Use vault for backups jobs

2022-07-21 19:03:40 -07:00 · 2022-07-21 19:03:40 -07:00 · f460f890da
commit f460f890da
parent 29946a4df6
2 changed files with 31 additions and 10 deletions
--- a/backups/backup.nomad
+++ b/backups/backup.nomad
@ -10,6 +10,7 @@ job "backup" {
  constraint {
    attribute = "${node.unique.name}"
    # Only node with a backup job so far
+    # Remove when backing up all nodes
    value = "n2"
  }

@ -85,19 +86,36 @@ job "backup" {
        }
      }

+      vault {
+        policies = [
+          "access-tables",
+          "nomad-task",
+        ]
+      }
+
      env = {
        "MYSQL_HOST" = "${NOMAD_UPSTREAM_IP_mysql_server}"
        "MYSQL_PORT" = "${NOMAD_UPSTREAM_PORT_mysql_server}"
-        # TODO: Add user with access to all databases or variables for each user
-        "MYSQL_DATABASE" = "nextcloud"
-        "MYSQL_USER" = "nextcloud"
-        "MYSQL_PASSWORD" = "nextcloud"
-
-        # TODO: Something from vault
-        "BACKUP_PASSPHRASE" = "secretpass"
      }

      template {
+        # Probably want to use database credentials that have access to dump all tables
+        data = <<EOF
+{{ with secret "kv/data/nextcloud" }}
+MYSQL_DATABASE={{ .Data.data.db_name }}
+MYSQL_USER={{ .Data.data.db_user }}
+MYSQL_PASSWORD={{ .Data.data.db_pass }}
+{{ end }}
+{{ with secret "kv/data/backups" }}
+BACKUP_PASSPHRASE={{ .Data.data.backup_passphrase }}
+{{ end }}
+        EOF
+        destination = "secrets/db.env"
+        env = true
+      }
+
+      template {
+        # Build jobs based on node
        data = <<EOF
 # Current node is {{ env "node.unique.name" }}
 {{ range service "nextcloud" }}
--- a/vault_hashi_vault_values.yml
+++ b/vault_hashi_vault_values.yml
@ -1,10 +1,11 @@
+# Example map of vault values to bootstrap
+# These should be encrypted with Ansible Vault if actually stored here
 hashi_vault_values:
  nextcloud:
    db_name: nextcloud
+    # Eventually replace this with dynamic secrets from Hashicorp Vault
    db_user: nextcloud
-    # Currently it's nextcloud as well
-    db_pass: password
-    backup_passphrase: shhh_imma_secret
+    db_pass: nextcloud
  mysql:
    root_password: supersecretpassword
  slack:
@ -13,3 +14,5 @@ hashi_vault_values:
    hook_url: ...
  grafana:
    alert_email_addresses: email@example.com
+  backups:
+    backup_passphrase: tellnoone