From 429040c4fd627cc07c63a2c33257013d5b726b59 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Wed, 31 Jan 2024 15:07:04 +0100
Subject: [PATCH] Cleanup

---
 example/init/{vault-miniflux => vault-database} | 2 +-
 example/miniflux.nomad.hcl | 8 ++++----
 example/vault/policies/miniflux.hcl | 4 ++--
 init/vault-database | 5 +++++
 init/vault-miniflux | 8 --------
 miniflux.nomad.hcl | 8 ++++----
 variables.yml | 5 -----
 vault/policies/miniflux.hcl | 4 ++--
 8 files changed, 18 insertions(+), 26 deletions(-)
 rename example/init/{vault-miniflux => vault-database} (89%)
 create mode 100755 init/vault-database
 delete mode 100755 init/vault-miniflux

diff --git a/example/init/vault-miniflux b/example/init/vault-database
similarity index 89%
rename from example/init/vault-miniflux
rename to example/init/vault-database
index e501344..f69c8a8 100755
--- a/example/init/vault-miniflux
+++ b/example/init/vault-database
@@ -2,7 +2,7 @@
 
 set -euo pipefail
 
-vault write database/roles/miniflux \
+vault write /database/roles/miniflux \
 db_name="postgres" \
 creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
 GRANT \"miniflux\" TO \"{{name}}\"; \
diff --git a/example/miniflux.nomad.hcl b/example/miniflux.nomad.hcl
index f4772a5..54f49c9 100644
--- a/example/miniflux.nomad.hcl
+++ b/example/miniflux.nomad.hcl
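Review bot: The leading slash added on `vault write /database/roles/miniflux \` is harmless for the CLI, which I believe strips it, but the same slash is also added to the `path "/kv/…"` and `path "/database/…"` rules in example/vault/policies/miniflux.hcl and to both `secret "/database/creds/miniflux"` lookups in example/miniflux.nomad.hcl, and those consumers should be checked against the deployed Vault and consul-template versions: a policy path that does not match simply denies, and the failure then surfaces as a template render error on the Nomad client rather than at policy load. If the slash is an artefact of `[[ .vault.root ]]` rendering as `/` in the templated files, normalising the prefix in the template (so the example keeps a plain mount-relative path) would remove the dependence on each tool's path handling. The `creation_statements` continue past the end of the hunk.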
@@ -69,10 +69,10 @@ job "miniflux" {
 
 tags = [
 "traefik.enable=true",
- "traefik.http.routers.miniflux.rule=Host(`flux.example.org`)",
 "traefik.http.routers.miniflux.entrypoints=https",
- "traefik.http.middlewares.miniflux-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
- "traefik.http.routers.miniflux.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,miniflux-csp",
+ "traefik.http.routers.miniflux.rule=Host(`flux.example.org`)",
+ "traefik.http.middlewares.csp-miniflux.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
+ "traefik.http.routers.miniflux.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-miniflux",
 ]
 }
 
@@ -137,7 +137,7 @@ job "miniflux" {
 
 template {
 data = <<_EOT
-DATABASE_URL=postgresql://{{ with secret "database/creds/miniflux" }}{{ .Data.username }}{{ end }}:{{ with secret "database/creds/miniflux" }}{{ urlquery .Data.password }}{{ end }}@127.0.0.1:5432/miniflux?sslmode=disable
+DATABASE_URL=postgresql://{{ with secret "/database/creds/miniflux" }}{{ .Data.username }}{{ end }}:{{ with secret "/database/creds/miniflux" }}{{ urlquery .Data.password }}{{ end }}@127.0.0.1:5432/miniflux?sslmode=disable
 _EOT
 destination = "secrets/.db.env"
 perms = 400
diff --git a/example/vault/policies/miniflux.hcl b/example/vault/policies/miniflux.hcl
index 6987fb5..10c5eff 100644
--- a/example/vault/policies/miniflux.hcl
+++ b/example/vault/policies/miniflux.hcl
@@ -1,6 +1,6 @@
-path "kv/data/service/miniflux" {
+path "/kv/data/service/miniflux" {
 capabilities = ["read"]
 }
-path "database/creds/miniflux" {
+path "/database/creds/miniflux" {
 capabilities = ["read"]
 }
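Review bot: The renamed `csp-miniflux` middleware still allows `script-src 'self' 'unsafe-inline' 'unsafe-eval'`, which removes most of what the directive is meant to prevent; if the Miniflux UI really needs both, say so next to the tag, e.g. `# unsafe-inline/unsafe-eval needed by the Miniflux front end — re-check on upgrade`, and otherwise try dropping `'unsafe-eval'` first as it is the broader allowance. The rename is applied consistently to the middleware definition and to the router's `middlewares=` list within this hunk, so nothing here is left pointing at the old `miniflux-csp` name. Miniflux may also send its own Content-Security-Policy header; if it does, the Traefik policy should be reconciled with it rather than assumed to be the only one in effect.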
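Review bot: The `DATABASE_URL` line looks up `secret "/database/creds/miniflux"` twice to assemble one credential pair; consul-template caches the secret by path so both calls should see the same lease, but a single `{{ with secret "/database/creds/miniflux" }}{{ .Data.username }}:{{ urlquery .Data.password }}{{ end }}` makes the pairing explicit and cannot mix two leases. `sslmode=disable` against `127.0.0.1:5432` is only acceptable because that port is presumably the local Connect sidecar (variables.yml binds a `postgres` upstream to `local_bind_port: 5432`); a short comment on the template saying so would stop someone copying the example into a setup without the sidecar and sending the credentials in clear. `perms = 400` on the rendered env file is the right choice for a file holding dynamic credentials.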
diff --git a/init/vault-database b/init/vault-database
new file mode 100755
index 0000000..92c16c0
--- /dev/null
+++ b/init/vault-database
@@ -0,0 +1,5 @@
+#!/bin/sh + set -euo pipefail + [[ template "common/vault.mkpgrole.sh" merge .miniflux . ]]
diff --git a/init/vault-miniflux b/init/vault-miniflux
deleted file mode 100755
index a44f309..0000000
--- a/init/vault-miniflux
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/sh - set -euo pipefail - [[- template "common/vault.mkpgrole.sh" - dict "ctx" . - "config" (dict "role" .instance "database" "postgres") -]]
diff --git a/miniflux.nomad.hcl b/miniflux.nomad.hcl
index e516f16..1afeeb5 100644
--- a/miniflux.nomad.hcl
+++ b/miniflux.nomad.hcl
@@ -1,7 +1,7 @@
-[[- $c := merge .miniflux . -]] - job "[[ .instance ]]" { +[[- $c := merge .miniflux . ]] + [[ template "common/job_start" $c ]] group "miniflux" {
@@ -78,8 +78,8 @@ DATABASE_URL=postgresql://
 [[- end ]]
 _EOT
 destination = "secrets/.db.env"
- perms = 400
- env = true
+ perms = 400
+ env = true
 }
 
 [[ template "common/file_env" $c ]]
diff --git a/variables.yml b/variables.yml
index bd5676e..bd3f6fb 100644
--- a/variables.yml
+++ b/variables.yml
@@ -24,11 +24,6 @@ miniflux:
 - destination_name: 'postgres[[ .consul.suffix ]]'
 local_bind_port: 5432
- postgres:
- database: '[[ .instance ]]'
- user: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
- password: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
-
 vault:
 policies:
 - '[[ .instance ]][[ .consul.suffix ]]'
diff --git a/vault/policies/miniflux.hcl b/vault/policies/miniflux.hcl
index 5211edb..13790a2 100644
--- a/vault/policies/miniflux.hcl
+++ b/vault/policies/miniflux.hcl
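Review bot: `#!/bin/sh` together with `set -euo pipefail` in the new init/vault-database is not portable: `pipefail` is not a POSIX sh option, and where /bin/sh is a shell without it (older dash releases, for instance) the `set` call itself errors out and the script stops before the role is ever created; use `#!/bin/bash`, or `set -eu` if the pipefail guarantee is not needed. The same shebang/option pair is in the renamed example script earlier in the patch. The call now passes `merge .miniflux .` where the deleted script passed `dict "role" .instance "database" "postgres"` explicitly, so the role name and target database the common template uses are no longer visible in this file; I assume common/vault.mkpgrole.sh derives them from the merged context, which is worth confirming since the same commit removes the `postgres:` block from variables.yml.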
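Review bot: Dropping the `postgres.user` and `postgres.password` entries from variables.yml is only safe if no template still reads `.miniflux.postgres`; the DATABASE_URL template in miniflux.nomad.hcl is visible here only from `[[- end ]]` onward (the hunk at @@ -78), so the part that used to consume these values cannot be checked from this diff and should be verified before merging. The removed values hard-coded `[[ .vault.prefix ]]` while the policy files in this commit switch to `[[ .vault.root ]]`; whatever now builds the creds path should use the same variable as the policy, so the path the job reads and the path the policy grants cannot drift apart.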
@@ -1,6 +1,6 @@
-path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" {
+path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
 capabilities = ["read"]
 }
-path "[[ .vault.prefix ]]database/creds/[[ .instance ]]" {
+path "[[ .vault.root ]]database/creds/[[ .instance ]]" {
 capabilities = ["read"]
 }
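Review bot: `[[ .vault.root ]]` replaces `[[ .vault.prefix ]]` in both path rules, but nothing in this commit defines `vault.root` (the variables.yml hunk only removes keys); if it comes from a shared variables file that is fine, otherwise the key would render as an empty or `<no value>` prefix (depending on the template engine's missing-key setting) and the policy would grant read on a path the job never requests, failing closed but silently. A rendered check that compares the generated policy paths against the `secret "…"` paths in the rendered job template would catch this. The same rename should also be applied to any other policy or template in the repository that still uses `.vault.prefix`, which cannot be seen from this diff.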