More nextcloud config using Vault

2022-07-08 16:26:26 -07:00 · 2022-07-08 16:26:26 -07:00 · c58056d594
commit c58056d594
parent 02b448e363
2 changed files with 32 additions and 7 deletions
--- a/nomad/nextcloud/nextcloud-backup.hcl
+++ b/nomad/nextcloud/nextcloud-backup.hcl
@ -5,7 +5,8 @@ job "Nextcloud" {
    repo = "/local/repo"
    # Read from secret file
    # Either options.PasswordFile or using readfile()
-    passphrase = "secret phrase"
+    # passphrase = "secret phrase"
+    passwordFile("tmp/passphrase")
  }

  task "Create dir for repo" {
--- a/nomad/nextcloud/nextcloud.nomad
+++ b/nomad/nextcloud/nextcloud.nomad
@ -214,14 +214,38 @@ GRANT ALL ON `{{ .Data.data.db_name }}`.* to '{{ .Data.data.db_user }}'@'%';
          target = "/jobs"
          source = "jobs"
        }
+
+        mount {
+          type = "bind"
+          target = "/tmp/passphrase"
+          source = "secrets/passphrase"
+        }
      }

      env = {
        "MYSQL_HOST" = "${NOMAD_UPSTREAM_IP_mysql_server}"
        "MYSQL_PORT" = "${NOMAD_UPSTREAM_PORT_mysql_server}"
-        "MYSQL_DATABASE" = "${var.nextcloud_db}"
-        "MYSQL_USER" = "${var.nextcloud_user}"
-        "MYSQL_PASSWORD" = "${var.nextcloud_pass}"
+      }
+
+      vault {
+        policies = ["access-tables", "nomad-task"]
+      }
+
+      template {
+        data = "{{ with secret \"kv/data/nextcloud\" }}{{ .Data.data.backup_passphrase }}{{ end }}"
+        destination = "secrets/passphrase"
+      }
+
+      template {
+        data = <<EOF
+        {{ with secret "kv/data/nextcloud" }}
+MYSQL_DATABASE={{ .Data.data.db_name }}
+MYSQL_USER={{ .Data.data.db_user }}
+MYSQL_PASSWORD={{ .Data.data.db_pass }}
+        {{ end }}
+        EOF
+        destination = "secrets/db.env"
+        env = true
      }

      template {