Use vault for backups jobs

2022-07-21 19:03:40 -07:00 · 2022-07-21 19:03:40 -07:00 · 60dd856666
commit 60dd856666
parent 24d66bdef3
3 changed files with 35 additions and 24 deletions
--- a/.secrets-baseline
+++ b/.secrets-baseline
@ -115,16 +115,6 @@
    }
  ],
  "results": {
-    "nomad/backups/backup.nomad": [
-      {
-        "type": "Secret Keyword",
-        "filename": "nomad/backups/backup.nomad",
-        "hashed_secret": "f2baa52d02ca888455ce47823f47bf372d5eecb3",
-        "is_verified": false,
-        "line_number": 94,
-        "is_secret": false
-      }
-    ],
    "nomad/backups/oneoff.nomad": [
      {
        "type": "Secret Keyword",
@ -555,9 +545,9 @@
      {
        "type": "Secret Keyword",
        "filename": "nomad/vault_hashi_vault_values.yml",
-        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+        "hashed_secret": "f2baa52d02ca888455ce47823f47bf372d5eecb3",
        "is_verified": false,
-        "line_number": 6,
+        "line_number": 8,
        "is_secret": false
      },
      {
@ -565,10 +555,10 @@
        "filename": "nomad/vault_hashi_vault_values.yml",
        "hashed_secret": "18960546905b75c869e7de63961dc185f9a0a7c9",
        "is_verified": false,
-        "line_number": 9,
+        "line_number": 10,
        "is_secret": false
      }
    ]
  },
-  "generated_at": "2022-07-21T23:01:40Z"
+  "generated_at": "2022-07-22T02:03:22Z"
 }
--- a/nomad/backups/backup.nomad
+++ b/nomad/backups/backup.nomad
@ -10,6 +10,7 @@ job "backup" {
  constraint {
    attribute = "${node.unique.name}"
    # Only node with a backup job so far
+    # Remove when backing up all nodes
    value = "n2"
  }

@ -85,19 +86,36 @@ job "backup" {
        }
      }

+      vault {
+        policies = [
+          "access-tables",
+          "nomad-task",
+        ]
+      }
+
      env = {
        "MYSQL_HOST" = "${NOMAD_UPSTREAM_IP_mysql_server}"
        "MYSQL_PORT" = "${NOMAD_UPSTREAM_PORT_mysql_server}"
-        # TODO: Add user with access to all databases or variables for each user
-        "MYSQL_DATABASE" = "nextcloud"
-        "MYSQL_USER" = "nextcloud"
-        "MYSQL_PASSWORD" = "nextcloud"
-
-        # TODO: Something from vault
-        "BACKUP_PASSPHRASE" = "secretpass"
      }

      template {
+        # Probably want to use database credentials that have access to dump all tables
+        data = <<EOF
+{{ with secret "kv/data/nextcloud" }}
+MYSQL_DATABASE={{ .Data.data.db_name }}
+MYSQL_USER={{ .Data.data.db_user }}
+MYSQL_PASSWORD={{ .Data.data.db_pass }}
+{{ end }}
+{{ with secret "kv/data/backups" }}
+BACKUP_PASSPHRASE={{ .Data.data.backup_passphrase }}
+{{ end }}
+        EOF
+        destination = "secrets/db.env"
+        env = true
+      }
+
+      template {
+        # Build jobs based on node
        data = <<EOF
 # Current node is {{ env "node.unique.name" }}
 {{ range service "nextcloud" }}
--- a/nomad/vault_hashi_vault_values.yml
+++ b/nomad/vault_hashi_vault_values.yml
@ -1,10 +1,11 @@
+# Example map of vault values to bootstrap
+# These should be encrypted with Ansible Vault if actually stored here
 hashi_vault_values:
  nextcloud:
    db_name: nextcloud
+    # Eventually replace this with dynamic secrets from Hashicorp Vault
    db_user: nextcloud
-    # Currently it's nextcloud as well
-    db_pass: password
-    backup_passphrase: shhh_imma_secret
+    db_pass: nextcloud
  mysql:
    root_password: supersecretpassword
  slack:
@ -13,3 +14,5 @@ hashi_vault_values:
    hook_url: ...
  grafana:
    alert_email_addresses: email@example.com
+  backups:
+    backup_passphrase: tellnoone