Cleanup

2024-01-31 15:15:52 +01:00 · 2024-01-31 15:15:52 +01:00 · 87524f9256
parent 33ab43c8e2
commit 87524f9256
9 changed files with 39 additions and 47 deletions
--- a/example/init/vault-onlyoffice-docserver
+++ b/example/init/vault-onlyoffice-docserver
@ -2,7 +2,7 @@

 set -euo pipefail

-vault write database/roles/onlyoffice \
+vault write /database/roles/onlyoffice \
    db_name="postgres" \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
        GRANT \"onlyoffice\" TO \"{{name}}\"; \
--- a/example/onlyoffice-docserver.nomad.hcl
+++ b/example/onlyoffice-docserver.nomad.hcl
@ -123,8 +123,8 @@ job "onlyoffice" {
      template {
        data        = <<_EOT
 LANG=fr_FR.utf8
-OO_JWT_TOKEN={{ with secret "kv/service/onlyoffice" }}{{ .Data.data.jwt_token }}{{ end }}
-OO_STORAGE_SECRET={{ with secret "kv/service/onlyoffice" }}{{ .Data.data.storage_secret }}{{ end }}
+OO_JWT_TOKEN={{ with secret "/kv/service/onlyoffice" }}{{ .Data.data.jwt_token }}{{ end }}
+OO_STORAGE_SECRET={{ with secret "/kv/service/onlyoffice" }}{{ .Data.data.storage_secret }}{{ end }}
 TZ=Europe/Paris
 _EOT
        destination = "secrets/.env"
@ -139,8 +139,8 @@ _EOT
 OO_DB_NAME='onlyoffice'
 OO_DB_HOST=127.0.0.1
 OO_DB_PORT=5432
-OO_DB_USER={{ with secret "database/creds/onlyoffice" }}{{ .Data.username }}{{ end }}
-OO_DB_PASS={{ with secret "database/creds/onlyoffice" }}{{ .Data.password }}{{ end }}
+OO_DB_USER={{ with secret "/database/creds/onlyoffice" }}{{ .Data.username }}{{ end }}
+OO_DB_PASS={{ with secret "/database/creds/onlyoffice" }}{{ .Data.password }}{{ end }}
 _EOT
        destination = "secrets/.db.env"
        uid         = 100000
--- a/example/prep.d/20-rand-keys.sh
+++ b/example/prep.d/20-rand-keys.sh
@ -2,17 +2,23 @@

 set -euo pipefail

-# Initialize random passwords if needed
+# vim: syntax=sh
+
+export LC_ALL=C
+VAULT_KV_PATH=/kv/service/onlyoffice
+RAND_CMD="tr -dc A-Za-z0-9\-_\/=~\.+ < /dev/urandom | head -c 50"
+if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
+  vault kv put ${VAULT_KV_PATH} \
+    jwt_token="$(sh -c "${RAND_CMD}")" \
+    storage_secret="$(sh -c "${RAND_CMD}")" \

-if ! vault kv list kv/service 2>/dev/null | grep -q -E '^onlyoffice$'; then
-  vault kv put kv/service/onlyoffice \
-    jwt_token=$(pwgen -s -n 50 1) \
-    storage_secret=$(pwgen -s -n 50 1)
 fi
-
-for PWD in jwt_token storage_secret; do
-  if ! vault kv get -field ${PWD} kv/service/onlyoffice >/dev/null 2>&1; then
-    vault kv patch kv/service/onlyoffice \
-      ${PWD}=$(pwgen -s -n 50 1)
+for SECRET in jwt_token storage_secret; do
+  if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then
+    vault kv patch ${VAULT_KV_PATH} \
+      ${SECRET}=$(sh -c "${RAND_CMD}")
  fi
 done
+
+
+
--- a/example/vault/policies/onlyoffice.hcl
+++ b/example/vault/policies/onlyoffice.hcl
@ -1,8 +1,8 @@
-path "kv/data/service/onlyoffice" {
+path "/kv/data/service/onlyoffice" {
  capabilities = ["read"]
 }

-path "database/creds/onlyoffice" {
+path "/database/creds/onlyoffice" {
  capabilities = ["read"]
 }

--- a/init/vault-database
+++ b/init/vault-database
@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -euo pipefail
+
+[[ template "common/vault.mkpgrole.sh" merge .oo.ds . ]]
--- a/init/vault-onlyoffice-docserver
+++ b/init/vault-onlyoffice-docserver
@ -1,8 +0,0 @@
-#!/bin/sh
-
-set -euo pipefail
-
-[[- template "common/vault.mkpgrole.sh"
-  dict "ctx" .
-       "config" (dict "role" .instance "database" "postgres")
-]]
--- a/prep.d/20-rand-keys.sh
+++ b/prep.d/20-rand-keys.sh
@ -2,17 +2,5 @@

 set -euo pipefail

-# Initialize random passwords if needed
+[[ template "common/vault.rand_secrets" merge .oo.ds . ]]

-if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .instance ]]$'; then
-  vault kv put [[ .vault.prefix ]]kv/service/[[ .instance ]] \
-    jwt_token=$(pwgen -s -n 50 1) \
-    storage_secret=$(pwgen -s -n 50 1)
-fi
-
-for PWD in jwt_token storage_secret; do
-  if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .instance ]] >/dev/null 2>&1; then
-    vault kv patch [[ .vault.prefix ]]kv/service/[[ .instance ]] \
-      ${PWD}=$(pwgen -s -n 50 1)
-  fi
-done
--- a/variables.yml
+++ b/variables.yml
@ -24,18 +24,19 @@ oo:
    public_url: https://oods.example.org

    vault:
+      # Vault policies to attach to the task
      policies:
        - '[[ .instance ]][[ .consul.suffix ]]'
-
-    postgres:
-      database: '[[ .instance ]]'
-      user: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
-      password: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
+      # Random secrets to generate
+      rand_secrets:
+        fields:
+          - jwt_token
+          - storage_secret

    # Additional env vars to set in the container
    env:
-      OO_STORAGE_SECRET: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.storage_secret }}{{ end }}'
-      OO_JWT_TOKEN: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.jwt_token }}{{ end }}'
+      OO_STORAGE_SECRET: '{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.storage_secret }}{{ end }}'
+      OO_JWT_TOKEN: '{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.jwt_token }}{{ end }}'

    # Controls how the service will be exposed with Traefik
    traefik:
--- a/vault/policies/onlyoffice.hcl
+++ b/vault/policies/onlyoffice.hcl
@ -1,8 +1,8 @@
-path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" {
+path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
  capabilities = ["read"]
 }

-path "[[ .vault.prefix ]]database/creds/[[ .instance ]]" {
+path "[[ .vault.root ]]database/creds/[[ .instance ]]" {
  capabilities = ["read"]
 }