Adapt to new vault templates
This commit is contained in:
parent
37fcbf6c32
commit
65fa3398f6
|
@ -61,11 +61,10 @@ job "bookstack" {
|
|||
tags = [
|
||||
|
||||
"traefik.enable=true",
|
||||
"traefik.http.routers.bookstack.rule=Host(`bookstack.example.org`)",
|
||||
"traefik.http.routers.bookstack.entrypoints=https",
|
||||
"traefik.http.middlewares.bookstack-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
||||
"traefik.http.middlewares.bookstack-proxy.headers.customrequestheaders.X-Forwarded-Proto=https",
|
||||
"traefik.http.routers.bookstack.middlewares=security-headers@file,rate-limit-std@file,bookstack-proxy,inflight-std@file,hsts@file,compression@file,bookstack-csp",
|
||||
"traefik.http.routers.bookstack.rule=Host(`bookstack.example.org`)",
|
||||
"traefik.http.middlewares.csp-bookstack.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
||||
"traefik.http.routers.bookstack.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-bookstack",
|
||||
|
||||
]
|
||||
}
|
||||
|
@ -131,7 +130,7 @@ _EOT
|
|||
# So, publish BookStack settings here
|
||||
template {
|
||||
data = <<_EOT
|
||||
APP_KEY={{ with secret "kv/service/bookstack" }}{{ .Data.data.app_key }}{{ end }}
|
||||
APP_KEY={{ with secret "/kv/service/bookstack" }}{{ .Data.data.app_key }}{{ end }}
|
||||
APP_LANG=fr
|
||||
APP_PROXIES=127.0.0.1
|
||||
APP_URL=https://bookstack.example.org
|
||||
|
@ -139,9 +138,9 @@ CACHE_DRIVER=database
|
|||
CACHE_PREFIX=bookstack
|
||||
DB_DATABASE=bookstack
|
||||
DB_HOST=127.0.0.1
|
||||
DB_PASSWORD={{ with secret "database/creds/bookstack" }}{{ .Data.password }}{{ end }}
|
||||
DB_PASSWORD={{ with secret "/database/creds/bookstack" }}{{ .Data.password }}{{ end }}
|
||||
DB_PORT=3306
|
||||
DB_USERNAME={{ with secret "database/creds/bookstack" }}{{ .Data.username }}{{ end }}
|
||||
DB_USERNAME={{ with secret "/database/creds/bookstack" }}{{ .Data.username }}{{ end }}
|
||||
DISABLE_EXTERNAL_SERVICES=true
|
||||
MAIL_DRIVER=smtp
|
||||
MAIL_FROM=no-reply@bookstack.example.org
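Review bot: The renamed `csp-bookstack` middleware in the tags block keeps `script-src 'self' 'unsafe-inline' 'unsafe-eval'`, which leaves script-src with essentially no XSS mitigation, and the rename was a chance to tighten the directives that do not depend on the application's inline scripts. If BookStack's frontend genuinely needs inline and eval (to be confirmed), at least append `object-src 'none';base-uri 'self';frame-ancestors 'self';` to the policy string so plugin embedding, base-tag hijacking and framing are covered regardless of what `security-headers@file` sets, since that file-provider middleware is not part of this commit. The `job "bookstack"` block continues outside the hunk.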
|
||||
|
|
|
@ -2,7 +2,8 @@
|
|||
|
||||
set -euo pipefail
|
||||
|
||||
vault write database/roles/bookstack \
|
||||
|
||||
vault write /database/roles/bookstack \
|
||||
db_name="mariadb" \
|
||||
creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; \
|
||||
GRANT ALL PRIVILEGES ON bookstack.* TO '{{name}}'@'%'; \
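Review bot: The creation statement `GRANT ALL PRIVILEGES ON bookstack.* TO '{{name}}'@'%'` issues every dynamic user with a wildcard host, while the job in this commit connects at `DB_HOST=127.0.0.1`; if MariaDB sees those connections from a fixed address (loopback or a mesh sidecar), narrowing the host part of both the `CREATE USER` and the `GRANT` to it limits where a leaked short-lived credential can be used from. The role's TTLs and any `revocation_statements` are not visible here, so whether the lease length fits the job's restart behaviour should be checked in the surrounding lines. The `vault write` command continues past the end of the hunk.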
|
||||
|
|
|
@ -2,17 +2,21 @@
|
|||
|
||||
set -euo pipefail
|
||||
|
||||
VAULT_KV_PATH=kv/service/bookstack
|
||||
# vim: syntax=sh
|
||||
|
||||
export LC_ALL=C
|
||||
VAULT_KV_PATH=/kv/service/bookstack
|
||||
RAND_CMD="echo base64:$(openssl rand -base64 32)"
|
||||
if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
|
||||
vault kv put ${VAULT_KV_PATH} \
|
||||
app_key=$(${RAND_CMD}) \
|
||||
app_key="$(sh -c "${RAND_CMD}")" \
|
||||
|
||||
fi
|
||||
for SECRET in app_key; do
|
||||
if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then
|
||||
vault kv patch ${VAULT_KV_PATH} \
|
||||
${SECRET}=$(${RAND_CMD})
|
||||
${SECRET}=$(sh -c "${RAND_CMD}")
|
||||
fi
|
||||
done
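Review bot: `RAND_CMD="echo base64:$(openssl rand -base64 32)"` is double-quoted, so the `openssl rand` substitution runs once at assignment and `RAND_CMD` holds a fixed literal; every later `sh -c "${RAND_CMD}"` just echoes that same value, so all fields iterated by the `for SECRET in …` loop would receive an identical key as soon as more than `app_key` is listed. Single-quoting the assignment, `RAND_CMD='echo base64:$(openssl rand -base64 32)'`, defers the substitution to each `sh -c` invocation; this line is presumably rendered from the common `vault.rand_secrets` template, so the quoting fix belongs there. Separately, the generated secret is passed to `vault kv put` and `vault kv patch` as a command-line argument, which exposes it in process listings on the host running the script; feeding it on stdin (`app_key=-`) avoids that. The script's shebang line is outside the hunk.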
|
||||
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
path "database/creds/bookstack" {
|
||||
path "/database/creds/bookstack" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
path "kv/data/service/bookstack" {
|
||||
path "/kv/data/service/bookstack" {
|
||||
capabilities = ["read"]
|
||||
}
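Review bot: Both `path` rules now start with `/` (`/database/creds/bookstack`, `/kv/data/service/bookstack`), and a policy path that is not normalised the same way as the request path silently matches nothing, so the job would get permission denied on every template render; confirm against the Vault version in use that the ACL parser strips the leading slash, because nothing in this file shows it. A short header comment would also help a reader, e.g. `# Read-only policy for the bookstack Nomad job: dynamic MariaDB creds and the KV v2 entry holding APP_KEY`.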
|
||||
|
|
|
@ -2,7 +2,4 @@
|
|||
|
||||
set -euo pipefail
|
||||
|
||||
[[- template "common/vault.mkmysqlrole.sh"
|
||||
dict "ctx" .
|
||||
"config" (dict "role" .instance "database" "mariadb")
|
||||
]]
|
||||
[[ template "common/vault.mkmysqlrole.sh" merge .bookstack . ]]
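Review bot: `[[ template "common/vault.mkmysqlrole.sh" merge .bookstack . ]]` replaces the explicit `dict "ctx" . "config" (…)` call with a merge of the whole `.bookstack` map and the root context, so any key later added under `bookstack:` that shares a name with a root key (`vault`, `instance`, `consul`) would shadow it, or be shadowed, inside the template with no error; which side wins depends on gomplate's merge precedence and should be confirmed. A one-line comment stating the implicit contract, e.g. `[[ /* common template reads .instance, .vault.root and the per-instance database settings from the merged map */ ]]`, would make that interface visible. The rest of the generated script is outside the hunk.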
|
||||
|
|
|
@ -2,4 +2,4 @@
|
|||
|
||||
set -euo pipefail
|
||||
|
||||
[[ template "common/vault.rand_secrets" dict "ctx" . "keys" (coll.Slice "app_key") "cmd" "echo base64:$(openssl rand -base64 32)" ]]
|
||||
[[ template "common/vault.rand_secrets" merge .bookstack . ]]
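Review bot: The command that generates the random values is no longer fixed in this template but read from the instance data (`rand_secrets.cmd` in the variables file), and the rendered script in this commit executes it through `sh -c`; that makes the variables file part of the trusted base for secret generation, which is worth stating here, e.g. `[[ /* rand_secrets.cmd is executed by sh on the host running this script; it must come from trusted config */ ]]`. Since `common/vault.rand_secrets` is not in this commit, whether it quotes the command so that the `$(openssl rand …)` substitution is re-evaluated per field rather than once at assignment should be checked there.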
|
||||
|
|
|
@ -29,6 +29,12 @@ bookstack:
|
|||
policies:
|
||||
- '[[ .instance ]][[ .consul.suffix ]]'
|
||||
|
||||
# Random secrets to generate
|
||||
rand_secrets:
|
||||
cmd: echo base64:$(openssl rand -base64 32)
|
||||
fields:
|
||||
- app_key
|
||||
|
||||
# Wait for MariaDB to be ready before starting
|
||||
wait_for:
|
||||
service: mariadb[[ .consul.suffix ]]
|
||||
|
@ -44,7 +50,7 @@ bookstack:
|
|||
|
||||
# Bookstack settings (which will populate .env)
|
||||
settings:
|
||||
APP_KEY: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.app_key }}{{ end }}'
|
||||
APP_KEY: '{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.app_key }}{{ end }}'
|
||||
APP_URL: '[[ .bookstack.public_url ]]'
|
||||
APP_LANG: fr
|
||||
APP_PROXIES: 127.0.0.1
|
||||
|
@ -73,8 +79,8 @@ bookstack:
|
|||
host: 127.0.0.1
|
||||
port: 3306
|
||||
database: '[[ .instance ]]'
|
||||
user: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
|
||||
password: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
|
||||
user: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
|
||||
password: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
|
||||
|
||||
# Public URL on which bookstack will be available
|
||||
public_url: https://bookstack.example.org
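Review bot: The new `rand_secrets` block's comment `# Random secrets to generate` undersells what the key does: the rendered script in this commit only writes a field when it is absent from Vault and never rotates it, and it runs `cmd` through `sh -c` on the host. A comment such as `# Random secrets to seed in kv/service/<instance>: each field is generated only if missing and never rotated; cmd is executed by a shell and must stay trusted.` would record both facts. If the `base64:` prefix plus 32 random bytes is chosen because that is the APP_KEY format BookStack's Laravel core expects, that reason is worth noting too.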
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
path "[[ .vault.prefix ]]database/creds/[[ .instance ]]" {
|
||||
path "[[ .vault.root ]]database/creds/[[ .instance ]]" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
path "[[ .vault.prefix ]]kv/data/service/bookstack" {
|
||||
path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
|
||||
capabilities = ["read"]
|
||||
}
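Review bot: The policy template has no comment explaining what the two grants are for or why they are read-only, and the `kv/data/…` form (the KV v2 data endpoint) versus the plain `kv/service/…` path used by the job's `secret` calls is a common source of confusion when someone edits it. Suggest a header comment such as `# Read-only Vault policy for the [[ .instance ]] job: dynamic DB creds and the KV v2 entry holding APP_KEY (policy paths need the data/ segment, consul-template calls do not)`. `.vault.root` is presumably rendered with a leading slash, so whether Vault normalises that in ACL paths should be confirmed once for this template.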
|
||||
|
|