Use vault for backups jobs
This commit is contained in:
parent
29946a4df6
commit
f460f890da
@ -10,6 +10,7 @@ job "backup" {
|
|||||||
constraint {
|
constraint {
|
||||||
attribute = "${node.unique.name}"
|
attribute = "${node.unique.name}"
|
||||||
# Only node with a backup job so far
|
# Only node with a backup job so far
|
||||||
|
# Remove when backing up all nodes
|
||||||
value = "n2"
|
value = "n2"
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -85,19 +86,36 @@ job "backup" {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
vault {
|
||||||
|
policies = [
|
||||||
|
"access-tables",
|
||||||
|
"nomad-task",
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
env = {
|
env = {
|
||||||
"MYSQL_HOST" = "${NOMAD_UPSTREAM_IP_mysql_server}"
|
"MYSQL_HOST" = "${NOMAD_UPSTREAM_IP_mysql_server}"
|
||||||
"MYSQL_PORT" = "${NOMAD_UPSTREAM_PORT_mysql_server}"
|
"MYSQL_PORT" = "${NOMAD_UPSTREAM_PORT_mysql_server}"
|
||||||
# TODO: Add user with access to all databases or variables for each user
|
|
||||||
"MYSQL_DATABASE" = "nextcloud"
|
|
||||||
"MYSQL_USER" = "nextcloud"
|
|
||||||
"MYSQL_PASSWORD" = "nextcloud"
|
|
||||||
|
|
||||||
# TODO: Something from vault
|
|
||||||
"BACKUP_PASSPHRASE" = "secretpass"
|
|
||||||
}
|
}
|
||||||
|
|
||||||
template {
|
template {
|
||||||
|
# Probably want to use database credentials that have access to dump all tables
|
||||||
|
data = <<EOF
|
||||||
|
{{ with secret "kv/data/nextcloud" }}
|
||||||
|
MYSQL_DATABASE={{ .Data.data.db_name }}
|
||||||
|
MYSQL_USER={{ .Data.data.db_user }}
|
||||||
|
MYSQL_PASSWORD={{ .Data.data.db_pass }}
|
||||||
|
{{ end }}
|
||||||
|
{{ with secret "kv/data/backups" }}
|
||||||
|
BACKUP_PASSPHRASE={{ .Data.data.backup_passphrase }}
|
||||||
|
{{ end }}
|
||||||
|
EOF
|
||||||
|
destination = "secrets/db.env"
|
||||||
|
env = true
|
||||||
|
}
|
||||||
|
|
||||||
|
template {
|
||||||
|
# Build jobs based on node
|
||||||
data = <<EOF
|
data = <<EOF
|
||||||
# Current node is {{ env "node.unique.name" }}
|
# Current node is {{ env "node.unique.name" }}
|
||||||
{{ range service "nextcloud" }}
|
{{ range service "nextcloud" }}
|
||||||
|
@ -1,10 +1,11 @@
|
|||||||
|
# Example map of vault values to bootstrap
|
||||||
|
# These should be encrypted with Ansible Vault if actually stored here
|
||||||
hashi_vault_values:
|
hashi_vault_values:
|
||||||
nextcloud:
|
nextcloud:
|
||||||
db_name: nextcloud
|
db_name: nextcloud
|
||||||
|
# Eventually replace this with dynamic secrets from Hashicorp Vault
|
||||||
db_user: nextcloud
|
db_user: nextcloud
|
||||||
# Currently it's nextcloud as well
|
db_pass: nextcloud
|
||||||
db_pass: password
|
|
||||||
backup_passphrase: shhh_imma_secret
|
|
||||||
mysql:
|
mysql:
|
||||||
root_password: supersecretpassword
|
root_password: supersecretpassword
|
||||||
slack:
|
slack:
|
||||||
@ -13,3 +14,5 @@ hashi_vault_values:
|
|||||||
hook_url: ...
|
hook_url: ...
|
||||||
grafana:
|
grafana:
|
||||||
alert_email_addresses: email@example.com
|
alert_email_addresses: email@example.com
|
||||||
|
backups:
|
||||||
|
backup_passphrase: tellnoone
|
||||||
|
Loading…
Reference in New Issue
Block a user