Add workload ACL management for mysql and postgres access

Allows required jobs to access shared secrets and auto generates psks for stunnel. Currently supporting MySQL, Postgres, and LDAP.
2023-08-29 12:48:48 -07:00 · 2023-08-29 12:48:48 -07:00 · f5898b0283
parent cdba6aa24f
commit f5898b0283
21 changed files with 764 additions and 198 deletions
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@ -2,20 +2,39 @@
 # Manual edits may be lost in future updates.

 provider "registry.terraform.io/hashicorp/nomad" {
-  version = "1.4.20"
+  version = "2.0.0"
  hashes = [
-    "h1:M/QVXHPfeySejJZI3I8mBYrL/J9VsbnyF/dKIMlUhXo=",
-    "zh:02989edcebe724fc0aa873b22176fd20074c4f46295e728010711a8fc5dfa72c",
-    "zh:089ba7d19bcf5c6bab3f8b8c5920eb6d78c52cf79bb0c5dfeb411c600e7efcba",
-    "zh:235865a2182ca372bcbf440201a8b8cc0715ad5dbc4de893d99b6f32b5be53ab",
-    "zh:67ea718764f3f344ecc6e027d20c1327b86353c8064aa90da3ec12cec4a88954",
+    "h1:lIHIxA6ZmfyTGL3J9YIddhxlfit4ipSS09BLxkwo6L0=",
+    "zh:09b897d64db293f9a904a4a0849b11ec1e3fff5c638f734d82ae36d8dc044b72",
+    "zh:435cc106799290f64078ec24b6c59cb32b33784d609088638ed32c6d12121199",
+    "zh:7073444bd064e8c4ec115ca7d9d7f030cc56795c0a83c27f6668bba519e6849a",
    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:8c68c540f0df4980568bdd688c2adec86eda62eb2de154e3db215b16de0a7ae0",
-    "zh:911969c63a69a733be57b96d54c5966c9424e1abec8d5f20038c8cef3a504c65",
-    "zh:a673c92ddc9d47e8d53dcb9b376f1adcb4543488202fc83a3e7eab8677530684",
-    "zh:a94a73eae89fd8c8ebf872013079be41161d3f293f4026c92d45c4c5667dd613",
-    "zh:db6b89f8b696040c0344f00928e4cf6e0a75034421ba14cdcd8a4d23bc865dce",
-    "zh:e512c0b1239e3d66b60d22c2b4de19fea288e492cde90dff9277cc475fd9dbbf",
-    "zh:ef6eccecbdef3bb8ce629cabfb5550c1db5c3e952943dda1786ef6cb470a8c23",
+    "zh:79d238c35d650d2d83a439716182da63f3b2767e72e4cbd0b69cb13d9b1aebfc",
+    "zh:7ef5f49344278fe0bbc5447424e6aa5425ff1821d010d944a444d7fa2c751acf",
+    "zh:92179091638c8ba03feef371c4361a790190f9955caea1fa59de2055c701a251",
+    "zh:a8a34398851761368eb8e7c171f24e55efa6e9fdbb5c455f6dec34dc17f631bc",
+    "zh:b38fd5338625ebace5a4a94cea1a28b11bd91995d834e318f47587cfaf6ec599",
+    "zh:b71b273a2aca7ad5f1e07c767b25b5a888881ba9ca93b30044ccc39c2937f03c",
+    "zh:cd14357e520e0f09fb25badfb4f2ee37d7741afdc3ed47c7bcf54c1683772543",
+    "zh:e05e025f4bb95138c3c8a75c636e97cd7cfd2fc1525b0c8bd097db8c5f02df6e",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version = "3.5.1"
+  hashes = [
+    "h1:VSnd9ZIPyfKHOObuQCaKfnjIHRtR7qTw19Rz8tJxm+k=",
+    "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64",
+    "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d",
+    "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831",
+    "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3",
+    "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b",
+    "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2",
+    "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865",
+    "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03",
+    "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602",
+    "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014",
  ]
 }
--- a/ansible_playbooks/vars/nomad_vars.sample.yml
+++ b/ansible_playbooks/vars/nomad_vars.sample.yml
@ -2,16 +2,12 @@ nomad/jobs:
  base_hostname: VALUE
  db_user_ro: VALUE
  ldap_base_dn: VALUE
-  mysql_root_password: VALUE
  notify_email: VALUE
  smtp_password: VALUE
  smtp_port: VALUE
  smtp_server: VALUE
  smtp_tls: VALUE
  smtp_user: VALUE
-nomad/jobs/adminer/adminer/stunnel:
-  mysql_stunnel_psk: VALUE
-  postgres_stunnel_psk: VALUE
 nomad/jobs/authelia:
  db_name: VALUE
  db_pass: VALUE
@ -27,30 +23,24 @@ nomad/jobs/authelia:
  session_secret: VALUE
  storage_encryption_key: VALUE
 nomad/jobs/authelia/authelia/stunnel:
-  ldap_stunnel_psk: VALUE
-  mysql_stunnel_psk: VALUE
  redis_stunnel_psk: VALUE
 nomad/jobs/backup:
  backup_passphrase: VALUE
-  mysql_stunnel_psk: VALUE
  nas_ftp_host: VALUE
  nas_ftp_pass: VALUE
  nas_ftp_user: VALUE
 nomad/jobs/backup-oneoff-n1:
  backup_passphrase: VALUE
-  mysql_stunnel_psk: VALUE
  nas_ftp_host: VALUE
  nas_ftp_pass: VALUE
  nas_ftp_user: VALUE
 nomad/jobs/backup-oneoff-n2:
  backup_passphrase: VALUE
-  mysql_stunnel_psk: VALUE
  nas_ftp_host: VALUE
  nas_ftp_pass: VALUE
  nas_ftp_user: VALUE
 nomad/jobs/backup-oneoff-pi4:
  backup_passphrase: VALUE
-  mysql_stunnel_psk: VALUE
  nas_ftp_host: VALUE
  nas_ftp_pass: VALUE
  nas_ftp_user: VALUE
@ -58,11 +48,6 @@ nomad/jobs/bazarr:
  db_name: VALUE
  db_pass: VALUE
  db_user: VALUE
-nomad/jobs/bazarr/bazarr/postgres-bootstrap:
-  superuser: VALUE
-  superuser_pass: VALUE
-nomad/jobs/bazarr/bazarr/stunnel:
-  postgres_stunnel_psk: VALUE
 nomad/jobs/blocky:
  db_name: VALUE
  db_pass: VALUE
@ -70,7 +55,6 @@ nomad/jobs/blocky:
  mappings: VALUE
  whitelists_ads: VALUE
 nomad/jobs/blocky/blocky/stunnel:
-  mysql_stunnel_psk: VALUE
  redis_stunnel_psk: VALUE
 nomad/jobs/ddclient:
  domain: VALUE
@ -82,11 +66,8 @@ nomad/jobs/git:
  db_name: VALUE
  db_pass: VALUE
  db_user: VALUE
-  mysql_stunnel_psk: VALUE
  secret_key: VALUE
  smtp_sender: VALUE
-nomad/jobs/git/git/stunnel:
-  mysql_stunnel_psk: VALUE
 nomad/jobs/grafana:
  admin_pw: VALUE
  alert_email_addresses: VALUE
@ -103,8 +84,6 @@ nomad/jobs/grafana:
  slack_hook_url: VALUE
  smtp_password: VALUE
  smtp_user: VALUE
-nomad/jobs/grafana/grafana/stunnel:
-  mysql_stunnel_psk: VALUE
 nomad/jobs/immich:
  db_name: VALUE
  db_pass: VALUE
@ -112,18 +91,10 @@ nomad/jobs/immich:
 nomad/jobs/ipdvr/radarr:
  db_pass: VALUE
  db_user: VALUE
-nomad/jobs/ipdvr/radarr/bootstrap:
-  superuser: VALUE
-  superuser_pass: VALUE
 nomad/jobs/lidarr:
  db_name: VALUE
  db_pass: VALUE
  db_user: VALUE
-nomad/jobs/lidarr/lidarr/postgres-bootstrap:
-  superuser: VALUE
-  superuser_pass: VALUE
-nomad/jobs/lidarr/lidarr/stunnel:
-  postgres_stunnel_psk: VALUE
 nomad/jobs/lldap:
  admin_email: VALUE
  admin_password: VALUE
@ -135,30 +106,19 @@ nomad/jobs/lldap:
  key_seed: VALUE
  smtp_from: VALUE
  smtp_reply_to: VALUE
-nomad/jobs/lldap/lldap/bootstrap:
-  mysql_root_password: VALUE
-nomad/jobs/lldap/lldap/stunnel:
-  allowed_psks: VALUE
-  mysql_stunnel_psk: VALUE
 nomad/jobs/minitor:
  mailgun_api_key: VALUE
 nomad/jobs/mysql-server:
-  allowed_psks: VALUE
-  root_password: VALUE
+  mysql_root_password: VALUE
 nomad/jobs/photoprism:
  admin_password: VALUE
  admin_user: VALUE
  db_name: VALUE
  db_pass: VALUE
  db_user: VALUE
-  mysql_stunnel_psk: VALUE
-nomad/jobs/photoprism/photoprism/stunnel:
-  mysql_stunnel_psk: VALUE
 nomad/jobs/postgres-server:
  superuser: VALUE
  superuser_pass: VALUE
-nomad/jobs/postgres-server/postgres-server/stunnel:
-  allowed_psks: VALUE
 nomad/jobs/redis-authelia:
  allowed_psks: VALUE
 nomad/jobs/redis-blocky:
@ -169,12 +129,6 @@ nomad/jobs/traefik:
  acme_email: VALUE
  domain_lego_dns: VALUE
  usersfile: VALUE
-nomad/jobs/tubesync:
-  db_name: VALUE
-  db_pass: VALUE
-  db_user: VALUE
-nomad/jobs/tubesync/tubesync/stunnel:
-  mysql_stunnel_psk: VALUE
 nomad/oidc:
  secret: VALUE
 secrets/mysql:
--- a/backups/.terraform.lock.hcl
+++ b/backups/.terraform.lock.hcl
@ -2,20 +2,39 @@
 # Manual edits may be lost in future updates.

 provider "registry.terraform.io/hashicorp/nomad" {
-  version = "1.4.20"
+  version = "2.0.0"
  hashes = [
-    "h1:M/QVXHPfeySejJZI3I8mBYrL/J9VsbnyF/dKIMlUhXo=",
-    "zh:02989edcebe724fc0aa873b22176fd20074c4f46295e728010711a8fc5dfa72c",
-    "zh:089ba7d19bcf5c6bab3f8b8c5920eb6d78c52cf79bb0c5dfeb411c600e7efcba",
-    "zh:235865a2182ca372bcbf440201a8b8cc0715ad5dbc4de893d99b6f32b5be53ab",
-    "zh:67ea718764f3f344ecc6e027d20c1327b86353c8064aa90da3ec12cec4a88954",
+    "h1:lIHIxA6ZmfyTGL3J9YIddhxlfit4ipSS09BLxkwo6L0=",
+    "zh:09b897d64db293f9a904a4a0849b11ec1e3fff5c638f734d82ae36d8dc044b72",
+    "zh:435cc106799290f64078ec24b6c59cb32b33784d609088638ed32c6d12121199",
+    "zh:7073444bd064e8c4ec115ca7d9d7f030cc56795c0a83c27f6668bba519e6849a",
    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:8c68c540f0df4980568bdd688c2adec86eda62eb2de154e3db215b16de0a7ae0",
-    "zh:911969c63a69a733be57b96d54c5966c9424e1abec8d5f20038c8cef3a504c65",
-    "zh:a673c92ddc9d47e8d53dcb9b376f1adcb4543488202fc83a3e7eab8677530684",
-    "zh:a94a73eae89fd8c8ebf872013079be41161d3f293f4026c92d45c4c5667dd613",
-    "zh:db6b89f8b696040c0344f00928e4cf6e0a75034421ba14cdcd8a4d23bc865dce",
-    "zh:e512c0b1239e3d66b60d22c2b4de19fea288e492cde90dff9277cc475fd9dbbf",
-    "zh:ef6eccecbdef3bb8ce629cabfb5550c1db5c3e952943dda1786ef6cb470a8c23",
+    "zh:79d238c35d650d2d83a439716182da63f3b2767e72e4cbd0b69cb13d9b1aebfc",
+    "zh:7ef5f49344278fe0bbc5447424e6aa5425ff1821d010d944a444d7fa2c751acf",
+    "zh:92179091638c8ba03feef371c4361a790190f9955caea1fa59de2055c701a251",
+    "zh:a8a34398851761368eb8e7c171f24e55efa6e9fdbb5c455f6dec34dc17f631bc",
+    "zh:b38fd5338625ebace5a4a94cea1a28b11bd91995d834e318f47587cfaf6ec599",
+    "zh:b71b273a2aca7ad5f1e07c767b25b5a888881ba9ca93b30044ccc39c2937f03c",
+    "zh:cd14357e520e0f09fb25badfb4f2ee37d7741afdc3ed47c7bcf54c1683772543",
+    "zh:e05e025f4bb95138c3c8a75c636e97cd7cfd2fc1525b0c8bd097db8c5f02df6e",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version = "3.5.1"
+  hashes = [
+    "h1:VSnd9ZIPyfKHOObuQCaKfnjIHRtR7qTw19Rz8tJxm+k=",
+    "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64",
+    "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d",
+    "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831",
+    "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3",
+    "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b",
+    "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2",
+    "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865",
+    "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03",
+    "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602",
+    "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014",
  ]
 }
--- a/backups/backup.nomad
+++ b/backups/backup.nomad
@ -90,11 +90,16 @@ job "backup%{ if batch_node != null }-oneoff-${batch_node}%{ endif }" {
        data = <<EOF
 MYSQL_HOST=127.0.0.1
 MYSQL_PORT=3306
-# TODO: Move this to new mysql root pass path
-{{ with nomadVar "nomad/jobs" }}
+{{ with nomadVar "secrets/mysql" }}
 MYSQL_USER=root
 MYSQL_PASSWORD={{ .mysql_root_password }}
 {{ end -}}
+{{ with nomadVar "secrets/postgres" }}
+POSTGRES_HOST=127.0.0.1
+POSTGRES_PORT=5432
+POSTGRES_USER={{ .superuser }}
+POSTGRES_PASSWORD={{ .superuser_password }}
+{{ end -}}
 {{ with nomadVar (print "nomad/jobs/" (index (env "NOMAD_JOB_ID" | split "/") 0)) -}}
 BACKUP_PASSPHRASE={{ .backup_passphrase }}
 RCLONE_FTP_HOST={{ .nas_ftp_host }}
@ -169,22 +174,35 @@ delay = yes
 [mysql_client]
 client = yes
 accept = 127.0.0.1:3306
-{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-tls" -}}
+{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-tls" }}
 connect = {{ .Address }}:{{ .Port }}
-{{- end }}
+{{ end }}
 PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/mysql_stunnel_psk.txt
+
+[postgres_client]
+client = yes
+accept = 127.0.0.1:5432
+{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "postgres-tls" }}
+connect = {{ .Address }}:{{ .Port }}
+{{ end }}
+PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/postgres_stunnel_psk.txt
        EOF
        destination = "$${NOMAD_TASK_DIR}/stunnel.conf"
      }

-      # TODO: Get psk for backup jobs despite multiple job declarations
-      # Probably should use variable ACLs to grant each node job to this path
      template {
        data = <<EOF
-{{- with nomadVar (print "nomad/jobs/" (index (env "NOMAD_JOB_ID" | split "/") 0)) }}{{ .mysql_stunnel_psk }}{{ end -}}
+{{- with nomadVar "secrets/mysql/allowed_psks/backups" }}{{ .psk }}{{ end -}}
 EOF
        destination = "$${NOMAD_SECRETS_DIR}/mysql_stunnel_psk.txt"
      }
+
+      template {
+        data = <<EOF
+{{- with nomadVar "secrets/postgres/allowed_psks/backups" }}{{ .psk }}{{ end -}}
+EOF
+        destination = "$${NOMAD_SECRETS_DIR}/postgres_stunnel_psk.txt"
+      }
    }
  }
 }
--- a/backups/backups.tf
+++ b/backups/backups.tf
@ -28,3 +28,115 @@ resource "nomad_job" "backup-oneoff" {
    use_wesher  = var.use_wesher
  })
 }
+
+locals {
+  all_job_ids = toset(flatten([[for job in resource.nomad_job.backup-oneoff : job.id], [resource.nomad_job.backup.id]]))
+}
+
+resource "nomad_acl_policy" "secrets_mysql" {
+  for_each = local.all_job_ids
+
+  name        = "${each.key}-secrets-mysql"
+  description = "Give access to MySQL secrets"
+  rules_hcl   = <<EOH
+namespace "default" {
+  variables {
+    path "secrets/mysql" {
+      capabilities = ["read"]
+    }
+  }
+}
+EOH
+
+  job_acl {
+    job_id = each.key
+  }
+}
+
+resource "random_password" "mysql_psk" {
+  length           = 32
+  override_special = "!@#%&*-_="
+}
+
+resource "nomad_variable" "mysql_psk" {
+  path = "secrets/mysql/allowed_psks/backups"
+  items = {
+    psk = "backups:${resource.random_password.mysql_psk.result}"
+  }
+}
+
+resource "nomad_acl_policy" "mysql_psk" {
+  for_each = local.all_job_ids
+
+  name        = "${each.key}-secrets-mysql-psk"
+  description = "Give access to MySQL PSK secrets"
+  rules_hcl   = <<EOH
+namespace "default" {
+  variables {
+    path "secrets/mysql/allowed_psks/backups" {
+      capabilities = ["read"]
+    }
+  }
+}
+EOH
+
+  job_acl {
+    job_id = each.key
+    group  = "backup"
+    task   = "stunnel"
+  }
+}
+
+resource "nomad_acl_policy" "secrets_postgres" {
+  for_each = local.all_job_ids
+
+  name        = "${each.key}-secrets-postgres"
+  description = "Give access to Postgres secrets"
+  rules_hcl   = <<EOH
+namespace "default" {
+  variables {
+    path "secrets/postgres" {
+      capabilities = ["read"]
+    }
+  }
+}
+EOH
+
+  job_acl {
+    job_id = each.key
+  }
+}
+
+resource "random_password" "postgres_psk" {
+  length           = 32
+  override_special = "!@#%&*-_="
+}
+
+resource "nomad_variable" "postgres_psk" {
+  path = "secrets/postgres/allowed_psks/backups"
+  items = {
+    psk = "backups:${resource.random_password.postgres_psk.result}"
+  }
+}
+
+resource "nomad_acl_policy" "postgres_psk" {
+  for_each = local.all_job_ids
+
+  name        = "${each.key}-secrets-postgres-psk"
+  description = "Give access to Postgres PSK secrets"
+  rules_hcl   = <<EOH
+namespace "default" {
+  variables {
+    path "secrets/postgres/allowed_psks/backups" {
+      capabilities = ["read"]
+    }
+  }
+}
+EOH
+
+  job_acl {
+    job_id = each.key
+    group  = "backup"
+    task   = "stunnel"
+  }
+}
--- a/core/.terraform.lock.hcl
+++ b/core/.terraform.lock.hcl
@ -2,20 +2,39 @@
 # Manual edits may be lost in future updates.

 provider "registry.terraform.io/hashicorp/nomad" {
-  version = "1.4.20"
+  version = "2.0.0"
  hashes = [
-    "h1:M/QVXHPfeySejJZI3I8mBYrL/J9VsbnyF/dKIMlUhXo=",
-    "zh:02989edcebe724fc0aa873b22176fd20074c4f46295e728010711a8fc5dfa72c",
-    "zh:089ba7d19bcf5c6bab3f8b8c5920eb6d78c52cf79bb0c5dfeb411c600e7efcba",
-    "zh:235865a2182ca372bcbf440201a8b8cc0715ad5dbc4de893d99b6f32b5be53ab",
-    "zh:67ea718764f3f344ecc6e027d20c1327b86353c8064aa90da3ec12cec4a88954",
+    "h1:lIHIxA6ZmfyTGL3J9YIddhxlfit4ipSS09BLxkwo6L0=",
+    "zh:09b897d64db293f9a904a4a0849b11ec1e3fff5c638f734d82ae36d8dc044b72",
+    "zh:435cc106799290f64078ec24b6c59cb32b33784d609088638ed32c6d12121199",
+    "zh:7073444bd064e8c4ec115ca7d9d7f030cc56795c0a83c27f6668bba519e6849a",
    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:8c68c540f0df4980568bdd688c2adec86eda62eb2de154e3db215b16de0a7ae0",
-    "zh:911969c63a69a733be57b96d54c5966c9424e1abec8d5f20038c8cef3a504c65",
-    "zh:a673c92ddc9d47e8d53dcb9b376f1adcb4543488202fc83a3e7eab8677530684",
-    "zh:a94a73eae89fd8c8ebf872013079be41161d3f293f4026c92d45c4c5667dd613",
-    "zh:db6b89f8b696040c0344f00928e4cf6e0a75034421ba14cdcd8a4d23bc865dce",
-    "zh:e512c0b1239e3d66b60d22c2b4de19fea288e492cde90dff9277cc475fd9dbbf",
-    "zh:ef6eccecbdef3bb8ce629cabfb5550c1db5c3e952943dda1786ef6cb470a8c23",
+    "zh:79d238c35d650d2d83a439716182da63f3b2767e72e4cbd0b69cb13d9b1aebfc",
+    "zh:7ef5f49344278fe0bbc5447424e6aa5425ff1821d010d944a444d7fa2c751acf",
+    "zh:92179091638c8ba03feef371c4361a790190f9955caea1fa59de2055c701a251",
+    "zh:a8a34398851761368eb8e7c171f24e55efa6e9fdbb5c455f6dec34dc17f631bc",
+    "zh:b38fd5338625ebace5a4a94cea1a28b11bd91995d834e318f47587cfaf6ec599",
+    "zh:b71b273a2aca7ad5f1e07c767b25b5a888881ba9ca93b30044ccc39c2937f03c",
+    "zh:cd14357e520e0f09fb25badfb4f2ee37d7741afdc3ed47c7bcf54c1683772543",
+    "zh:e05e025f4bb95138c3c8a75c636e97cd7cfd2fc1525b0c8bd097db8c5f02df6e",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version = "3.5.1"
+  hashes = [
+    "h1:VSnd9ZIPyfKHOObuQCaKfnjIHRtR7qTw19Rz8tJxm+k=",
+    "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64",
+    "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d",
+    "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831",
+    "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3",
+    "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b",
+    "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2",
+    "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865",
+    "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03",
+    "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602",
+    "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014",
  ]
 }
--- a/core/blocky/.terraform.lock.hcl
+++ b/core/blocky/.terraform.lock.hcl
@ -2,20 +2,39 @@
 # Manual edits may be lost in future updates.

 provider "registry.terraform.io/hashicorp/nomad" {
-  version = "1.4.16"
+  version = "2.0.0"
  hashes = [
-    "h1:PQxNPNmMVOErxryTWIJwr22k95DTSODmgRylqjc2TjI=",
-    "h1:tyfjD/maKzb0RxxD9KWgLnkJu9lnYziYsQgGw85Giz8=",
-    "zh:0d4fbb7030d9caac3b123e60afa44f50c83cc2a983e1866aec7f30414abe7b0e",
-    "zh:0db080228e07c72d6d8ca8c45249d6f97cd0189fce82a77abbdcd49a52e57572",
-    "zh:0df88393271078533a217654b96f0672c60eb59570d72e6aefcb839eea87a7a0",
-    "zh:2883b335bb6044b0db6a00e602d6926c047c7f330294a73a90d089f98b24d084",
-    "zh:390158d928009a041b3a182bdd82376b50530805ae92be2b84ed7c3b0fa902a0",
-    "zh:7169b8f8df4b8e9659c49043848fd5f7f8473d0471f67815e8b04980f827f5ef",
-    "zh:9417ee1383b1edd137024882d7035be4dca51fb4f725ca00ed87729086ec1755",
-    "zh:a22910b5a29eeab5610350700b4899267c1b09b66cf21f7e4d06afc61d425800",
-    "zh:a6185c9cd7aa458cd81861058ba568b6411fbac344373a20155e20256f4a7557",
-    "zh:b6260ca9f034df1b47905b4e2a9c33b67dbf77224a694d5b10fb09ae92ffad4c",
-    "zh:d87c12a6a7768f2b6c2a59495c7dc00f9ecc52b1b868331d4c284f791e278a1e",
+    "h1:lIHIxA6ZmfyTGL3J9YIddhxlfit4ipSS09BLxkwo6L0=",
+    "zh:09b897d64db293f9a904a4a0849b11ec1e3fff5c638f734d82ae36d8dc044b72",
+    "zh:435cc106799290f64078ec24b6c59cb32b33784d609088638ed32c6d12121199",
+    "zh:7073444bd064e8c4ec115ca7d9d7f030cc56795c0a83c27f6668bba519e6849a",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:79d238c35d650d2d83a439716182da63f3b2767e72e4cbd0b69cb13d9b1aebfc",
+    "zh:7ef5f49344278fe0bbc5447424e6aa5425ff1821d010d944a444d7fa2c751acf",
+    "zh:92179091638c8ba03feef371c4361a790190f9955caea1fa59de2055c701a251",
+    "zh:a8a34398851761368eb8e7c171f24e55efa6e9fdbb5c455f6dec34dc17f631bc",
+    "zh:b38fd5338625ebace5a4a94cea1a28b11bd91995d834e318f47587cfaf6ec599",
+    "zh:b71b273a2aca7ad5f1e07c767b25b5a888881ba9ca93b30044ccc39c2937f03c",
+    "zh:cd14357e520e0f09fb25badfb4f2ee37d7741afdc3ed47c7bcf54c1683772543",
+    "zh:e05e025f4bb95138c3c8a75c636e97cd7cfd2fc1525b0c8bd097db8c5f02df6e",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version = "3.5.1"
+  hashes = [
+    "h1:VSnd9ZIPyfKHOObuQCaKfnjIHRtR7qTw19Rz8tJxm+k=",
+    "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64",
+    "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d",
+    "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831",
+    "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3",
+    "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b",
+    "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2",
+    "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865",
+    "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03",
+    "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602",
+    "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014",
  ]
 }
--- a/core/blocky/blocky.nomad
+++ b/core/blocky/blocky.nomad
@ -162,7 +162,7 @@ PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt

      template {
        data = <<EOF
-{{- with nomadVar "nomad/jobs/blocky/blocky/stunnel" }}{{ .mysql_stunnel_psk }}{{ end -}}
+{{- with nomadVar "secrets/mysql/allowed_psks/blocky" }}{{ .psk }}{{ end -}}
 EOF
        destination = "$${NOMAD_SECRETS_DIR}/mysql_stunnel_psk.txt"
      }
@ -200,7 +200,7 @@ EOF
 host=127.0.0.1
 port=3306
 user=root
-{{ with nomadVar "nomad/jobs" }}
+{{ with nomadVar "secrets/mysql" }}
 password={{ .mysql_root_password }}
 {{ end }}
        EOF
--- a/core/blocky/blocky.tf
+++ b/core/blocky/blocky.tf
@ -14,3 +14,56 @@ resource "nomad_job" "blocky" {
    use_wesher = var.use_wesher,
  })
 }
+
+# Generate secrets and policies for access to MySQL
+resource "nomad_acl_policy" "blocky_mysql_bootstrap_secrets" {
+  name        = "blocky-secrets-mysql"
+  description = "Give access to MySQL secrets"
+  rules_hcl   = <<EOH
+namespace "default" {
+  variables {
+    path "secrets/mysql" {
+      capabilities = ["read"]
+    }
+  }
+}
+EOH
+
+  job_acl {
+    job_id = "blocky"
+    group  = "blocky"
+    task   = "bootstrap"
+  }
+}
+
+resource "random_password" "blocky_mysql_psk" {
+  length           = 32
+  override_special = "!@#%&*-_="
+}
+
+resource "nomad_variable" "blocky_mysql_psk" {
+  path = "secrets/mysql/allowed_psks/blocky"
+  items = {
+    psk = "blocky:${resource.random_password.blocky_mysql_psk.result}"
+  }
+}
+
+resource "nomad_acl_policy" "blocky_mysql_psk" {
+  name        = "blocky-secrets-mysql-psk"
+  description = "Give access to MySQL PSK secrets"
+  rules_hcl   = <<EOH
+namespace "default" {
+  variables {
+    path "secrets/mysql/allowed_psks/blocky" {
+      capabilities = ["read"]
+    }
+  }
+}
+EOH
+
+  job_acl {
+    job_id = "blocky"
+    group  = "blocky"
+    task   = "stunnel"
+  }
+}
--- a/core/grafana.nomad
+++ b/core/grafana.nomad
@ -76,17 +76,15 @@ PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/mysql_stunnel_psk.txt
        destination = "$${NOMAD_TASK_DIR}/stunnel.conf"
      }

-      # TODO: Get psk for backup jobs despite multiple job declarations
-      # Probably should use variable ACLs to grant each node job to this path
      template {
        data = <<EOF
-{{- with nomadVar "nomad/jobs/grafana/grafana/stunnel" }}{{ .mysql_stunnel_psk }}{{ end -}}
+{{- with nomadVar "secrets/mysql/allowed_psks/grafana" }}{{ .psk }}{{ end -}}
 EOF
        destination = "$${NOMAD_SECRETS_DIR}/mysql_stunnel_psk.txt"
      }
    }

-    task "grafana-bootstrap" {
+    task "mysql-bootstrap" {
      driver = "docker"

      lifecycle {
@ -111,7 +109,7 @@ EOF
 host=127.0.0.1
 port=3306
 user=root
-{{ with nomadVar "nomad/jobs" -}}
+{{ with nomadVar "secrets/mysql" -}}
 password={{ .mysql_root_password }}
 {{ end -}}
        EOF
--- a/core/metrics.tf
+++ b/core/metrics.tf
@ -30,3 +30,56 @@ resource "nomad_job" "grafana" {

  depends_on = [nomad_job.prometheus]
 }
+
+# Generate secrets and policies for access to MySQL
+resource "nomad_acl_policy" "grafana_mysql_bootstrap_secrets" {
+  name        = "grafana-secrets-mysql"
+  description = "Give access to MySQL secrets"
+  rules_hcl   = <<EOH
+namespace "default" {
+  variables {
+    path "secrets/mysql" {
+      capabilities = ["read"]
+    }
+  }
+}
+EOH
+
+  job_acl {
+    job_id = "grafana"
+    group  = "grafana"
+    task   = "mysql-bootstrap"
+  }
+}
+
+resource "random_password" "grafana_mysql_psk" {
+  length           = 32
+  override_special = "!@#%&*-_="
+}
+
+resource "nomad_variable" "grafana_mysql_psk" {
+  path = "secrets/mysql/allowed_psks/grafana"
+  items = {
+    psk = "grafana:${resource.random_password.grafana_mysql_psk.result}"
+  }
+}
+
+resource "nomad_acl_policy" "grafana_mysql_psk" {
+  name        = "grafana-secrets-mysql-psk"
+  description = "Give access to MySQL PSK secrets"
+  rules_hcl   = <<EOH
+namespace "default" {
+  variables {
+    path "secrets/mysql/allowed_psks/grafana" {
+      capabilities = ["read"]
+    }
+  }
+}
+EOH
+
+  job_acl {
+    job_id = "grafana"
+    group  = "grafana"
+    task   = "stunnel"
+  }
+}
--- a/databases/.terraform.lock.hcl
+++ b/databases/.terraform.lock.hcl
@ -1,40 +1,40 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.

-provider "registry.terraform.io/hashicorp/consul" {
-  version = "2.15.1"
+provider "registry.terraform.io/hashicorp/nomad" {
+  version = "2.0.0"
  hashes = [
-    "h1:PexyQBRLDA+SR+sWlzYBZswry5O5h/tTfj87CaECtLc=",
-    "zh:1806830a3cf103e65e772a7d28fd4df2788c29a029fb2def1326bc777ad107ed",
-    "zh:252be544fb4c9daf09cad7d3776daf5fa66b62740d3ea9d6d499a7b1697c3433",
-    "zh:50985fe02a8e5ae47c75d7c28c911b25d7dc4716cff2ed55ca05889ab77a1f73",
-    "zh:54cf0ec90538703c66937c77e8d72a38d5af47437eb0b8b55eb5836c5d288878",
-    "zh:704f536c621337e06fffef6d5f49ac81f52d249f937250527c12884cb83aefed",
-    "zh:896d8ef6d0b555299f124eb25bce8a17d735da14ef21f07582098d301f47da30",
-    "zh:976277a85b0a0baafe267cc494f766448d1da5b6936ddcb3ce393bd4d22f08d2",
-    "zh:c7faa9a2b11bc45833a3e8e340f22f1ecf01597eaeffa7669234b4549d7dfa85",
-    "zh:caf851ef9c8ce482864badf7058f9278d4537112fa236efd8f1a9315801d9061",
-    "zh:db203435d58b0ac842540861b3307a623423275d85754c171773f3b210ae5b24",
-    "zh:f3d3efac504c9484a025beb919d22b290aa6dbff256f6e86c1f8ce7817e077e5",
-    "zh:f710a37190429045d109edd35de69db3b5f619919c2fa04c77a3a639fea9fd7d",
+    "h1:lIHIxA6ZmfyTGL3J9YIddhxlfit4ipSS09BLxkwo6L0=",
+    "zh:09b897d64db293f9a904a4a0849b11ec1e3fff5c638f734d82ae36d8dc044b72",
+    "zh:435cc106799290f64078ec24b6c59cb32b33784d609088638ed32c6d12121199",
+    "zh:7073444bd064e8c4ec115ca7d9d7f030cc56795c0a83c27f6668bba519e6849a",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:79d238c35d650d2d83a439716182da63f3b2767e72e4cbd0b69cb13d9b1aebfc",
+    "zh:7ef5f49344278fe0bbc5447424e6aa5425ff1821d010d944a444d7fa2c751acf",
+    "zh:92179091638c8ba03feef371c4361a790190f9955caea1fa59de2055c701a251",
+    "zh:a8a34398851761368eb8e7c171f24e55efa6e9fdbb5c455f6dec34dc17f631bc",
+    "zh:b38fd5338625ebace5a4a94cea1a28b11bd91995d834e318f47587cfaf6ec599",
+    "zh:b71b273a2aca7ad5f1e07c767b25b5a888881ba9ca93b30044ccc39c2937f03c",
+    "zh:cd14357e520e0f09fb25badfb4f2ee37d7741afdc3ed47c7bcf54c1683772543",
+    "zh:e05e025f4bb95138c3c8a75c636e97cd7cfd2fc1525b0c8bd097db8c5f02df6e",
  ]
 }

-provider "registry.terraform.io/hashicorp/nomad" {
-  version = "1.4.17"
+provider "registry.terraform.io/hashicorp/random" {
+  version = "3.5.1"
  hashes = [
-    "h1:iPylWr144mqXvM8NBVMTm+MS6JRhqIihlpJG91GYDyA=",
-    "zh:146f97eacd9a0c78b357a6cfd2cb12765d4b18e9660a75500ee3e748c6eba41a",
-    "zh:2eb89a6e5cee9aea03a96ea9f141096fe3baf219b2700ce30229d2d882f5015f",
-    "zh:3d0f971f79b615c1014c75e2f99f34bd4b4da542ca9f31d5ea7fadc4e9de39c1",
-    "zh:46099a750c752ce05aa14d663a86478a5ad66d95aff3d69367f1d3628aac7792",
-    "zh:71e56006b013dcfe1e4e059b2b07148b44fcd79351ae2c357e0d97e27ae0d916",
-    "zh:74febd25d776688f0558178c2f5a0e6818bbf4cdaa2e160d7049da04103940f0",
+    "h1:VSnd9ZIPyfKHOObuQCaKfnjIHRtR7qTw19Rz8tJxm+k=",
+    "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64",
+    "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d",
+    "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831",
+    "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3",
+    "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f",
    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:af18c064a5f0dd5422d6771939274841f635b619ab392c73d5bf9720945fdb85",
-    "zh:c133d7a862079da9f06e301c530eacbd70e9288fa2276ec0704df907270ee328",
-    "zh:c894cf98d239b9f5a4b7cde9f5c836face0b5b93099048ee817b0380ea439c65",
-    "zh:c918642870f0cafdbe4d7dd07c909701fc3ddb47cac8357bdcde1327bf78c11d",
-    "zh:f8f5655099a57b4b9c0018a2d49133771e24c7ff8262efb1ceb140fd224aa9b6",
+    "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b",
+    "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2",
+    "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865",
+    "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03",
+    "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602",
+    "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014",
  ]
 }
--- a/databases/lldap.nomad
+++ b/databases/lldap.nomad
@ -126,8 +126,7 @@ password = "{{ .smtp_password }}"
 host=127.0.0.1
 port=3306
 user=root
-# TODO: Use via lesser scoped access
-{{ with nomadVar "nomad/jobs/lldap/lldap/bootstrap" -}}
+{{ with nomadVar "secrets/mysql" -}}
 password={{ .mysql_root_password }}
 {{ end -}}
        EOF
@ -212,16 +211,16 @@ PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/mysql_stunnel_psk.txt

      template {
        data = <<EOF
-{{ with nomadVar "nomad/jobs/lldap/lldap/stunnel" -}}
-{{ .allowed_psks }}
-{{- end }}
+{{ range nomadVarList "secrets/ldap/allowed_psks" -}}
+{{ with nomadVar .Path }}{{ .psk }}{{ end }}
+{{ end -}}
 EOF
        destination = "$${NOMAD_TASK_DIR}/stunnel_psk.txt"
      }

      template {
        data = <<EOF
-{{- with nomadVar "nomad/jobs/lldap/lldap/stunnel" }}{{ .mysql_stunnel_psk }}{{ end -}}
+{{- with nomadVar "secrets/mysql/allowed_psks/lldap" }}{{ .psk }}{{ end -}}
 EOF
        destination = "$${NOMAD_SECRETS_DIR}/mysql_stunnel_psk.txt"
      }
--- a/databases/lldap.tf
+++ b/databases/lldap.tf
@ -0,0 +1,82 @@
+resource "nomad_job" "lldap" {
+  jobspec = templatefile("${path.module}/lldap.nomad", {
+    use_wesher = var.use_wesher,
+  })
+
+  depends_on = [resource.nomad_job.mysql-server]
+
+  # Block until deployed as there are servics dependent on this one
+  detach = false
+}
+
+# Generate secrets and policies for access to MySQL
+resource "nomad_acl_policy" "lldap_mysql_bootstrap_secrets" {
+  name        = "lldap-secrets-mysql"
+  description = "Give access to MySQL secrets"
+  rules_hcl   = <<EOH
+namespace "default" {
+  variables {
+    path "secrets/mysql" {
+      capabilities = ["read"]
+    }
+  }
+}
+EOH
+
+  job_acl {
+    job_id = "lldap"
+    group  = "lldap"
+    task   = "bootstrap"
+  }
+}
+
+resource "random_password" "lldap_mysql_psk" {
+  length           = 32
+  override_special = "!@#%&*-_="
+}
+
+resource "nomad_variable" "lldap_mysql_psk" {
+  path = "secrets/mysql/allowed_psks/lldap"
+  items = {
+    psk = "lldap:${resource.random_password.lldap_mysql_psk.result}"
+  }
+}
+
+resource "nomad_acl_policy" "lldap_mysql_psk" {
+  name        = "lldap-secrets-mysql-psk"
+  description = "Give access to MySQL PSK secrets"
+  rules_hcl   = <<EOH
+namespace "default" {
+  variables {
+    path "secrets/mysql/allowed_psks/lldap" {
+      capabilities = ["read"]
+    }
+  }
+}
+EOH
+
+  job_acl {
+    job_id = "lldap"
+    group  = "lldap"
+    task   = "stunnel"
+  }
+}
+
+# Give access to all ldap secrets
+resource "nomad_acl_policy" "secrets_ldap" {
+  name        = "secrets-ldap"
+  description = "Give access to Postgres secrets"
+  rules_hcl   = <<EOH
+namespace "default" {
+  variables {
+    path "secrets/ldap/*" {
+      capabilities = ["read"]
+    }
+  }
+}
+EOH
+
+  job_acl {
+    job_id = resource.nomad_job.lldap.id
+  }
+}
--- a/databases/main.tf
+++ b/databases/main.tf
@ -9,6 +9,24 @@ resource "nomad_job" "mysql-server" {
  detach = false
 }

+resource "nomad_acl_policy" "secrets_mysql" {
+  name        = "secrets-mysql"
+  description = "Give access to MySQL secrets"
+  rules_hcl   = <<EOH
+namespace "default" {
+  variables {
+    path "secrets/mysql/*" {
+      capabilities = ["read"]
+    }
+  }
+}
+EOH
+
+  job_acl {
+    job_id = resource.nomad_job.mysql-server.id
+  }
+}
+
 resource "nomad_job" "postgres-server" {
  hcl2 {
    enabled = true
@ -20,6 +38,24 @@ resource "nomad_job" "postgres-server" {
  detach = false
 }

+resource "nomad_acl_policy" "secrets_postgres" {
+  name        = "secrets-postgres"
+  description = "Give access to Postgres secrets"
+  rules_hcl   = <<EOH
+namespace "default" {
+  variables {
+    path "secrets/postgres/*" {
+      capabilities = ["read"]
+    }
+  }
+}
+EOH
+
+  job_acl {
+    job_id = resource.nomad_job.postgres-server.id
+  }
+}
+
 resource "nomad_job" "redis" {
  for_each = toset(["blocky", "authelia"])

@ -36,14 +72,3 @@ resource "nomad_job" "redis" {
  # Block until deployed as there are servics dependent on this one
  detach = false
 }
-
-resource "nomad_job" "lldap" {
-  jobspec = templatefile("${path.module}/lldap.nomad", {
-    use_wesher = var.use_wesher,
-  })
-
-  depends_on = [resource.nomad_job.mysql-server]
-
-  # Block until deployed as there are servics dependent on this one
-  detach = false
-}
--- a/databases/mysql.nomad
+++ b/databases/mysql.nomad
@ -117,9 +117,9 @@ PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt

      template {
        data = <<EOF
-{{ with nomadVar "nomad/jobs/mysql-server" -}}
-{{ .allowed_psks }}
-{{- end }}
+{{ range nomadVarList "secrets/mysql/allowed_psks" -}}
+{{ with nomadVar .Path }}{{ .psk }}{{ end }}
+{{ end -}}
 EOF
        destination = "${NOMAD_SECRETS_DIR}/stunnel_psk.txt"
      }
--- a/databases/postgres.nomad
+++ b/databases/postgres.nomad
@ -117,9 +117,9 @@ PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt

      template {
        data = <<EOF
-{{ with nomadVar "nomad/jobs/postgres-server/postgres-server/stunnel" -}}
-{{ .allowed_psks }}
-{{- end }}
+{{ range nomadVarList "secrets/postgres/allowed_psks" -}}
+{{ with nomadVar .Path }}{{ .psk }}{{ end }}
+{{ end -}}
 EOF
        destination = "${NOMAD_SECRETS_DIR}/stunnel_psk.txt"
      }
--- a/services/.terraform.lock.hcl
+++ b/services/.terraform.lock.hcl
@ -2,20 +2,39 @@
 # Manual edits may be lost in future updates.

 provider "registry.terraform.io/hashicorp/nomad" {
-  version = "1.4.19"
+  version = "2.0.0"
  hashes = [
-    "h1:EdBny2gaLr/IE+l+6csyCKeIGFMYZ/4tHKpcbS7ArgE=",
-    "zh:2f3ceeb3318a6304026035b0ac9ee3e52df04913bb9ee78827e58c5398b41254",
-    "zh:3fbe76c7d957d20dfe3c8c0528b33084651f22a95be9e0452b658e0922916e2a",
-    "zh:595671a05828cfe6c42ef73aac894ac39f81a52cc662a76f37eb74ebe04ddf75",
-    "zh:5d76e8788d2af3e60daf8076babf763ec887480bbb9734baccccd8fcddf4f03e",
-    "zh:676985afeaca6e67b22d60d43fd0ed7055763029ffebc3026089fe2fd3b4a288",
-    "zh:69152ce6164ac999a640cff962ece45208270e1ac37c10dac484eeea5cf47275",
-    "zh:6da0b15c05b81f947ec8e139bd81eeeb05c0d36eb5a967b985d0625c60998b40",
+    "h1:lIHIxA6ZmfyTGL3J9YIddhxlfit4ipSS09BLxkwo6L0=",
+    "zh:09b897d64db293f9a904a4a0849b11ec1e3fff5c638f734d82ae36d8dc044b72",
+    "zh:435cc106799290f64078ec24b6c59cb32b33784d609088638ed32c6d12121199",
+    "zh:7073444bd064e8c4ec115ca7d9d7f030cc56795c0a83c27f6668bba519e6849a",
    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:822c0a3bbada5e38099a379db8b2e339526843699627c3be3664cc3b3752bab7",
-    "zh:af23af2f98a84695b25c8eba7028a81ad4aad63c44aefb79e01bbe2dc82e7f78",
-    "zh:e36cac9960b7506d92925b667254322520966b9c3feb3ca6102e57a1fb9b1761",
-    "zh:ffd1e096c1cc35de879c740a91918e9f06b627818a3cb4b1d87b829b54a6985f",
+    "zh:79d238c35d650d2d83a439716182da63f3b2767e72e4cbd0b69cb13d9b1aebfc",
+    "zh:7ef5f49344278fe0bbc5447424e6aa5425ff1821d010d944a444d7fa2c751acf",
+    "zh:92179091638c8ba03feef371c4361a790190f9955caea1fa59de2055c701a251",
+    "zh:a8a34398851761368eb8e7c171f24e55efa6e9fdbb5c455f6dec34dc17f631bc",
+    "zh:b38fd5338625ebace5a4a94cea1a28b11bd91995d834e318f47587cfaf6ec599",
+    "zh:b71b273a2aca7ad5f1e07c767b25b5a888881ba9ca93b30044ccc39c2937f03c",
+    "zh:cd14357e520e0f09fb25badfb4f2ee37d7741afdc3ed47c7bcf54c1683772543",
+    "zh:e05e025f4bb95138c3c8a75c636e97cd7cfd2fc1525b0c8bd097db8c5f02df6e",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version = "3.5.1"
+  hashes = [
+    "h1:VSnd9ZIPyfKHOObuQCaKfnjIHRtR7qTw19Rz8tJxm+k=",
+    "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64",
+    "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d",
+    "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831",
+    "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3",
+    "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b",
+    "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2",
+    "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865",
+    "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03",
+    "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602",
+    "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014",
  ]
 }
--- a/services/service/.terraform.lock.hcl
+++ b/services/service/.terraform.lock.hcl
@ -2,20 +2,39 @@
 # Manual edits may be lost in future updates.

 provider "registry.terraform.io/hashicorp/nomad" {
-  version = "1.4.19"
+  version = "2.0.0"
  hashes = [
-    "h1:EdBny2gaLr/IE+l+6csyCKeIGFMYZ/4tHKpcbS7ArgE=",
-    "zh:2f3ceeb3318a6304026035b0ac9ee3e52df04913bb9ee78827e58c5398b41254",
-    "zh:3fbe76c7d957d20dfe3c8c0528b33084651f22a95be9e0452b658e0922916e2a",
-    "zh:595671a05828cfe6c42ef73aac894ac39f81a52cc662a76f37eb74ebe04ddf75",
-    "zh:5d76e8788d2af3e60daf8076babf763ec887480bbb9734baccccd8fcddf4f03e",
-    "zh:676985afeaca6e67b22d60d43fd0ed7055763029ffebc3026089fe2fd3b4a288",
-    "zh:69152ce6164ac999a640cff962ece45208270e1ac37c10dac484eeea5cf47275",
-    "zh:6da0b15c05b81f947ec8e139bd81eeeb05c0d36eb5a967b985d0625c60998b40",
+    "h1:lIHIxA6ZmfyTGL3J9YIddhxlfit4ipSS09BLxkwo6L0=",
+    "zh:09b897d64db293f9a904a4a0849b11ec1e3fff5c638f734d82ae36d8dc044b72",
+    "zh:435cc106799290f64078ec24b6c59cb32b33784d609088638ed32c6d12121199",
+    "zh:7073444bd064e8c4ec115ca7d9d7f030cc56795c0a83c27f6668bba519e6849a",
    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:822c0a3bbada5e38099a379db8b2e339526843699627c3be3664cc3b3752bab7",
-    "zh:af23af2f98a84695b25c8eba7028a81ad4aad63c44aefb79e01bbe2dc82e7f78",
-    "zh:e36cac9960b7506d92925b667254322520966b9c3feb3ca6102e57a1fb9b1761",
-    "zh:ffd1e096c1cc35de879c740a91918e9f06b627818a3cb4b1d87b829b54a6985f",
+    "zh:79d238c35d650d2d83a439716182da63f3b2767e72e4cbd0b69cb13d9b1aebfc",
+    "zh:7ef5f49344278fe0bbc5447424e6aa5425ff1821d010d944a444d7fa2c751acf",
+    "zh:92179091638c8ba03feef371c4361a790190f9955caea1fa59de2055c701a251",
+    "zh:a8a34398851761368eb8e7c171f24e55efa6e9fdbb5c455f6dec34dc17f631bc",
+    "zh:b38fd5338625ebace5a4a94cea1a28b11bd91995d834e318f47587cfaf6ec599",
+    "zh:b71b273a2aca7ad5f1e07c767b25b5a888881ba9ca93b30044ccc39c2937f03c",
+    "zh:cd14357e520e0f09fb25badfb4f2ee37d7741afdc3ed47c7bcf54c1683772543",
+    "zh:e05e025f4bb95138c3c8a75c636e97cd7cfd2fc1525b0c8bd097db8c5f02df6e",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version = "3.5.1"
+  hashes = [
+    "h1:VSnd9ZIPyfKHOObuQCaKfnjIHRtR7qTw19Rz8tJxm+k=",
+    "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64",
+    "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d",
+    "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831",
+    "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3",
+    "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b",
+    "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2",
+    "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865",
+    "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03",
+    "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602",
+    "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014",
  ]
 }
--- a/services/service/main.tf
+++ b/services/service/main.tf
@ -32,11 +32,169 @@ resource "nomad_job" "service" {
    host_volumes = var.host_volumes

    use_mysql    = var.use_mysql || var.mysql_bootstrap != null
+    use_postgres = var.use_postgres || var.postgres_bootstrap != null
    use_redis    = var.use_redis
    use_ldap     = var.use_ldap
-    use_postgres = var.use_postgres || var.postgres_bootstrap != null

    mysql_bootstrap    = var.mysql_bootstrap
    postgres_bootstrap = var.postgres_bootstrap
  })
 }
+
+resource "nomad_acl_policy" "secrets_mysql" {
+  count = var.use_mysql || var.mysql_bootstrap != null ? 1 : 0
+
+  name        = "${var.name}-secrets-mysql"
+  description = "Give access to MySQL secrets"
+  rules_hcl   = <<EOH
+namespace "default" {
+  variables {
+    path "secrets/mysql" {
+      capabilities = ["read"]
+    }
+  }
+}
+EOH
+
+  job_acl {
+    job_id = var.name
+    group  = var.name
+    task   = "mysql-bootstrap"
+  }
+}
+
+resource "random_password" "mysql_psk" {
+  count = var.use_mysql || var.mysql_bootstrap != null ? 1 : 0
+
+  length           = 32
+  override_special = "!@#%&*-_="
+}
+
+resource "nomad_variable" "mysql_psk" {
+  count = var.use_mysql || var.mysql_bootstrap != null ? 1 : 0
+
+  path = "secrets/mysql/allowed_psks/${var.name}"
+  items = {
+    psk = "${var.name}:${resource.random_password.mysql_psk[0].result}"
+  }
+}
+
+resource "nomad_acl_policy" "mysql_psk" {
+  count = var.use_mysql || var.mysql_bootstrap != null ? 1 : 0
+
+  name        = "${var.name}-secrets-mysql-psk"
+  description = "Give access to MySQL PSK secrets"
+  rules_hcl   = <<EOH
+namespace "default" {
+  variables {
+    path "secrets/mysql/allowed_psks/${var.name}" {
+      capabilities = ["read"]
+    }
+  }
+}
+EOH
+
+  job_acl {
+    job_id = var.name
+    group  = var.name
+    task   = "stunnel"
+  }
+}
+
+resource "nomad_acl_policy" "secrets_postgres" {
+  count = var.use_postgres || var.postgres_bootstrap != null ? 1 : 0
+
+  name        = "${var.name}-secrets-postgres"
+  description = "Give access to Postgres secrets"
+  rules_hcl   = <<EOH
+namespace "default" {
+  variables {
+    path "secrets/postgres" {
+      capabilities = ["read"]
+    }
+  }
+}
+EOH
+
+  job_acl {
+    job_id = var.name
+    group  = var.name
+    task   = "postgres-bootstrap"
+  }
+}
+
+resource "random_password" "postgres_psk" {
+  count = var.use_postgres || var.postgres_bootstrap != null ? 1 : 0
+
+  length           = 32
+  override_special = "!@#%&*-_="
+}
+
+resource "nomad_variable" "postgres_psk" {
+  count = var.use_postgres || var.postgres_bootstrap != null ? 1 : 0
+
+  path = "secrets/postgres/allowed_psks/${var.name}"
+  items = {
+    psk = "${var.name}:${resource.random_password.postgres_psk[0].result}"
+  }
+}
+
+resource "nomad_acl_policy" "postgres_psk" {
+  count = var.use_postgres || var.postgres_bootstrap != null ? 1 : 0
+
+  name        = "${var.name}-secrets-postgres-psk"
+  description = "Give access to Postgres PSK secrets"
+  rules_hcl   = <<EOH
+namespace "default" {
+  variables {
+    path "secrets/postgres/allowed_psks/${var.name}" {
+      capabilities = ["read"]
+    }
+  }
+}
+EOH
+
+  job_acl {
+    job_id = var.name
+    group  = var.name
+    task   = "stunnel"
+  }
+}
+
+resource "random_password" "ldap_psk" {
+  count = var.use_ldap ? 1 : 0
+
+  length           = 32
+  override_special = "!@#%&*-_="
+}
+
+resource "nomad_variable" "ldap_psk" {
+  count = var.use_ldap ? 1 : 0
+
+  path = "secrets/ldap/allowed_psks/${var.name}"
+  items = {
+    psk = "${var.name}:${resource.random_password.ldap_psk[0].result}"
+  }
+}
+
+resource "nomad_acl_policy" "ldap_psk" {
+  count = var.use_ldap ? 1 : 0
+
+  name        = "${var.name}-secrets-ldap-psk"
+  description = "Give access to ldap PSK secrets"
+  rules_hcl   = <<EOH
+namespace "default" {
+  variables {
+    path "secrets/ldap/allowed_psks/${var.name}" {
+      capabilities = ["read"]
+    }
+  }
+}
+EOH
+
+  job_acl {
+    job_id = var.name
+    group  = var.name
+    task   = "stunnel"
+  }
+}
--- a/services/service/service_template.nomad
+++ b/services/service/service_template.nomad
@ -217,7 +217,7 @@ host=127.0.0.1
 port=3306
 user=root
 # TODO: Use via lesser scoped access
-{{ with nomadVar "nomad/jobs" -}}
+{{ with nomadVar "secrets/mysql" -}}
 password={{ .mysql_root_password }}
 {{ end -}}
        EOF
@ -292,7 +292,7 @@ EOF
        data = <<EOF
 PGHOSTADDR=127.0.0.1
 PGPORT=5432
-{{ with nomadVar "nomad/jobs/${name}/${name}/postgres-bootstrap" }}
+{{ with nomadVar "secrets/postgres" }}
 PGUSER={{ .superuser }}
 # TODO: Passfile?
 PGPASSWORD={{ .superuser_pass }}
@ -407,7 +407,7 @@ PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/postgres_stunnel_psk.txt
      %{~ if use_mysql }
      template {
        data = <<EOF
-{{- with nomadVar "nomad/jobs/${name}/${name}/stunnel" }}{{ .mysql_stunnel_psk }}{{ end -}}
+{{- with nomadVar "secrets/mysql/allowed_psks/${name}" }}{{ .psk }}{{ end -}}
 EOF
        destination = "$${NOMAD_SECRETS_DIR}/mysql_stunnel_psk.txt"
      }
@ -423,7 +423,7 @@ EOF
      %{~ if use_ldap }
      template {
        data = <<EOF
-{{- with nomadVar "nomad/jobs/${name}/${name}/stunnel" }}{{ .ldap_stunnel_psk }}{{ end -}}
+{{- with nomadVar "secrets/ldap/allowed_psks/${name}" }}{{ .psk }}{{ end -}}
 EOF
        destination = "$${NOMAD_SECRETS_DIR}/ldap_stunnel_psk.txt"
      }
@ -431,7 +431,7 @@ EOF
      %{~ if use_postgres }
      template {
        data = <<EOF
-{{- with nomadVar "nomad/jobs/${name}/${name}/stunnel" }}{{ .postgres_stunnel_psk }}{{ end -}}
+{{- with nomadVar "secrets/postgres/allowed_psks/${name}" }}{{ .psk }}{{ end -}}
 EOF
        destination = "$${NOMAD_SECRETS_DIR}/postgres_stunnel_psk.txt"
      }