nomad
/
bounca
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update for vault cleanup

This commit is contained in:
Daniel Berteaud 2024-01-31 12:29:56 +01:00
parent 9d8cff3214
commit 8df5891d54
11 changed files with 42 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
example/bounca.nomad.hcl
View File

@ -49,18 +49,16 @@ job "bounca" {
"traefik.enable=true",
"traefik.http.routers.bounca-public.entrypoints=https",
"traefik.http.middlewares.bounca-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
"traefik.http.middlewares.bounca-proxy.headers.customrequestheaders.X-Forwarded-Proto=https",
"traefik.http.routers.bounca-public.middlewares=security-headers@file,rate-limit-std@file,bounca-proxy,inflight-std@file,hsts@file,compression@file,bounca-csp",
"traefik.http.middlewares.csp-bounca-public.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
"traefik.http.routers.bounca-public.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-bounca-public",
"traefik.http.routers.bounca-public.rule=Host(`pki.example.org`) && PathPrefix(`/public`)",
"traefik.enable=true",
"traefik.http.routers.bounca.rule=Host(`pki.example.org`)",
"traefik.http.routers.bounca.entrypoints=https",
"traefik.http.middlewares.bounca-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
"traefik.http.middlewares.bounca-proxy.headers.customrequestheaders.X-Forwarded-Proto=https",
"traefik.http.routers.bounca.middlewares=security-headers@file,rate-limit-std@file,bounca-proxy,inflight-std@file,hsts@file,compression@file,bounca-csp",
"traefik.http.routers.bounca.rule=Host(`pki.example.org`)",
"traefik.http.middlewares.csp-bounca.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
"traefik.http.routers.bounca.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-bounca",
]
@ -135,7 +133,7 @@ job "bounca" {
template {
data = <<_EOT
BOUNCA_DB_NAME=bounca
BOUNCA_DJANGO_SECRET={{ with secret "/kv/service/bounca" }}{{ .Data.data.django_secret }}{{ end }}
BOUNCA_DJANGO_SECRET={{ with secret "//kv/service/bounca" }}{{ .Data.data.django_secret }}{{ end }}
LANG=fr_FR.utf8
TZ=Europe/Paris
_EOT
@ -191,8 +189,8 @@ _EOT
template {
data = <<_EOT
BOUNCA_DB_USER={{ with secret "/database/creds/bounca" }}{{ .Data.username }}{{ end }}
BOUNCA_DB_PASSWORD={{ with secret "/database/creds/bounca" }}{{ .Data.password }}{{ end }}
BOUNCA_DB_USER={{ with secret "//database/creds/bounca" }}{{ .Data.username }}{{ end }}
BOUNCA_DB_PASSWORD={{ with secret "//database/creds/bounca" }}{{ .Data.password }}{{ end }}
BOUNCA_DB_PORT=5432
_EOT
destination = "secrets/.db.env"
@ -246,7 +244,7 @@ _EOT
template {
data = <<_EOT
BOUNCA_DB_NAME=bounca
BOUNCA_DJANGO_SECRET={{ with secret "/kv/service/bounca" }}{{ .Data.data.django_secret }}{{ end }}
BOUNCA_DJANGO_SECRET={{ with secret "//kv/service/bounca" }}{{ .Data.data.django_secret }}{{ end }}
LANG=fr_FR.utf8
TZ=Europe/Paris
_EOT

4
example/init/vault-bounca → example/init/vault-database
View File

@ -1,8 +1,6 @@
#!/bin/sh
set -euo pipefail
vault write database/roles/bounca \
set -euo pipefailvault write /database/roles/bounca \
db_name="postgres" \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
GRANT \"bounca\" TO \"{{name}}\"; \

19
example/prep.d/10-mv-conf.sh
View File

@ -1,19 +0,0 @@
#!/bin/sh
set -eu
if [ "bounca" != "bounca" ]; then
for DIR in vault consul nomad; do
if [ -d output/${DIR} ]; then
for FILE in $(find output/${DIR} -name "*bounca*.hcl" -type f); do
NEW_FILE=$(echo "${FILE}" | sed -E "s/bounca/bounca/g")
mv "${FILE}" "${NEW_FILE}"
done
fi
done
fi

23
example/prep.d/10-rand-pwd.sh
View File

@ -2,16 +2,21 @@
set -euo pipefail
# Initialize random passwords if needed
# vim: syntax=sh
export LC_ALL=C
VAULT_KV_PATH=/kv/service/bounca
RAND_CMD="tr -dc A-Za-z0-9\-_\/=~\.+ < /dev/urandom | head -c 50"
if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
vault kv put ${VAULT_KV_PATH} \
django_secret="$(sh -c "${RAND_CMD}")" \
if ! vault kv list kv/service 2>/dev/null | grep -q -E '^bounca$'; then
vault kv put kv/service/bounca \
django_secret=$(pwgen -s -n 50 1)
fi
for PWD in django_secret; do
if ! vault kv get -field ${PWD} kv/service/bounca >/dev/null 2>&1; then
vault kv patch kv/service/bounca \
${PWD}=$(pwgen -s -n 50 1)
for SECRET in django_secret; do
if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then
vault kv patch ${VAULT_KV_PATH} \
${SECRET}=$(sh -c "${RAND_CMD}")
fi
done

4
example/vault/policies/bounca.hcl
View File

@ -1,7 +1,7 @@
path "kv/data/service/bounca" {
path "/kv/data/service/bounca" {
capabilities = ["read"]
}
path "database/creds/bounca" {
path "/database/creds/bounca" {
capabilities = ["read"]
}

8
init/vault-bounca
View File

@ -1,8 +0,0 @@
#!/bin/sh
set -euo pipefail
[[- template "common/vault.mkpgrole.sh.tpl"
dict "ctx" .
"config" (dict "role" .instance "database" "postgres")
]]

5
init/vault-database Executable file
View File

@ -0,0 +1,5 @@
#!/bin/sh
set -euo pipefail
[[- template "common/vault.mkpgrole.sh" merge .bounca . ]]

1
prep.d/10-mv-conf.sh
View File

@ -1 +0,0 @@
[[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "bounca" .instance) ]]

14
prep.d/10-rand-pwd.sh
View File

@ -2,16 +2,4 @@
set -euo pipefail
# Initialize random passwords if needed
if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .instance ]]$'; then
vault kv put [[ .vault.prefix ]]kv/service/[[ .instance ]] \
django_secret=$(pwgen -s -n 50 1)
fi
for PWD in django_secret; do
if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .instance ]] >/dev/null 2>&1; then
vault kv patch [[ .vault.prefix ]]kv/service/[[ .instance ]] \
${PWD}=$(pwgen -s -n 50 1)
fi
done
[[ template "common/vault.rand_secrets" merge .bounca . ]]

12
variables.yml
View File

@ -8,20 +8,24 @@ bounca:
# The image to use
image: danielberteaud/bounca:latest
# Vault policies to use
vault:
# Vault policies to use
policies:
- '[[ .instance ]][[ .consul.suffix ]]'
# Random secrets to generate
rand_secrets:
fields:
- django_secret
postgres:
database: '[[ .instance ]]'
user: '{{ with secret "[[ .vault.prefix ]]/database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
password: '{{ with secret "[[ .vault.prefix ]]/database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
user: '{{ with secret "[[ .vault.root ]]/database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
password: '{{ with secret "[[ .vault.root ]]/database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
# Env variable to pass to the container
env:
BOUNCA_DB_NAME: '[[ .bounca.postgres.database ]]'
BOUNCA_DJANGO_SECRET: '{{ with secret "[[ .vault.prefix ]]/kv/service/[[ .instance ]]" }}{{ .Data.data.django_secret }}{{ end }}'
BOUNCA_DJANGO_SECRET: '{{ with secret "[[ .vault.root ]]/kv/service/[[ .instance ]]" }}{{ .Data.data.django_secret }}{{ end }}'
# Public URL where user can reach the app
public_url: https://pki.example.org

4
vault/policies/bounca.hcl
View File

@ -1,7 +1,7 @@
path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" {
path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
capabilities = ["read"]
}
path "[[ .vault.prefix ]]database/creds/[[ .instance ]]" {
path "[[ .vault.root ]]database/creds/[[ .instance ]]" {
capabilities = ["read"]
}