diff --git a/example/init/vault-database b/example/init/vault-database
index c21bae4..efa564f 100755
--- a/example/init/vault-database
+++ b/example/init/vault-database
@@ -2,7 +2,7 @@
 set -euo pipefail
-vault write database/roles/paperless \
+vault write /database/roles/paperless \
 db_name="postgres" \
 creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
 GRANT \"paperless\" TO \"{{name}}\"; \
diff --git a/example/paperless-ngx.nomad.hcl b/example/paperless-ngx.nomad.hcl
index 2feff71..a4a3f78 100644
--- a/example/paperless-ngx.nomad.hcl
+++ b/example/paperless-ngx.nomad.hcl
@@ -61,10 +61,10 @@ job "paperless" {
 tags = [
 "traefik.enable=true",
- "traefik.http.routers.paperless.rule=Host(`paperless.example.org`)",
 "traefik.http.routers.paperless.entrypoints=https",
- "traefik.http.middlewares.paperless-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
- "traefik.http.routers.paperless.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,paperless-csp",
+ "traefik.http.routers.paperless.rule=Host(`paperless.example.org`)",
+ "traefik.http.middlewares.csp-paperless.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
+ "traefik.http.routers.paperless.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-paperless",
 ]
 }
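Review bot: The re-added `csp-paperless` middleware keeps `script-src 'self' 'unsafe-inline' 'unsafe-eval'`, which gives up most of what a CSP provides against injected script, and nothing on the tag records why the Paperless frontend needs both. If the application really requires them, a comment beside the tag such as `# paperless-ngx frontend needs unsafe-inline/unsafe-eval in script-src; re-check on upgrade` keeps the next maintainer from tightening it blindly; if this example is rendered from the job template, the comment belongs there. Independently of that, directives the frontend does not depend on can be appended to the same value — `object-src 'none';base-uri 'self';frame-ancestors 'self';` — so the policy still restricts plugins, base-tag rewriting and framing. The rename from `paperless-csp` to `csp-paperless` is applied consistently in the middleware definition and the router's middleware list.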
@@ -166,7 +166,7 @@ PAPERLESS_CONVERT_TMPDIR=/alloc/data
 PAPERLESS_CORS_ALLOWED_HOSTS=https://paperless.example.org
 PAPERLESS_ENABLE_COMPRESSION=false
 PAPERLESS_PROXY_SSL_HEADER='["HTTP_X_FORWARDED_PROTO", "https"]'
-PAPERLESS_SECRET_KEY={{ with secret "kv/service/paperless" }}{{ .Data.data.secret_key }}{{ end }}
+PAPERLESS_SECRET_KEY={{ with secret "/kv/service/paperless" }}{{ .Data.data.secret_key }}{{ end }}
 PAPERLESS_TRUSTED_PROXIES=127.0.0.1
 PAPERLESS_URL=https://paperless.example.org
 PAPERLESS_USE_X_FORWARD_HOST=true
@@ -182,8 +182,8 @@ _EOT
 data = <<_EOT
 PAPERLESS_DBHOST=127.0.0.1
 PAPERLESS_DBPORT=5432
-PAPERLESS_DBUSER={{ with secret "database/creds/paperless" }}{{ .Data.username }}{{ end }}
-PAPERLESS_DBPASS={{ with secret "database/creds/paperless" }}{{ .Data.password }}{{ end }}
+PAPERLESS_DBUSER={{ with secret "/database/creds/paperless" }}{{ .Data.username }}{{ end }}
+PAPERLESS_DBPASS={{ with secret "/database/creds/paperless" }}{{ .Data.password }}{{ end }}
 _EOT
 destination = "secrets/.db.env"
 perms = 400
@@ -243,7 +243,7 @@ PAPERLESS_CONVERT_TMPDIR=/alloc/data
 PAPERLESS_CORS_ALLOWED_HOSTS=https://paperless.example.org
 PAPERLESS_ENABLE_COMPRESSION=false
 PAPERLESS_PROXY_SSL_HEADER='["HTTP_X_FORWARDED_PROTO", "https"]'
-PAPERLESS_SECRET_KEY={{ with secret "kv/service/paperless" }}{{ .Data.data.secret_key }}{{ end }}
+PAPERLESS_SECRET_KEY={{ with secret "/kv/service/paperless" }}{{ .Data.data.secret_key }}{{ end }}
 PAPERLESS_TRUSTED_PROXIES=127.0.0.1
 PAPERLESS_URL=https://paperless.example.org
 PAPERLESS_USE_X_FORWARD_HOST=true
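Review bot: Every `secret "..."` path in this hunk and in the ones at 182, 243, 259, 322, 338, 401 and 417 gains a leading `/`, and nothing in the job explains the new convention. As far as I can tell consul-template, which Nomad's `template` block uses, trims leading slashes from `secret` paths, and Vault strips a leading `/` from policy paths when a policy is loaded, so the rendered values and the ACL matches should be unchanged — but this example is what readers copy from, so a short HCL comment above the first `template` block, `# Vault paths are written with the mount's leading /; consul-template tolerates it`, plus one `nomad job plan` of the example to confirm the rendering, would make the change safe to rely on. Separately, `PAPERLESS_DBUSER` and `PAPERLESS_DBPASS` each call `secret "/database/creds/paperless"`; as I understand it consul-template deduplicates identical dependencies within a template so both fields come from the same lease, and a comment stating that assumption would help whoever next touches this block.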
@@ -259,8 +259,8 @@ _EOT
 data = <<_EOT
 PAPERLESS_DBHOST=127.0.0.1
 PAPERLESS_DBPORT=5432
-PAPERLESS_DBUSER={{ with secret "database/creds/paperless" }}{{ .Data.username }}{{ end }}
-PAPERLESS_DBPASS={{ with secret "database/creds/paperless" }}{{ .Data.password }}{{ end }}
+PAPERLESS_DBUSER={{ with secret "/database/creds/paperless" }}{{ .Data.username }}{{ end }}
+PAPERLESS_DBPASS={{ with secret "/database/creds/paperless" }}{{ .Data.password }}{{ end }}
 _EOT
 destination = "secrets/.db.env"
 perms = 400
@@ -322,7 +322,7 @@ PAPERLESS_CONVERT_TMPDIR=/alloc/data
 PAPERLESS_CORS_ALLOWED_HOSTS=https://paperless.example.org
 PAPERLESS_ENABLE_COMPRESSION=false
 PAPERLESS_PROXY_SSL_HEADER='["HTTP_X_FORWARDED_PROTO", "https"]'
-PAPERLESS_SECRET_KEY={{ with secret "kv/service/paperless" }}{{ .Data.data.secret_key }}{{ end }}
+PAPERLESS_SECRET_KEY={{ with secret "/kv/service/paperless" }}{{ .Data.data.secret_key }}{{ end }}
 PAPERLESS_TRUSTED_PROXIES=127.0.0.1
 PAPERLESS_URL=https://paperless.example.org
 PAPERLESS_USE_X_FORWARD_HOST=true
@@ -338,8 +338,8 @@ _EOT
 data = <<_EOT
 PAPERLESS_DBHOST=127.0.0.1
 PAPERLESS_DBPORT=5432
-PAPERLESS_DBUSER={{ with secret "database/creds/paperless" }}{{ .Data.username }}{{ end }}
-PAPERLESS_DBPASS={{ with secret "database/creds/paperless" }}{{ .Data.password }}{{ end }}
+PAPERLESS_DBUSER={{ with secret "/database/creds/paperless" }}{{ .Data.username }}{{ end }}
+PAPERLESS_DBPASS={{ with secret "/database/creds/paperless" }}{{ .Data.password }}{{ end }}
 _EOT
 destination = "secrets/.db.env"
 perms = 400
@@ -401,7 +401,7 @@ PAPERLESS_CONVERT_TMPDIR=/alloc/data
 PAPERLESS_CORS_ALLOWED_HOSTS=https://paperless.example.org
 PAPERLESS_ENABLE_COMPRESSION=false
 PAPERLESS_PROXY_SSL_HEADER='["HTTP_X_FORWARDED_PROTO", "https"]'
-PAPERLESS_SECRET_KEY={{ with secret "kv/service/paperless" }}{{ .Data.data.secret_key }}{{ end }}
+PAPERLESS_SECRET_KEY={{ with secret "/kv/service/paperless" }}{{ .Data.data.secret_key }}{{ end }}
 PAPERLESS_TRUSTED_PROXIES=127.0.0.1
 PAPERLESS_URL=https://paperless.example.org
 PAPERLESS_USE_X_FORWARD_HOST=true
@@ -417,8 +417,8 @@ _EOT
 data = <<_EOT
 PAPERLESS_DBHOST=127.0.0.1
 PAPERLESS_DBPORT=5432
-PAPERLESS_DBUSER={{ with secret "database/creds/paperless" }}{{ .Data.username }}{{ end }}
-PAPERLESS_DBPASS={{ with secret "database/creds/paperless" }}{{ .Data.password }}{{ end }}
+PAPERLESS_DBUSER={{ with secret "/database/creds/paperless" }}{{ .Data.username }}{{ end }}
+PAPERLESS_DBPASS={{ with secret "/database/creds/paperless" }}{{ .Data.password }}{{ end }}
 _EOT
 destination = "secrets/.db.env"
 perms = 400
diff --git a/example/prep.d/10-mv-conf.sh b/example/prep.d/10-mv-conf.sh
deleted file mode 100755
index bc71788..0000000
--- a/example/prep.d/10-mv-conf.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/sh
-
-set -eu
-
-
-
-if [ "paperless" != "paperless" ]; then
- for DIR in vault consul nomad; do
- if [ -d output/${DIR} ]; then
- for FILE in $(find output/${DIR} -name "*paperless*.hcl" -type f); do
- NEW_FILE=$(echo "${FILE}" | sed -E "s/paperless/paperless/g")
- mv "${FILE}" "${NEW_FILE}"
- done
- fi
- done
-fi
-
-
-
diff --git a/example/prep.d/10-rand-pwd.sh b/example/prep.d/10-rand-pwd.sh
index a737cdc..9715c6b 100755
--- a/example/prep.d/10-rand-pwd.sh
+++ b/example/prep.d/10-rand-pwd.sh
@@ -2,16 +2,21 @@
 set -euo pipefail
-# Initialize random passwords if needed
+# vim: syntax=sh
+
+export LC_ALL=C
+VAULT_KV_PATH=/kv/service/paperless
+RAND_CMD="tr -dc A-Za-z0-9\-_\/=~\.+ < /dev/urandom | head -c 50"
+if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
+ vault kv put ${VAULT_KV_PATH} \
+ secret_key="$(sh -c "${RAND_CMD}")" \
-if ! vault kv list kv/service 2>/dev/null | grep -q -E '^paperless$'; then
- vault kv put kv/service/paperless \
- secret_key=$(pwgen -s -n 50 1)
 fi
-
-for PWD in secret_key; do
- if ! vault kv get -field ${PWD} kv/service/paperless >/dev/null 2>&1; then
- vault kv patch kv/service/paperless \
- ${PWD}=$(pwgen -s -n 50 1)
+for SECRET in secret_key; do
+ if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then
+ vault kv patch ${VAULT_KV_PATH} \
+ ${SECRET}=$(sh -c "${RAND_CMD}")
 fi
 done
+
+
diff --git a/example/vault/policies/paperless.hcl b/example/vault/policies/paperless.hcl
index 83953ee..97a77cd 100644
--- a/example/vault/policies/paperless.hcl
+++ b/example/vault/policies/paperless.hcl
@@ -1,7 +1,7 @@
-path "kv/data/service/paperless" {
+path "/kv/data/service/paperless" {
 capabilities = ["read"]
 }
-path "database/creds/paperless" {
+path "/database/creds/paperless" {
 capabilities = ["read"]
 }
diff --git a/init/vault-database b/init/vault-database
index a44f309..5d1ada6 100755
--- a/init/vault-database
+++ b/init/vault-database
@@ -2,7 +2,4 @@
 set -euo pipefail
-[[- template "common/vault.mkpgrole.sh"
- dict "ctx" .
- "config" (dict "role" .instance "database" "postgres")
-]]
+[[ template "common/vault.mkpgrole.sh" merge .paperless . ]]
diff --git a/prep.d/10-mv-conf.sh b/prep.d/10-mv-conf.sh
deleted file mode 100755
index 9bdf5c5..0000000
--- a/prep.d/10-mv-conf.sh
+++ /dev/null
@@ -1 +0,0 @@
-[[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "paperless" .instance) ]]
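Review bot: The added `secret_key="$(sh -c "${RAND_CMD}")" \` line ends with a continuation backslash although it is the last argument of the `vault kv put` call; in this rendering the next new-side line is the context `fi`, so the script only parses if a blank line that did not survive the collapse absorbs the continuation, and removing that blank line would turn `fi` into an argument and leave the `if` unterminated. Drop the backslash: `secret_key="$(sh -c "${RAND_CMD}")"`. Further down, the `vault kv patch` argument is written `${SECRET}=$(sh -c "${RAND_CMD}")` without quotes, unlike the `put` form; the unquoted substitution is subject to word splitting and globbing, which happens to be harmless because the `tr` alphabet contains no whitespace or glob characters, but that is one alphabet edit away from breaking, so quote it as `${SECRET}="$(sh -c "${RAND_CMD}")"`. A two-line comment above `RAND_CMD` stating that the alphabet must stay free of whitespace and glob characters, and that `LC_ALL=C` is exported so `tr`'s byte ranges are locale-independent, would record both constraints.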
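Review bot: `merge .paperless .` hands the shared template a context it did not receive before (the old call passed an explicit `dict "ctx" . "config" (...)`), and if `merge` here is Sprig's, it mutates its first argument in place, so `.paperless` carries every top-level key of `.` for the rest of this rendering; the same form is introduced in prep.d/10-rand-pwd.sh below. That is harmless when each file is rendered with a fresh context, but worth confirming with the engine; a non-mutating equivalent is `[[ template "common/vault.mkpgrole.sh" merge (dict) .paperless . ]]`. The shared template is not in this diff, so which keys of `.paperless` it now reads for the role and database name cannot be reviewed here — a one-line comment above the call naming them would close that gap.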
diff --git a/prep.d/10-rand-pwd.sh b/prep.d/10-rand-pwd.sh
index eccbfbb..36cb5ea 100755
--- a/prep.d/10-rand-pwd.sh
+++ b/prep.d/10-rand-pwd.sh
@@ -2,16 +2,4 @@
 set -euo pipefail
-# Initialize random passwords if needed
-
-if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .instance ]]$'; then
- vault kv put [[ .vault.prefix ]]kv/service/[[ .instance ]] \
- secret_key=$(pwgen -s -n 50 1)
-fi
-
-for PWD in secret_key; do
- if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .instance ]] >/dev/null 2>&1; then
- vault kv patch [[ .vault.prefix ]]kv/service/[[ .instance ]] \
- ${PWD}=$(pwgen -s -n 50 1)
- fi
-done
+[[ template "common/vault.rand_secrets" merge .paperless . ]]
diff --git a/variables.yml b/variables.yml
index 3fa0aa1..9663c1d 100644
--- a/variables.yml
+++ b/variables.yml
@@ -15,23 +15,19 @@ paperless:
 - destination_name: postgres[[ .consul.suffix ]]
 local_bind_port: 5432
- # Vault policies to add to the containers
 vault:
+ # Vault policies to add to the containers
 policies:
 - '[[ .instance ]][[ .consul.suffix ]]'
-
- # Parameters for the postgres database
- postgres:
- host: 127.0.0.1
- port: 5432
- database: '[[ .instance ]]'
- user: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
- password: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
+ # Random secrets to generate and store in vault KV
+ rand_secrets:
+ fields:
+ - secret_key
 # Env var to set in the containers
 # The ones here will be inherited by all containers
 env:
- PAPERLESS_SECRET_KEY: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.secret_key }}{{ end }}'
+ PAPERLESS_SECRET_KEY: '{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.secret_key }}{{ end }}'
 PAPERLESS_CORS_ALLOWED_HOSTS: '[[ .paperless.webserver.public_url ]]'
 PAPERLESS_URL: '[[ .paperless.webserver.public_url ]]'
 PAPERLESS_CONVERT_TMPDIR: /alloc/data
diff --git a/vault/policies/paperless.hcl b/vault/policies/paperless.hcl
index 4ec71e1..4b45679 100644
--- a/vault/policies/paperless.hcl
+++ b/vault/policies/paperless.hcl
@@ -1,7 +1,7 @@
-path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" {
+path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
 capabilities = ["read"]
 }
-path "[[ .vault.prefix ]]database/creds/[[ .instance ]]" {
+path "[[ .vault.root ]]database/creds/[[ .instance ]]" {
 capabilities = ["read"]
 }
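Review bot: The new `rand_secrets.fields` stanza says what to generate but not where the value lands or who consumes it; since `PAPERLESS_SECRET_KEY` below reads `[[ .vault.root ]]kv/service/[[ .instance ]]`, a comment on the stanza such as `# Generated by prep.d/10-rand-pwd.sh and stored at [[ .vault.root ]]kv/service/[[ .instance ]]` would tie the two together (the exact path is decided by the shared `common/vault.rand_secrets` template, which is not in this diff, so confirm it first). The switch from `.vault.prefix` to `.vault.root` here and in vault/policies/paperless.hcl means every deployment's variables must now define `vault.root`; if the engine does not fail on a missing key, an unset value renders as an empty or `<no value>` prefix and every Vault read is silently denied, so either document it as required or give it a default, e.g. `[[ .vault.root | default "/" ]]`, if `default` is available. The removed `postgres:` block carried the `database/creds` lookups that the Nomad job still renders, so presumably the shared template now supplies them — worth stating in the commit description.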