Use vault for backups jobs

.secrets-baseline

@@ -115,16 +115,6 @@
     }
   ],
   "results": {
-    "nomad/backups/backup.nomad": [
-      {
-        "type": "Secret Keyword",
-        "filename": "nomad/backups/backup.nomad",
-        "hashed_secret": "f2baa52d02ca888455ce47823f47bf372d5eecb3",
-        "is_verified": false,
-        "line_number": 94,
-        "is_secret": false
-      }
-    ],
     "nomad/backups/oneoff.nomad": [
       {
         "type": "Secret Keyword",
@@ -555,9 +545,9 @@
       {
         "type": "Secret Keyword",
         "filename": "nomad/vault_hashi_vault_values.yml",
-        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+        "hashed_secret": "f2baa52d02ca888455ce47823f47bf372d5eecb3",
         "is_verified": false,
-        "line_number": 6,
+        "line_number": 8,
         "is_secret": false
       },
       {
@@ -565,10 +555,10 @@
         "filename": "nomad/vault_hashi_vault_values.yml",
         "hashed_secret": "18960546905b75c869e7de63961dc185f9a0a7c9",
         "is_verified": false,
-        "line_number": 9,
+        "line_number": 10,
         "is_secret": false
       }
     ]
   },
-  "generated_at": "2022-07-21T23:01:40Z"
+  "generated_at": "2022-07-22T02:03:22Z"
 }

nomad/backups/backup.nomad

@@ -10,6 +10,7 @@ job "backup" {
   constraint {
     attribute = "${node.unique.name}"
     # Only node with a backup job so far
+    # Remove when backing up all nodes
     value = "n2"
   }
 
@@ -85,19 +86,36 @@ job "backup" {
         }
       }
 
+      vault {
+        policies = [
+          "access-tables",
+          "nomad-task",
+        ]
+      }
+
       env = {
         "MYSQL_HOST" = "${NOMAD_UPSTREAM_IP_mysql_server}"
         "MYSQL_PORT" = "${NOMAD_UPSTREAM_PORT_mysql_server}"
-        # TODO: Add user with access to all databases or variables for each user
-        "MYSQL_DATABASE" = "nextcloud"
-        "MYSQL_USER" = "nextcloud"
-        "MYSQL_PASSWORD" = "nextcloud"
-
-        # TODO: Something from vault
-        "BACKUP_PASSPHRASE" = "secretpass"
       }
 
       template {
+        # Probably want to use database credentials that have access to dump all tables
+        data = <<EOF
+{{ with secret "kv/data/nextcloud" }}
+MYSQL_DATABASE={{ .Data.data.db_name }}
+MYSQL_USER={{ .Data.data.db_user }}
+MYSQL_PASSWORD={{ .Data.data.db_pass }}
+{{ end }}
+{{ with secret "kv/data/backups" }}
+BACKUP_PASSPHRASE={{ .Data.data.backup_passphrase }}
+{{ end }}
+        EOF
+        destination = "secrets/db.env"
+        env = true
+      }
+
+      template {
+        # Build jobs based on node
         data = <<EOF
 # Current node is {{ env "node.unique.name" }}
 {{ range service "nextcloud" }}

nomad/vault_hashi_vault_values.yml

@@ -1,10 +1,11 @@
+# Example map of vault values to bootstrap
+# These should be encrypted with Ansible Vault if actually stored here
 hashi_vault_values:
   nextcloud:
     db_name: nextcloud
+    # Eventually replace this with dynamic secrets from Hashicorp Vault
     db_user: nextcloud
-    # Currently it's nextcloud as well
-    db_pass: password
-    backup_passphrase: shhh_imma_secret
+    db_pass: nextcloud
   mysql:
     root_password: supersecretpassword
   slack:
@@ -13,3 +14,5 @@ hashi_vault_values:
     hook_url: ...
   grafana:
     alert_email_addresses: email@example.com
+  backups:
+    backup_passphrase: tellnoone