Cleanup
This commit is contained in:
parent
18114b36db
commit
429040c4fd
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
vault write database/roles/miniflux \
|
vault write /database/roles/miniflux \
|
||||||
db_name="postgres" \
|
db_name="postgres" \
|
||||||
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
|
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
|
||||||
GRANT \"miniflux\" TO \"{{name}}\"; \
|
GRANT \"miniflux\" TO \"{{name}}\"; \
|
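Review bot: The leading slash now in `vault write /database/roles/miniflux` (and likewise in the `secret "/database/creds/miniflux"` path of the DATABASE_URL hunk and the `path "/kv/data/…"` / `path "/database/creds/…"` policy lines) appears to come from the `.vault.prefix` → `.vault.root` switch in the policy-template hunk, so `.vault.root` presumably expands to `/` in this rendering. As far as I know the Vault CLI, the policy parser and consul-template's `secret` all strip a leading slash, so the rendered files should behave as before, but nothing on this page verifies that; I would confirm that a policy rendered this way still grants `read` on a test mount before depending on it. A one-line comment where `.vault.root` is defined (not visible here) stating whether it is expected to end with `/` would keep the two conventions from drifting apart.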
|
@ -69,10 +69,10 @@ job "miniflux" {
|
||||||
tags = [
|
tags = [
|
||||||
|
|
||||||
"traefik.enable=true",
|
"traefik.enable=true",
|
||||||
"traefik.http.routers.miniflux.rule=Host(`flux.example.org`)",
|
|
||||||
"traefik.http.routers.miniflux.entrypoints=https",
|
"traefik.http.routers.miniflux.entrypoints=https",
|
||||||
"traefik.http.middlewares.miniflux-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
"traefik.http.routers.miniflux.rule=Host(`flux.example.org`)",
|
||||||
"traefik.http.routers.miniflux.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,miniflux-csp",
|
"traefik.http.middlewares.csp-miniflux.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
||||||
|
"traefik.http.routers.miniflux.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-miniflux",
|
||||||
|
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
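Review bot: The `csp-miniflux` middleware keeps `script-src 'self' 'unsafe-inline' 'unsafe-eval'`, which removes most of the XSS mitigation a CSP provides; the commit only renames the middleware, so the value is pre-existing, but it deserves either a tightening or a comment. If the Miniflux UI genuinely needs inline scripts, a comment next to the tag in the generating template (this file looks rendered) such as `# unsafe-inline/unsafe-eval required by <feature>; revisit on upgrade` documents the trade-off; otherwise drop `'unsafe-eval'` first and test. Note also that `security-headers@file` precedes `csp-miniflux` in the `middlewares=` list, so if that file-provider middleware sets its own Content-Security-Policy the two will compete; confirm which value actually reaches the client. The enclosing `job "miniflux"` block starts outside the hunk.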
|
@ -137,7 +137,7 @@ job "miniflux" {
|
||||||
|
|
||||||
template {
|
template {
|
||||||
data = <<_EOT
|
data = <<_EOT
|
||||||
DATABASE_URL=postgresql://{{ with secret "database/creds/miniflux" }}{{ .Data.username }}{{ end }}:{{ with secret "database/creds/miniflux" }}{{ urlquery .Data.password }}{{ end }}@127.0.0.1:5432/miniflux?sslmode=disable
|
DATABASE_URL=postgresql://{{ with secret "/database/creds/miniflux" }}{{ .Data.username }}{{ end }}:{{ with secret "/database/creds/miniflux" }}{{ urlquery .Data.password }}{{ end }}@127.0.0.1:5432/miniflux?sslmode=disable
|
||||||
_EOT
|
_EOT
|
||||||
destination = "secrets/.db.env"
|
destination = "secrets/.db.env"
|
||||||
perms = 400
|
perms = 400
|
||||||
|
|
|
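Review bot: `DATABASE_URL` reads `secret "/database/creds/miniflux"` in two separate `with` blocks, one for the username and one for the password; as far as I know consul-template de-duplicates identical dependencies so both come from the same lease, but a single block is easier to read and removes the doubt, e.g. `DATABASE_URL=postgresql://{{ with secret "/database/creds/miniflux" }}{{ .Data.username }}:{{ urlquery .Data.password }}{{ end }}@127.0.0.1:5432/miniflux?sslmode=disable`. This file looks like rendered output, so the edit belongs in the template it is generated from. `sslmode=disable` toward `127.0.0.1:5432` is presumably acceptable only because the port is a Consul Connect local bind (`local_bind_port: 5432` appears in a later hunk); a short comment saying so would stop someone later "fixing" it in the wrong direction. The enclosing `template` stanza is cut off at the end of the hunk.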
@ -1,6 +1,6 @@
|
||||||
path "kv/data/service/miniflux" {
|
path "/kv/data/service/miniflux" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
path "database/creds/miniflux" {
|
path "/database/creds/miniflux" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
[[ template "common/vault.mkpgrole.sh" merge .miniflux . ]]
|
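Review bot: The new script pairs `#!/bin/sh` with `set -euo pipefail`, but `pipefail` is not a POSIX `sh` option; on systems where `/bin/sh` is a shell that lacks it (older dash, for example), `set -o pipefail` fails and, with `-e` in effect, the rendered script exits before it reaches the template call. Either change the shebang to `#!/usr/bin/env bash` (or `#!/bin/bash`), or drop `-o pipefail` and keep `set -eu`. The same pairing shows as context in the first hunk's rendered script and was present in the deleted file, so the commit inherits rather than introduces it. The argument passed to `common/vault.mkpgrole.sh` also changes shape (`merge .miniflux .` instead of `dict "ctx" . "config" (…)`), which presumes that shared template was moved to the new contract in a change outside this page; worth confirming no other caller still uses the old form.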
|
@ -1,8 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
[[- template "common/vault.mkpgrole.sh"
|
|
||||||
dict "ctx" .
|
|
||||||
"config" (dict "role" .instance "database" "postgres")
|
|
||||||
]]
|
|
|
@ -1,7 +1,7 @@
|
||||||
[[- $c := merge .miniflux . -]]
|
|
||||||
|
|
||||||
job "[[ .instance ]]" {
|
job "[[ .instance ]]" {
|
||||||
|
|
||||||
|
[[- $c := merge .miniflux . ]]
|
||||||
|
|
||||||
[[ template "common/job_start" $c ]]
|
[[ template "common/job_start" $c ]]
|
||||||
|
|
||||||
group "miniflux" {
|
group "miniflux" {
|
||||||
|
@ -78,8 +78,8 @@ DATABASE_URL=postgresql://
|
||||||
[[- end ]]
|
[[- end ]]
|
||||||
_EOT
|
_EOT
|
||||||
destination = "secrets/.db.env"
|
destination = "secrets/.db.env"
|
||||||
perms = 400
|
perms = 400
|
||||||
env = true
|
env = true
|
||||||
}
|
}
|
||||||
|
|
||||||
[[ template "common/file_env" $c ]]
|
[[ template "common/file_env" $c ]]
|
||||||
|
|
|
@ -24,11 +24,6 @@ miniflux:
|
||||||
- destination_name: 'postgres[[ .consul.suffix ]]'
|
- destination_name: 'postgres[[ .consul.suffix ]]'
|
||||||
local_bind_port: 5432
|
local_bind_port: 5432
|
||||||
|
|
||||||
postgres:
|
|
||||||
database: '[[ .instance ]]'
|
|
||||||
user: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
|
|
||||||
password: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
|
|
||||||
|
|
||||||
vault:
|
vault:
|
||||||
policies:
|
policies:
|
||||||
- '[[ .instance ]][[ .consul.suffix ]]'
|
- '[[ .instance ]][[ .consul.suffix ]]'
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" {
|
path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
path "[[ .vault.prefix ]]database/creds/[[ .instance ]]" {
|
path "[[ .vault.root ]]database/creds/[[ .instance ]]" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|