Cleanup
This commit is contained in:
parent
33ab43c8e2
commit
87524f9256
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
vault write database/roles/onlyoffice \
|
vault write /database/roles/onlyoffice \
|
||||||
db_name="postgres" \
|
db_name="postgres" \
|
||||||
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
|
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
|
||||||
GRANT \"onlyoffice\" TO \"{{name}}\"; \
|
GRANT \"onlyoffice\" TO \"{{name}}\"; \
|
|
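Review bot: The new role path `/database/roles/onlyoffice` carries a leading slash, and the same rendered root reaches the Nomad template lookups (`{{ with secret "/kv/service/onlyoffice" }}`, `{{ with secret "/database/creds/onlyoffice" }}`) and the policy rules (`path "/kv/data/service/onlyoffice"`, `path "/database/creds/onlyoffice"`) in the following sections. As far as I know the `vault` CLI strips a leading slash before sending the request, but I have not confirmed that the template `secret` function and the policy path matcher do the same; if either treats `/kv/...` as a distinct path, the task would fail to read its secrets or the policy would grant nothing, and the CLI-driven scripts would keep working, which makes it easy to miss. Worth checking against a running Vault before relying on a root that renders to `/`, or render the root without the slash so every consumer sees the canonical `kv/...` form. The `vault write` command continues past the end of this hunk.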
@ -123,8 +123,8 @@ job "onlyoffice" {
|
||||||
template {
|
template {
|
||||||
data = <<_EOT
|
data = <<_EOT
|
||||||
LANG=fr_FR.utf8
|
LANG=fr_FR.utf8
|
||||||
OO_JWT_TOKEN={{ with secret "kv/service/onlyoffice" }}{{ .Data.data.jwt_token }}{{ end }}
|
OO_JWT_TOKEN={{ with secret "/kv/service/onlyoffice" }}{{ .Data.data.jwt_token }}{{ end }}
|
||||||
OO_STORAGE_SECRET={{ with secret "kv/service/onlyoffice" }}{{ .Data.data.storage_secret }}{{ end }}
|
OO_STORAGE_SECRET={{ with secret "/kv/service/onlyoffice" }}{{ .Data.data.storage_secret }}{{ end }}
|
||||||
TZ=Europe/Paris
|
TZ=Europe/Paris
|
||||||
_EOT
|
_EOT
|
||||||
destination = "secrets/.env"
|
destination = "secrets/.env"
|
||||||
|
@ -139,8 +139,8 @@ _EOT
|
||||||
OO_DB_NAME='onlyoffice'
|
OO_DB_NAME='onlyoffice'
|
||||||
OO_DB_HOST=127.0.0.1
|
OO_DB_HOST=127.0.0.1
|
||||||
OO_DB_PORT=5432
|
OO_DB_PORT=5432
|
||||||
OO_DB_USER={{ with secret "database/creds/onlyoffice" }}{{ .Data.username }}{{ end }}
|
OO_DB_USER={{ with secret "/database/creds/onlyoffice" }}{{ .Data.username }}{{ end }}
|
||||||
OO_DB_PASS={{ with secret "database/creds/onlyoffice" }}{{ .Data.password }}{{ end }}
|
OO_DB_PASS={{ with secret "/database/creds/onlyoffice" }}{{ .Data.password }}{{ end }}
|
||||||
_EOT
|
_EOT
|
||||||
destination = "secrets/.db.env"
|
destination = "secrets/.db.env"
|
||||||
uid = 100000
|
uid = 100000
|
||||||
|
|
|
@ -2,17 +2,23 @@
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
# Initialize random passwords if needed
|
# vim: syntax=sh
|
||||||
|
|
||||||
|
export LC_ALL=C
|
||||||
|
VAULT_KV_PATH=/kv/service/onlyoffice
|
||||||
|
RAND_CMD="tr -dc A-Za-z0-9\-_\/=~\.+ < /dev/urandom | head -c 50"
|
||||||
|
if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
|
||||||
|
vault kv put ${VAULT_KV_PATH} \
|
||||||
|
jwt_token="$(sh -c "${RAND_CMD}")" \
|
||||||
|
storage_secret="$(sh -c "${RAND_CMD}")" \
|
||||||
|
|
||||||
if ! vault kv list kv/service 2>/dev/null | grep -q -E '^onlyoffice$'; then
|
|
||||||
vault kv put kv/service/onlyoffice \
|
|
||||||
jwt_token=$(pwgen -s -n 50 1) \
|
|
||||||
storage_secret=$(pwgen -s -n 50 1)
|
|
||||||
fi
|
fi
|
||||||
|
for SECRET in jwt_token storage_secret; do
|
||||||
for PWD in jwt_token storage_secret; do
|
if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then
|
||||||
if ! vault kv get -field ${PWD} kv/service/onlyoffice >/dev/null 2>&1; then
|
vault kv patch ${VAULT_KV_PATH} \
|
||||||
vault kv patch kv/service/onlyoffice \
|
${SECRET}=$(sh -c "${RAND_CMD}")
|
||||||
${PWD}=$(pwgen -s -n 50 1)
|
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
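Review bot: The last argument of the `vault kv put` call, `storage_secret="$(sh -c "${RAND_CMD}")" \`, ends with a line continuation and the next non-blank line is `fi`; unless the rendered file really has a blank line between them, `fi` is passed to `vault` as one more argument and the `if` is left unterminated, so the script fails to parse. Dropping the backslash on the final field (or emitting the fields without a trailing continuation) fixes it. Separately, the `vault kv patch` argument `${SECRET}=$(sh -c "${RAND_CMD}")` is unquoted while the `put` arguments are quoted; the generated set already includes `=`, `/`, `~`, `.` and `+`, so writing `"${SECRET}=$(sh -c "${RAND_CMD}")"` keeps the two code paths consistent and protects against a future change to the character set adding glob or IFS characters. This file looks like rendered output, so the fix presumably belongs in the `common/vault.rand_secrets` template, which is not in this diff.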
@ -1,8 +1,8 @@
|
||||||
path "kv/data/service/onlyoffice" {
|
path "/kv/data/service/onlyoffice" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|
||||||
path "database/creds/onlyoffice" {
|
path "/database/creds/onlyoffice" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
[[ template "common/vault.mkpgrole.sh" merge .oo.ds . ]]
|
|
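Review bot: The new file runs `set -euo pipefail` under `#!/bin/sh`; `pipefail` is not accepted by every `/bin/sh` (dash reports `set: Illegal option -o pipefail`, and since `set` is a special builtin a non-interactive shell typically exits right there, before anything else runs). Either declare the interpreter that supports it, `#!/bin/bash`, or keep `#!/bin/sh` and use `set -eu`. The deleted counterpart had the same header, so this is inherited rather than introduced, but the file is rewritten here anyway. The included `common/vault.mkpgrole.sh` template is not in this diff, so whether it depends on pipefail cannot be checked from here.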
@ -1,8 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
[[- template "common/vault.mkpgrole.sh"
|
|
||||||
dict "ctx" .
|
|
||||||
"config" (dict "role" .instance "database" "postgres")
|
|
||||||
]]
|
|
|
@ -2,17 +2,5 @@
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
# Initialize random passwords if needed
|
[[ template "common/vault.rand_secrets" merge .oo.ds . ]]
|
||||||
|
|
||||||
if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .instance ]]$'; then
|
|
||||||
vault kv put [[ .vault.prefix ]]kv/service/[[ .instance ]] \
|
|
||||||
jwt_token=$(pwgen -s -n 50 1) \
|
|
||||||
storage_secret=$(pwgen -s -n 50 1)
|
|
||||||
fi
|
|
||||||
|
|
||||||
for PWD in jwt_token storage_secret; do
|
|
||||||
if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .instance ]] >/dev/null 2>&1; then
|
|
||||||
vault kv patch [[ .vault.prefix ]]kv/service/[[ .instance ]] \
|
|
||||||
${PWD}=$(pwgen -s -n 50 1)
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
|
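Review bot: The comment `# Initialize random passwords if needed` was dropped together with the inline logic, leaving a bare `[[ template "common/vault.rand_secrets" merge .oo.ds . ]]` that tells the reader nothing about what the included template does or which variables it reads. Keep a one-line comment above it, e.g. `# Create the kv secret and generate any missing random fields listed under vault.rand_secrets`, since the field list lives in the variables file rather than next to this call. The exact key path the template reads from `.oo.ds` is not visible in this diff, so adjust the wording to match.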
@ -24,18 +24,19 @@ oo:
|
||||||
public_url: https://oods.example.org
|
public_url: https://oods.example.org
|
||||||
|
|
||||||
vault:
|
vault:
|
||||||
|
# Vault policies to attach to the task
|
||||||
policies:
|
policies:
|
||||||
- '[[ .instance ]][[ .consul.suffix ]]'
|
- '[[ .instance ]][[ .consul.suffix ]]'
|
||||||
|
# Random secrets to generate
|
||||||
postgres:
|
rand_secrets:
|
||||||
database: '[[ .instance ]]'
|
fields:
|
||||||
user: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
|
- jwt_token
|
||||||
password: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
|
- storage_secret
|
||||||
|
|
||||||
# Additional env vars to set in the container
|
# Additional env vars to set in the container
|
||||||
env:
|
env:
|
||||||
OO_STORAGE_SECRET: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.storage_secret }}{{ end }}'
|
OO_STORAGE_SECRET: '{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.storage_secret }}{{ end }}'
|
||||||
OO_JWT_TOKEN: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.jwt_token }}{{ end }}'
|
OO_JWT_TOKEN: '{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.jwt_token }}{{ end }}'
|
||||||
|
|
||||||
# Controls how the service will be exposed with Traefik
|
# Controls how the service will be exposed with Traefik
|
||||||
traefik:
|
traefik:
|
||||||
|
|
|
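Review bot: `rand_secrets.fields` lists the secret names but no kv path, while the `env:` entries below still spell out `[[ .vault.root ]]kv/service/[[ .instance ]]` for each field; the two must agree for `OO_STORAGE_SECRET` and `OO_JWT_TOKEN` to resolve, yet nothing in the file ties them together. Extend the `# Random secrets to generate` comment to say where they are written, e.g. `# Random secrets to generate in kv/service/<instance>; the env entries below must read from the same path`, or expose the path as one variable both use. The removed `postgres:` block (database, user, password) has no replacement in this hunk; if the database settings now come from another variable, a short comment pointing to it would help the next reader. I cannot see the rest of this file, so whether those settings moved elsewhere is inferred.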
@ -1,8 +1,8 @@
|
||||||
path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" {
|
path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|
||||||
path "[[ .vault.prefix ]]database/creds/[[ .instance ]]" {
|
path "[[ .vault.root ]]database/creds/[[ .instance ]]" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|