Cleanup

example/init/onlyoffice-docserver-vault-database

@@ -2,7 +2,7 @@
 
 set -euo pipefail
 
-vault write database/roles/onlyoffice \
+vault write database/roles/postgres-onlyoffice \
     db_name="postgres" \
     creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
         GRANT \"onlyoffice\" TO \"{{name}}\"; \

example/onlyoffice-docserver.nomad.hcl

@@ -169,8 +169,8 @@ _EOT
 OO_DB_NAME='onlyoffice'
 OO_DB_HOST=127.0.0.1
 OO_DB_PORT=5432
-OO_DB_USER={{ with secret "database/creds/onlyoffice" }}{{ .Data.username }}{{ end }}
-OO_DB_PASS={{ with secret "database/creds/onlyoffice" }}{{ .Data.password }}{{ end }}
+OO_DB_USER={{ with secret "database/creds/postgres-onlyoffice" }}{{ .Data.username }}{{ end }}
+OO_DB_PASS={{ with secret "database/creds/postgres-onlyoffice" }}{{ .Data.password }}{{ end }}
 _EOT
         destination = "secrets/.db.env"
         uid         = 0

example/vault/policies/onlyoffice.hcl

@@ -2,7 +2,7 @@ path "kv/data/service/onlyoffice" {
   capabilities = ["read"]
 }
 
-path "database/creds/onlyoffice" {
+path "database/creds/postgres-onlyoffice" {
   capabilities = ["read"]
 }
 

variables.yml

@@ -25,11 +25,6 @@ oo:
     public_url: https://oods.example.org
 
     vault:
-      workload_identity:
-        role:
-          # Vault policies to attach to the task
-          token_policies:
-            - '[[ .instance ]][[ .consul.suffix ]]'
       # Random secrets to generate
       rand_secrets:
         fields:

vault/policies/onlyoffice.hcl

@@ -2,7 +2,7 @@ path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
   capabilities = ["read"]
 }
 
-path "[[ .vault.root ]]database/creds/[[ .instance ]]" {
+path "[[ .vault.root ]]database/creds/postgres-[[ .vault.database.role ]]" {
   capabilities = ["read"]
 }