
db_user: VALUE
|
db_user: VALUE
|
||||||
nomad/jobs/lldap:
|
nomad/jobs/lldap:
|
||||||
admin_email: VALUE
|
|
||||||
admin_password: VALUE
|
|
||||||
admin_user: VALUE
|
|
||||||
db_name: VALUE
|
db_name: VALUE
|
||||||
db_pass: VALUE
|
db_pass: VALUE
|
||||||
db_user: VALUE
|
db_user: VALUE
|
||||||
|
|
@ -140,6 +135,10 @@ nomad/jobs/unifi-traffic-route-ips:
|
||||||
unifi_username: VALUE
|
unifi_username: VALUE
|
||||||
nomad/oidc:
|
nomad/oidc:
|
||||||
secret: VALUE
|
secret: VALUE
|
||||||
|
secrets/ldap:
|
||||||
|
admin_email: VALUE
|
||||||
|
admin_password: VALUE
|
||||||
|
admin_user: VALUE
|
||||||
secrets/mysql:
|
secrets/mysql:
|
||||||
mysql_root_password: VALUE
|
mysql_root_password: VALUE
|
||||||
secrets/postgres:
|
secrets/postgres:
|
||||||
|
|
|
||||||
|
|
@ -49,7 +49,7 @@ module "authelia" {
|
||||||
mount = false
|
mount = false
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .lldap_admin_password }}{{ end }}"
|
data = "{{ with nomadVar \"secrets/ldap\" }}{{ .admin_password }}{{ end }}"
|
||||||
dest_prefix = "$${NOMAD_SECRETS_DIR}"
|
dest_prefix = "$${NOMAD_SECRETS_DIR}"
|
||||||
dest = "ldap_password.txt"
|
dest = "ldap_password.txt"
|
||||||
mount = false
|
mount = false
|
||||||
|
|
@ -105,6 +105,43 @@ module "authelia" {
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "nomad_acl_policy" "authelia" {
|
||||||
|
name = "authelia"
|
||||||
|
description = "Give access to shared authelia variables"
|
||||||
|
rules_hcl = <<EOH
|
||||||
|
namespace "default" {
|
||||||
|
variables {
|
||||||
|
path "authelia/*" {
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
EOH
|
||||||
|
|
||||||
|
job_acl {
|
||||||
|
job_id = module.authelia.job_id
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Give access to ldap secrets
|
||||||
|
resource "nomad_acl_policy" "authelia_ldap_secrets" {
|
||||||
|
name = "authelia-secrets-ldap"
|
||||||
|
description = "Give access to LDAP secrets"
|
||||||
|
rules_hcl = <<EOH
|
||||||
|
namespace "default" {
|
||||||
|
variables {
|
||||||
|
path "secrets/ldap" {
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
EOH
|
||||||
|
|
||||||
|
job_acl {
|
||||||
|
job_id = module.authelia.job_id
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
resource "nomad_acl_auth_method" "nomad_authelia" {
|
resource "nomad_acl_auth_method" "nomad_authelia" {
|
||||||
name = "authelia"
|
name = "authelia"
|
||||||
type = "OIDC"
|
type = "OIDC"
|
||||||
|
|
|
||||||
|
|
@ -89,8 +89,8 @@ authentication_backend:
|
||||||
groups_filter: (member={dn})
|
groups_filter: (member={dn})
|
||||||
|
|
||||||
## The username and password of the admin user.
|
## The username and password of the admin user.
|
||||||
{{ with nomadVar "nomad/jobs/authelia" }}
|
{{ with nomadVar "secrets/ldap" }}
|
||||||
user: uid={{ .lldap_admin_user }},ou=people,{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}
|
user: uid={{ .admin_user }},ou=people,{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
# password set using secrets file
|
# password set using secrets file
|
||||||
# password: <secret>
|
# password: <secret>
|
||||||
|
|
|
||||||
|
|
@ -70,10 +70,12 @@ job "lldap" {
|
||||||
data = <<EOH
|
data = <<EOH
|
||||||
ldap_base_dn = "{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}"
|
ldap_base_dn = "{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}"
|
||||||
|
|
||||||
{{ with nomadVar "nomad/jobs/lldap" -}}
|
{{ with nomadVar "secrets/ldap" -}}
|
||||||
ldap_user_dn = "{{ .admin_user }}"
|
ldap_user_dn = "{{ .admin_user }}"
|
||||||
ldap_user_email = "{{ .admin_email }}"
|
ldap_user_email = "{{ .admin_email }}"
|
||||||
|
{{ end -}}
|
||||||
|
|
||||||
|
{{ with nomadVar "nomad/jobs/lldap" -}}
|
||||||
[smtp_options]
|
[smtp_options]
|
||||||
from = "{{ .smtp_from }}"
|
from = "{{ .smtp_from }}"
|
||||||
reply_to = "{{ .smtp_reply_to }}"
|
reply_to = "{{ .smtp_reply_to }}"
|
||||||
|
|
@ -109,7 +111,7 @@ user = "{{ .user }}"
|
||||||
}
|
}
|
||||||
|
|
||||||
template {
|
template {
|
||||||
data = "{{ with nomadVar \"nomad/jobs/lldap\" }}{{ .admin_password }}{{ end }}"
|
data = "{{ with nomadVar \"secrets/ldap\" }}{{ .admin_password }}{{ end }}"
|
||||||
destination = "$${NOMAD_SECRETS_DIR}/user_pass.txt"
|
destination = "$${NOMAD_SECRETS_DIR}/user_pass.txt"
|
||||||
change_mode = "restart"
|
change_mode = "restart"
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -9,6 +9,27 @@ resource "nomad_job" "lldap" {
|
||||||
detach = false
|
detach = false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Give access to ldap secrets
|
||||||
|
resource "nomad_acl_policy" "lldap_ldap_secrets" {
|
||||||
|
name = "lldap-secrets-ldap"
|
||||||
|
description = "Give access to LDAP secrets"
|
||||||
|
rules_hcl = <<EOH
|
||||||
|
namespace "default" {
|
||||||
|
variables {
|
||||||
|
path "secrets/ldap" {
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
EOH
|
||||||
|
|
||||||
|
job_acl {
|
||||||
|
job_id = resource.nomad_job.lldap.id
|
||||||
|
group = "lldap"
|
||||||
|
task = "lldap"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
# Give access to smtp secrets
|
# Give access to smtp secrets
|
||||||
resource "nomad_acl_policy" "lldap_smtp_secrets" {
|
resource "nomad_acl_policy" "lldap_smtp_secrets" {
|
||||||
name = "lldap-secrets-smtp"
|
name = "lldap-secrets-smtp"
|
||||||
|
|
@ -82,22 +103,3 @@ EOH
|
||||||
task = "stunnel"
|
task = "stunnel"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# Give access to all ldap secrets
|
|
||||||
resource "nomad_acl_policy" "secrets_ldap" {
|
|
||||||
name = "secrets-ldap"
|
|
||||||
description = "Give access to Postgres secrets"
|
|
||||||
rules_hcl = <<EOH
|
|
||||||
namespace "default" {
|
|
||||||
variables {
|
|
||||||
path "secrets/ldap/*" {
|
|
||||||
capabilities = ["read"]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
EOH
|
|
||||||
|
|
||||||
job_acl {
|
|
||||||
job_id = resource.nomad_job.lldap.id
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue