From f460f890daa4a7b6a33f28392c2b73413a31b400 Mon Sep 17 00:00:00 2001
From: Ian Fijolek
Date: Thu, 21 Jul 2022 19:03:40 -0700
Subject: [PATCH] Use vault for backups jobs
---
 backups/backup.nomad | 32 +++++++++++++++++++++++++-------
 vault_hashi_vault_values.yml | 9 ++++++---
 2 files changed, 31 insertions(+), 10 deletions(-)
diff --git a/backups/backup.nomad b/backups/backup.nomad
index b23d3f9..09d5b68 100644
--- a/backups/backup.nomad
+++ b/backups/backup.nomad
@@ -10,6 +10,7 @@ job "backup" {
 constraint {
 attribute = "${node.unique.name}"
 # Only node with a backup job so far
+ # Remove when backing up all nodes
 value = "n2"
 }
 
@@ -85,19 +86,36 @@ job "backup" {
 }
 }
+ vault {
+ policies = [
+ "access-tables",
+ "nomad-task",
+ ]
+ }
+
 env = {
 "MYSQL_HOST" = "${NOMAD_UPSTREAM_IP_mysql_server}"
 "MYSQL_PORT" = "${NOMAD_UPSTREAM_PORT_mysql_server}"
- # TODO: Add user with access to all databases or variables for each user
- "MYSQL_DATABASE" = "nextcloud"
- "MYSQL_USER" = "nextcloud"
- "MYSQL_PASSWORD" = "nextcloud"
-
- # TODO: Something from vault
- "BACKUP_PASSPHRASE" = "secretpass"
 }
 template {
+ # Probably want to use database credentials that have access to dump all tables
+ data = <