Adapt to new vault templates
This commit is contained in:
parent
37fcbf6c32
commit
65fa3398f6
|
@ -61,11 +61,10 @@ job "bookstack" {
|
||||||
tags = [
|
tags = [
|
||||||
|
|
||||||
"traefik.enable=true",
|
"traefik.enable=true",
|
||||||
"traefik.http.routers.bookstack.rule=Host(`bookstack.example.org`)",
|
|
||||||
"traefik.http.routers.bookstack.entrypoints=https",
|
"traefik.http.routers.bookstack.entrypoints=https",
|
||||||
"traefik.http.middlewares.bookstack-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
"traefik.http.routers.bookstack.rule=Host(`bookstack.example.org`)",
|
||||||
"traefik.http.middlewares.bookstack-proxy.headers.customrequestheaders.X-Forwarded-Proto=https",
|
"traefik.http.middlewares.csp-bookstack.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
||||||
"traefik.http.routers.bookstack.middlewares=security-headers@file,rate-limit-std@file,bookstack-proxy,inflight-std@file,hsts@file,compression@file,bookstack-csp",
|
"traefik.http.routers.bookstack.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-bookstack",
|
||||||
|
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
@ -131,7 +130,7 @@ _EOT
|
||||||
# So, publish BookStack settings here
|
# So, publish BookStack settings here
|
||||||
template {
|
template {
|
||||||
data = <<_EOT
|
data = <<_EOT
|
||||||
APP_KEY={{ with secret "kv/service/bookstack" }}{{ .Data.data.app_key }}{{ end }}
|
APP_KEY={{ with secret "/kv/service/bookstack" }}{{ .Data.data.app_key }}{{ end }}
|
||||||
APP_LANG=fr
|
APP_LANG=fr
|
||||||
APP_PROXIES=127.0.0.1
|
APP_PROXIES=127.0.0.1
|
||||||
APP_URL=https://bookstack.example.org
|
APP_URL=https://bookstack.example.org
|
||||||
|
@ -139,9 +138,9 @@ CACHE_DRIVER=database
|
||||||
CACHE_PREFIX=bookstack
|
CACHE_PREFIX=bookstack
|
||||||
DB_DATABASE=bookstack
|
DB_DATABASE=bookstack
|
||||||
DB_HOST=127.0.0.1
|
DB_HOST=127.0.0.1
|
||||||
DB_PASSWORD={{ with secret "database/creds/bookstack" }}{{ .Data.password }}{{ end }}
|
DB_PASSWORD={{ with secret "/database/creds/bookstack" }}{{ .Data.password }}{{ end }}
|
||||||
DB_PORT=3306
|
DB_PORT=3306
|
||||||
DB_USERNAME={{ with secret "database/creds/bookstack" }}{{ .Data.username }}{{ end }}
|
DB_USERNAME={{ with secret "/database/creds/bookstack" }}{{ .Data.username }}{{ end }}
|
||||||
DISABLE_EXTERNAL_SERVICES=true
|
DISABLE_EXTERNAL_SERVICES=true
|
||||||
MAIL_DRIVER=smtp
|
MAIL_DRIVER=smtp
|
||||||
MAIL_FROM=no-reply@bookstack.example.org
|
MAIL_FROM=no-reply@bookstack.example.org
|
||||||
|
|
|
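Review bot: The renamed `csp-bookstack` middleware (new line 40) still ships `script-src 'self' 'unsafe-inline' 'unsafe-eval'`, which leaves the content-security-policy with little value against injected script even though the router chain on line 45 now stacks it after `security-headers@file`. If BookStack's editor genuinely needs both sources, a comment next to the tag such as `# 'unsafe-inline'/'unsafe-eval' required by the BookStack editor; revisit with nonces/hashes when upstream supports them` would document the trade-off so the policy is neither tightened nor loosened blindly. The chain also now depends on `forward-proto@file`, which presumably lives in a Traefik file-provider config outside this repository; worth naming that file in a comment since the removed `bookstack-proxy` middleware was the only in-job definition of the `X-Forwarded-Proto` header.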
@ -2,7 +2,8 @@
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
vault write database/roles/bookstack \
|
|
||||||
|
vault write /database/roles/bookstack \
|
||||||
db_name="mariadb" \
|
db_name="mariadb" \
|
||||||
creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; \
|
creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; \
|
||||||
GRANT ALL PRIVILEGES ON bookstack.* TO '{{name}}'@'%'; \
|
GRANT ALL PRIVILEGES ON bookstack.* TO '{{name}}'@'%'; \
|
||||||
|
|
|
@ -2,17 +2,21 @@
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
VAULT_KV_PATH=kv/service/bookstack
|
# vim: syntax=sh
|
||||||
|
|
||||||
|
export LC_ALL=C
|
||||||
|
VAULT_KV_PATH=/kv/service/bookstack
|
||||||
RAND_CMD="echo base64:$(openssl rand -base64 32)"
|
RAND_CMD="echo base64:$(openssl rand -base64 32)"
|
||||||
if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
|
if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
|
||||||
vault kv put ${VAULT_KV_PATH} \
|
vault kv put ${VAULT_KV_PATH} \
|
||||||
app_key=$(${RAND_CMD}) \
|
app_key="$(sh -c "${RAND_CMD}")" \
|
||||||
|
|
||||||
fi
|
fi
|
||||||
for SECRET in app_key; do
|
for SECRET in app_key; do
|
||||||
if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then
|
if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then
|
||||||
vault kv patch ${VAULT_KV_PATH} \
|
vault kv patch ${VAULT_KV_PATH} \
|
||||||
${SECRET}=$(${RAND_CMD})
|
${SECRET}=$(sh -c "${RAND_CMD}")
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
|
||||||
|
|
|
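Review bot: `RAND_CMD` is assigned in double quotes on line 224, so `$(openssl rand -base64 32)` is expanded once at assignment and the `sh -c "${RAND_CMD}"` calls introduced on lines 239 and 267 only re-echo that single value — every field named in the `for SECRET` loop would receive the same secret as soon as the `rand_secrets.fields` list (the yaml hunk `@ -29,6 +29,12 @@` below) grows beyond `app_key`. Deferring evaluation with single quotes, `RAND_CMD='echo base64:$(openssl rand -base64 32)'`, in the common template that renders this line fixes that. Separately, with `set -euo pipefail` (line 200) the guard `if ! vault kv list … 2>/dev/null | grep -q …` on line 229 treats any failure of `vault kv list` (Vault unreachable, expired token, missing list capability) the same as "key absent", and the following `vault kv put` then replaces the existing `app_key` with a fresh value, which for BookStack invalidates everything encrypted under the old APP_KEY; capture the listing first, e.g. `existing=$(vault kv list "$(dirname "${VAULT_KV_PATH}")") || exit 1`, and grep `$existing` instead.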
@ -1,7 +1,7 @@
|
||||||
path "database/creds/bookstack" {
|
path "/database/creds/bookstack" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|
||||||
path "kv/data/service/bookstack" {
|
path "/kv/data/service/bookstack" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|
|
@ -2,7 +2,4 @@
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
[[- template "common/vault.mkmysqlrole.sh"
|
[[ template "common/vault.mkmysqlrole.sh" merge .bookstack . ]]
|
||||||
dict "ctx" .
|
|
||||||
"config" (dict "role" .instance "database" "mariadb")
|
|
||||||
]]
|
|
||||||
|
|
|
@ -2,4 +2,4 @@
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
[[ template "common/vault.rand_secrets" dict "ctx" . "keys" (coll.Slice "app_key") "cmd" "echo base64:$(openssl rand -base64 32)" ]]
|
[[ template "common/vault.rand_secrets" merge .bookstack . ]]
|
||||||
|
|
|
@ -29,6 +29,12 @@ bookstack:
|
||||||
policies:
|
policies:
|
||||||
- '[[ .instance ]][[ .consul.suffix ]]'
|
- '[[ .instance ]][[ .consul.suffix ]]'
|
||||||
|
|
||||||
|
# Random secrets to generate
|
||||||
|
rand_secrets:
|
||||||
|
cmd: echo base64:$(openssl rand -base64 32)
|
||||||
|
fields:
|
||||||
|
- app_key
|
||||||
|
|
||||||
# Wait for MariaDB to be ready before starting
|
# Wait for MariaDB to be ready before starting
|
||||||
wait_for:
|
wait_for:
|
||||||
service: mariadb[[ .consul.suffix ]]
|
service: mariadb[[ .consul.suffix ]]
|
||||||
|
@ -44,7 +50,7 @@ bookstack:
|
||||||
|
|
||||||
# Bookstack settings (which will populate .env)
|
# Bookstack settings (which will populate .env)
|
||||||
settings:
|
settings:
|
||||||
APP_KEY: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.app_key }}{{ end }}'
|
APP_KEY: '{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.app_key }}{{ end }}'
|
||||||
APP_URL: '[[ .bookstack.public_url ]]'
|
APP_URL: '[[ .bookstack.public_url ]]'
|
||||||
APP_LANG: fr
|
APP_LANG: fr
|
||||||
APP_PROXIES: 127.0.0.1
|
APP_PROXIES: 127.0.0.1
|
||||||
|
@ -73,8 +79,8 @@ bookstack:
|
||||||
host: 127.0.0.1
|
host: 127.0.0.1
|
||||||
port: 3306
|
port: 3306
|
||||||
database: '[[ .instance ]]'
|
database: '[[ .instance ]]'
|
||||||
user: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
|
user: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
|
||||||
password: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
|
password: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
|
||||||
|
|
||||||
# Public URL on which bookstack will be available
|
# Public URL on which bookstack will be available
|
||||||
public_url: https://bookstack.example.org
|
public_url: https://bookstack.example.org
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
path "[[ .vault.prefix ]]database/creds/[[ .instance ]]" {
|
path "[[ .vault.root ]]database/creds/[[ .instance ]]" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|
||||||
path "[[ .vault.prefix ]]kv/data/service/bookstack" {
|
path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|
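Review bot: `[[ .vault.root ]]` renders to a bare `/` here (the rendered policy in the `@ -1,7 +1,7 @@` hunk above reads `path "/database/creds/bookstack"`), so every Vault path touched by this commit now begins with a slash. The `vault` CLI strips a leading slash and Vault's policy parser is generally tolerant of one, but the same prefix is also substituted into the consul-template lookups `secret "/kv/service/bookstack"` and `secret "/database/creds/bookstack"` in the Nomad job hunks (lines 82–131), and I could not confirm from this page that those resolve identically; a comment at the definition of `.vault.root` stating what it is expected to hold (e.g. `/` without a namespace, or a namespace/mount prefix) would make the intent checkable. Replacing the hard-coded `bookstack` with `[[ .instance ]]` on line 543 is a good fix, since the kv policy and the `kv put` target in the rand_secrets script otherwise drift apart when the instance is renamed.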