Cleanup

example/init/vault-database

@@ -2,7 +2,7 @@
 
 set -euo pipefail
 
-vault write database/roles/lemonldap-ng \
+vault write /database/roles/lemonldap-ng \
     db_name="postgres" \
     creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
         GRANT \"lemonldap-ng\" TO \"{{name}}\"; \

example/lemonldap-ng.nomad.hcl

@@ -58,8 +58,8 @@ job "lemonldap-ng" {
 
 
         "traefik.enable=true",
-        "traefik.http.routers.lemonldap-ng-manager.rule=Host(`manager.example.org`)",
         "traefik.http.routers.lemonldap-ng-manager.entrypoints=https",
+        "traefik.http.routers.lemonldap-ng-manager.rule=Host(`manager.example.org`)",
         "traefik.http.routers.lemonldap-ng-manager.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file",
 
 
@@ -274,8 +274,8 @@ PGHOST=127.0.0.1
 PGDATABASE=lemonldap-ng
 PGSSLMODE=disable
 PGPORT=5432
-PGUSER={{ with secret "database/creds/lemonldap-ng" }}{{ .Data.username }}{{ end }}
-PGPASSWORD={{ with secret "database/creds/lemonldap-ng" }}{{ .Data.password }}{{ end }}
+PGUSER={{ with secret "/database/creds/lemonldap-ng" }}{{ .Data.username }}{{ end }}
+PGPASSWORD={{ with secret "/database/creds/lemonldap-ng" }}{{ .Data.password }}{{ end }}
 _EOT
         destination = "secrets/.db.env"
         uid         = 100000

example/prep.d/10-mv-conf.sh

@@ -1,19 +0,0 @@
-#!/bin/sh
-
-set -eu
-
-
-
-if [ "lemonldap-ng" != "lemonldap-ng" ]; then
-  for DIR in vault consul nomad; do
-    if [ -d output/${DIR} ]; then
-      for FILE in $(find output/${DIR} -name "*lemonldap-ng*.hcl" -type f); do
-        NEW_FILE=$(echo "${FILE}" | sed -E "s/lemonldap-ng/lemonldap-ng/g")
-        mv "${FILE}" "${NEW_FILE}"
-      done
-    fi
-  done
-fi
-
-
-

example/vault/policies/lemonldap-ng.hcl

@@ -1,7 +1,7 @@
-path "kv/sevrice/lemonldap-ng" {
+path "/kv/sevrice/lemonldap-ng" {
   capabilities = ["read"]
 }
 
-path "database/creds/lemonldap-ng" {
+path "/database/creds/lemonldap-ng" {
   capabilities = ["read"]
 }

init/vault-database

@@ -2,7 +2,4 @@
 
 set -euo pipefail
 
-[[- template "common/vault.mkpgrole.sh"
-  dict "ctx" .
-       "config" (dict "role" .instance "database" "postgres")
-]]
+[[ template "common/vault.mkpgrole.sh" merge .llng.engine . ]]

prep.d/10-mv-conf.sh

@@ -1 +0,0 @@
-[[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "lemonldap-ng" .instance) ]]

variables.yml

@@ -42,8 +42,8 @@ llng:
     # Database settings
     postgres:
       database: '[[ .instance ]]'
-      user: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
-      password: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
+      user: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
+      password: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
 
     # Additional env vars to pass to the container
     env:
@@ -123,7 +123,7 @@ llng:
       # Disable default CSP as Lemonldap::NG handle CSP itself
       csp: false
 
-      router: '[[ .instance ]]-manager[[ .consul.suffix ]]'
+      router: manager
 
   # The API is exposed by the portal, but usually must be secured differently
   # The following settings only apply to the REST/SOAP API
@@ -141,5 +141,5 @@ llng:
         compression: false
 
       auto_rule: false
-      router: '[[ .instance ]]-api[[ .consul.suffix ]]'
+      router: api
 

vault/policies/lemonldap-ng.hcl

@@ -1,7 +1,7 @@
-path "[[ .vault.prefix ]]kv/sevrice/[[ .instance ]]" {
+path "[[ .vault.root ]]kv/sevrice/[[ .instance ]]" {
   capabilities = ["read"]
 }
 
-path "[[ .vault.prefix ]]database/creds/[[ .instance ]]" {
+path "[[ .vault.root ]]database/creds/[[ .instance ]]" {
   capabilities = ["read"]
 }