From 4cbaee8c844b82eee974014e64042bd2d103c24f Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Wed, 31 Jan 2024 13:50:03 +0100
Subject: [PATCH] Cleanup
---
 example/immich.nomad.hcl | 17 +++++++++--------
 example/init/vault-database | 2 +-
 example/prep.d/10-mv-conf.sh | 19 -------------------
 example/vault/policies/immich.hcl | 4 ++--
 immich.nomad.hcl | 5 +++--
 init/vault-database | 5 +----
 prep.d/10-mv-conf.sh | 1 -
 variables.yml | 7 +++----
 vault/policies/immich.hcl | 4 ++--
 9 files changed, 21 insertions(+), 43 deletions(-)
 delete mode 100755 example/prep.d/10-mv-conf.sh
 delete mode 100755 prep.d/10-mv-conf.sh
diff --git a/example/immich.nomad.hcl b/example/immich.nomad.hcl
index 28471e4..60f08b0 100644
--- a/example/immich.nomad.hcl
+++ b/example/immich.nomad.hcl
@@ -75,17 +75,18 @@ job "immich" {
 tags = [
 "traefik.enable=true",
- "traefik.http.routers.immich.rule=Host(`immich.example.org`)",
 "traefik.http.routers.immich.entrypoints=https",
- "traefik.http.middlewares.immich-csp.headers.contentsecuritypolicy=connect-src 'self' https://maputnik.github.io https://*.cofractal.com https://fonts.openmaptiles.org;default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
- "traefik.http.routers.immich.middlewares=security-headers@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,immich-csp",
+ "traefik.http.routers.immich.rule=Host(`immich.example.org`)",
+ "traefik.http.middlewares.csp-immich.headers.contentsecuritypolicy=connect-src 'self' https://maputnik.github.io https://*.cofractal.com https://fonts.openmaptiles.org;default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
+ "traefik.http.routers.immich.middlewares=security-headers@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-immich",
- "traefik.http.routers.immich-share.rule=Host(`immich.example.org`) && PathRegexp(`^/(share/|_app/immutable/|custom\\.css|api/(asset|server-info)/)",
+
+ "traefik.http.routers.share.rule=Host(`immich.example.org`) && PathRegexp(`^/(share/|_app/immutable/|custom\\.css|api/(asset|server-info)/.*)`)",
 "traefik.enable=true",
 "traefik.http.routers.immich-share.entrypoints=https",
- "traefik.http.middlewares.immich-csp.headers.contentsecuritypolicy=connect-src 'self' https://maputnik.github.io https://*.cofractal.com https://fonts.openmaptiles.org;default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
- "traefik.http.routers.immich-share.middlewares=security-headers@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,immich-csp",
+ "traefik.http.middlewares.csp-immich-share.headers.contentsecuritypolicy=connect-src 'self' https://maputnik.github.io https://*.cofractal.com https://fonts.openmaptiles.org;default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
+ "traefik.http.routers.immich-share.middlewares=security-headers@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-immich-share",
 ]
 }
@@ -165,7 +166,7 @@ _EOT
 template {
 data = <<_EOT
-DB_URL=postgres://{{ with secret "database/creds/immich" }}{{ .Data.username }}{{ end }}:{{ with secret "database/creds/immich" }}{{ .Data.password }}{{ end }}@127.0.0.1:5432/immich
+DB_URL=postgres://{{ with secret "/database/creds/immich" }}{{ .Data.username }}{{ end }}:{{ with secret "/database/creds/immich" }}{{ .Data.password }}{{ end }}@127.0.0.1:5432/immich
 _EOT
 destination = "secrets/.db.env"
 perms = 400
@@ -231,7 +232,7 @@ _EOT
 template {
 data = <<_EOT
-DB_URL=postgres://{{ with secret "database/creds/immich" }}{{ .Data.username }}{{ end }}:{{ with secret "database/creds/immich" }}{{ .Data.password }}{{ end }}@127.0.0.1:5432/immich
+DB_URL=postgres://{{ with secret "/database/creds/immich" }}{{ .Data.username }}{{ end }}:{{ with secret "/database/creds/immich" }}{{ .Data.password }}{{ end }}@127.0.0.1:5432/immich
 _EOT
 destination = "secrets/.db.env"
 perms = 400
diff --git a/example/init/vault-database b/example/init/vault-database
index bf75d1c..6220163 100755
--- a/example/init/vault-database
+++ b/example/init/vault-database
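Review bot: The new share router is inconsistent with itself: the rule is attached to a router named `share` (`traefik.http.routers.share.rule=…`) while the unchanged context lines still configure `traefik.http.routers.immich-share.entrypoints=https` and `traefik.http.routers.immich-share.middlewares=…,csp-immich-share`. As written, Traefik sees a `share` router with a rule but no entrypoint and no middleware chain (so the shared-link paths would be served without security-headers, hsts or the CSP), and an `immich-share` router without a rule, which it rejects. Since this is the rendered example, it looks like the rule line was regenerated with `router: share` from variables.yml while the other tags were not; either change the rule line back to `traefik.http.routers.immich-share.rule=` or regenerate the whole tag set from the template. The enclosing `job` block starts and ends outside the hunk.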
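Review bot: The Vault paths in the two `DB_URL` templates now start with a slash (`secret "/database/creds/immich"`), and the same rendering of `.vault.root` as `/` appears in example/init/vault-database, example/vault/policies/immich.hcl and vault/policies/immich.hcl. The Vault CLI strips a leading slash, but I would confirm that the template `secret` function and policy `path` matching normalize it the same way before relying on it, because a policy path and a request path that disagree on the leading slash would deny the read of the database credentials at runtime rather than at render time. If `vault.root` is meant to be a mount prefix (for example for a namespaced deployment), rendering it without a leading slash in variables.yml keeps the example identical to the previous `database/creds/immich`. The hunk at line 231 has the same change.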
@@ -2,7 +2,7 @@ set -euo pipefail
-vault write database/roles/immich \
+vault write /database/roles/immich \
 db_name="postgres" \
 creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
 GRANT \"immich\" TO \"{{name}}\"; \
diff --git a/example/prep.d/10-mv-conf.sh b/example/prep.d/10-mv-conf.sh
deleted file mode 100755
index 58cf3bc..0000000
--- a/example/prep.d/10-mv-conf.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/sh
-
-set -eu
-
-
-
-if [ "immich" != "immich" ]; then
- for DIR in vault consul nomad; do
- if [ -d output/${DIR} ]; then
- for FILE in $(find output/${DIR} -name "*immich*.hcl" -type f); do
- NEW_FILE=$(echo "${FILE}" | sed -E "s/immich/immich/g")
- mv "${FILE}" "${NEW_FILE}"
- done
- fi
- done
-fi
-
-
-
diff --git a/example/vault/policies/immich.hcl b/example/vault/policies/immich.hcl
index 112e1a7..665ba9f 100644
--- a/example/vault/policies/immich.hcl
+++ b/example/vault/policies/immich.hcl
@@ -1,7 +1,7 @@
-path "database/creds/immich" {
+path "/database/creds/immich" {
 capabilities = ["read"]
 }
-path "kv/data/service/immich" {
+path "/kv/data/service/immich" {
 capabilities = ["read"]
 }
diff --git a/immich.nomad.hcl b/immich.nomad.hcl
index 3b65003..444aa05 100644
--- a/immich.nomad.hcl
+++ b/immich.nomad.hcl
@@ -35,8 +35,9 @@ job "[[ .instance ]]" {
 tags = [
 [[ template "common/traefik_tags" $c ]]
 [[- $s := merge $c.share $c ]]
- "[[ $s.traefik.instance ]].http.routers.[[ $s.traefik.router ]].rule=Host(`[[ (urlParse $s.public_url).Hostname ]]`) && PathRegexp(`^[[ (urlParse $s.public_url).Path ]]/(share/|_app/immutable/|custom\\.css|api/(asset|server-info)/)",
-[[ template "common/traefik_tags" merge $s ]]
+
+ "[[ $s.traefik.instance ]].http.routers.[[ $s.traefik.router ]].rule=Host(`[[ (urlParse $s.public_url).Hostname ]]`) && PathRegexp(`^[[ (urlParse $s.public_url).Path ]]/(share/|_app/immutable/|custom\\.css|api/(asset|server-info)/.*)`)",
+[[ template "common/traefik_tags" $s ]]
 ]
 }
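Review bot: The share rule builds its regex as `^[[ (urlParse $s.public_url).Path ]]/(share/|…)`, so it only matches when `public_url` has no trailing slash; a `public_url` ending in `/` yields `…//(share/…`, which never matches and silently leaves the share router dead. Presumably `public_url` is normalized elsewhere, but if not, `^[[ (urlParse $s.public_url).Path | trimSuffix "/" ]]/(share/…` makes the tag robust to both forms. The remaining tags for this router come from `common/traefik_tags $s`, which is not in the diff, so I cannot tell whether the router name it emits matches `$s.traefik.router` (now `share` in variables.yml); the rendered example still shows `immich-share` on its entrypoints and middlewares lines. The enclosing `job` block starts and ends outside the hunk.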
diff --git a/init/vault-database b/init/vault-database
index a44f309..d8dd321 100755
--- a/init/vault-database
+++ b/init/vault-database
@@ -2,7 +2,4 @@ set -euo pipefail
-[[- template "common/vault.mkpgrole.sh"
- dict "ctx" .
- "config" (dict "role" .instance "database" "postgres")
-]]
+[[ template "common/vault.mkpgrole.sh" merge .immich . ]]
diff --git a/prep.d/10-mv-conf.sh b/prep.d/10-mv-conf.sh
deleted file mode 100755
index 538c6e6..0000000
--- a/prep.d/10-mv-conf.sh
+++ /dev/null
@@ -1 +0,0 @@
-[[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "immich" .instance) ]]
diff --git a/variables.yml b/variables.yml
index 0d47fd9..98c00cd 100644
--- a/variables.yml
+++ b/variables.yml
@@ -10,8 +10,8 @@ immich:
 postgres:
 database: '[[ .instance ]]'
- user: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
- password: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
+ user: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
+ password: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
 # API server settings
 server:
@@ -64,7 +64,7 @@ immich:
 share:
 traefik:
 auto_rule: false
- router: '[[ .instance ]]-share[[ .consul.suffix ]]'
+ router: share
 # Volumes used for data storage
 volumes:
@@ -81,7 +81,6 @@ immich:
 # Env vars to set in the container
 env:
- #DB_URL: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}postgres://{{ .Data.username }}:{{ urlquery .Data.password }}@localhost:5432/[[ .instance ]]{{ end }}'
 NODE_OPTIONS: --max-old-space-size={{ env "NOMAD_MEMORY_LIMIT" }}
 vault:
diff --git a/vault/policies/immich.hcl b/vault/policies/immich.hcl
index 5dde288..493c8de 100644
--- a/vault/policies/immich.hcl
+++ b/vault/policies/immich.hcl
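Review bot: `router: share` replaces the instance- and suffix-qualified name `[[ .instance ]]-share[[ .consul.suffix ]]`, so every deployment rendered from this pack registers a Traefik router literally called `share`; router names taken from service tags are global within a provider, and two services publishing `traefik.http.routers.share.*` would clash, leaving one of them without its rule or middleware chain. Unless `common/traefik_tags` prefixes the name (not visible here), `router: '[[ .instance ]]-share[[ .consul.suffix ]]'` or at least `router: '[[ .instance ]]-share'` keeps it unique per deployment. The rendered example in this same commit still shows `immich-share` for this router's entrypoints and middlewares, which suggests the example was not regenerated after this change.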
@@ -1,7 +1,7 @@
-path "[[ .vault.prefix ]]database/creds/[[ .instance ]]" {
+path "[[ .vault.root ]]database/creds/[[ .instance ]]" {
 capabilities = ["read"]
 }
-path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" {
+path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
 capabilities = ["read"]
 }