Adapt to new vault templates

example/bookstack.nomad.hcl

@@ -61,11 +61,10 @@ job "bookstack" {
       tags = [
 
         "traefik.enable=true",
-        "traefik.http.routers.bookstack.rule=Host(`bookstack.example.org`)",
         "traefik.http.routers.bookstack.entrypoints=https",
-        "traefik.http.middlewares.bookstack-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
-        "traefik.http.middlewares.bookstack-proxy.headers.customrequestheaders.X-Forwarded-Proto=https",
-        "traefik.http.routers.bookstack.middlewares=security-headers@file,rate-limit-std@file,bookstack-proxy,inflight-std@file,hsts@file,compression@file,bookstack-csp",
+        "traefik.http.routers.bookstack.rule=Host(`bookstack.example.org`)",
+        "traefik.http.middlewares.csp-bookstack.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
+        "traefik.http.routers.bookstack.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-bookstack",
 
       ]
     }
@@ -131,7 +130,7 @@ _EOT
       # So, publish BookStack settings here
       template {
         data        = <<_EOT
-APP_KEY={{ with secret "kv/service/bookstack" }}{{ .Data.data.app_key }}{{ end }}
+APP_KEY={{ with secret "/kv/service/bookstack" }}{{ .Data.data.app_key }}{{ end }}
 APP_LANG=fr
 APP_PROXIES=127.0.0.1
 APP_URL=https://bookstack.example.org
@@ -139,9 +138,9 @@ CACHE_DRIVER=database
 CACHE_PREFIX=bookstack
 DB_DATABASE=bookstack
 DB_HOST=127.0.0.1
-DB_PASSWORD={{ with secret "database/creds/bookstack" }}{{ .Data.password }}{{ end }}
+DB_PASSWORD={{ with secret "/database/creds/bookstack" }}{{ .Data.password }}{{ end }}
 DB_PORT=3306
-DB_USERNAME={{ with secret "database/creds/bookstack" }}{{ .Data.username }}{{ end }}
+DB_USERNAME={{ with secret "/database/creds/bookstack" }}{{ .Data.username }}{{ end }}
 DISABLE_EXTERNAL_SERVICES=true
 MAIL_DRIVER=smtp
 MAIL_FROM=no-reply@bookstack.example.org

example/init/vault-database

@@ -2,7 +2,8 @@
 
 set -euo pipefail
 
-vault write database/roles/bookstack \
+
+vault write /database/roles/bookstack \
     db_name="mariadb" \
     creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; \
         GRANT ALL PRIVILEGES ON bookstack.* TO '{{name}}'@'%'; \

example/prep.d/20-rand-pwd.sh

@@ -2,17 +2,21 @@
 
 set -euo pipefail
 
-VAULT_KV_PATH=kv/service/bookstack
+# vim: syntax=sh
+
+export LC_ALL=C
+VAULT_KV_PATH=/kv/service/bookstack
 RAND_CMD="echo base64:$(openssl rand -base64 32)"
 if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
   vault kv put ${VAULT_KV_PATH} \
-    app_key=$(${RAND_CMD}) \
+    app_key="$(sh -c "${RAND_CMD}")" \
 
 fi
 for SECRET in app_key; do
   if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then
     vault kv patch ${VAULT_KV_PATH} \
-      ${SECRET}=$(${RAND_CMD})
+      ${SECRET}=$(sh -c "${RAND_CMD}")
   fi
 done
 
+

example/vault/policies/bookstack.hcl

@@ -1,7 +1,7 @@
-path "database/creds/bookstack" {
+path "/database/creds/bookstack" {
   capabilities = ["read"]
 }
 
-path "kv/data/service/bookstack" {
+path "/kv/data/service/bookstack" {
   capabilities = ["read"]
 }

init/vault-database

@@ -2,7 +2,4 @@
 
 set -euo pipefail
 
-[[- template "common/vault.mkmysqlrole.sh"
-  dict "ctx" .
-       "config" (dict "role" .instance "database" "mariadb")
-]]
+[[ template "common/vault.mkmysqlrole.sh" merge .bookstack . ]]

prep.d/20-rand-pwd.sh

@@ -2,4 +2,4 @@
 
 set -euo pipefail
 
-[[ template "common/vault.rand_secrets" dict "ctx" . "keys" (coll.Slice "app_key") "cmd" "echo base64:$(openssl rand -base64 32)" ]]
+[[ template "common/vault.rand_secrets" merge .bookstack . ]]

variables.yml

@@ -29,6 +29,12 @@ bookstack:
     policies:
       - '[[ .instance ]][[ .consul.suffix ]]'
 
+    # Random secrets to generate
+    rand_secrets:
+      cmd: echo base64:$(openssl rand -base64 32)
+      fields:
+        - app_key
+
   # Wait for MariaDB to be ready before starting
   wait_for:
     service: mariadb[[ .consul.suffix ]]
@@ -44,7 +50,7 @@ bookstack:
 
   # Bookstack settings (which will populate .env)
   settings:
-    APP_KEY: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.app_key }}{{ end }}'
+    APP_KEY: '{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.app_key }}{{ end }}'
     APP_URL: '[[ .bookstack.public_url ]]'
     APP_LANG: fr
     APP_PROXIES: 127.0.0.1
@@ -73,8 +79,8 @@ bookstack:
     host: 127.0.0.1
     port: 3306
     database: '[[ .instance ]]'
-    user: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
-    password: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
+    user: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
+    password: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
 
   # Public URL on which bookstack will be available
   public_url: https://bookstack.example.org

vault/policies/bookstack.hcl

@@ -1,7 +1,7 @@
-path "[[ .vault.prefix ]]database/creds/[[ .instance ]]" {
+path "[[ .vault.root ]]database/creds/[[ .instance ]]" {
   capabilities = ["read"]
 }
 
-path "[[ .vault.prefix ]]kv/data/service/bookstack" {
+path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
   capabilities = ["read"]
 }