Compare commits
2 Commits
b1dd15548e
...
5f8a25a2a7
Author | SHA1 | Date |
---|---|---|
Daniel Berteaud | 5f8a25a2a7 | |
Daniel Berteaud | 014b6db6c1 |
|
@ -34,7 +34,7 @@ RUN set -euxo pipefail &&\
|
|||
mv web-vault / &&\
|
||||
chown -R root:root /web-vault
|
||||
|
||||
FROM danielberteaud/alpine:24.2-1
|
||||
FROM danielberteaud/alpine:24.3-1
|
||||
MAINTAINER Daniel Berteaud <dbd@ehtrace.com>
|
||||
|
||||
ENV ROCKET_PROFILE=release \
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
set -euo pipefail
|
||||
|
||||
vault write /database/roles/vaultwarden \
|
||||
vault write database/roles/vaultwarden \
|
||||
db_name="postgres" \
|
||||
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
|
||||
GRANT \"vaultwarden\" TO \"{{name}}\"; \
|
||||
|
|
|
@ -5,7 +5,7 @@ set -euo pipefail
|
|||
# vim: syntax=sh
|
||||
|
||||
export LC_ALL=C
|
||||
VAULT_KV_PATH=/kv/service/vaultwarden
|
||||
VAULT_KV_PATH=kv/service/vaultwarden
|
||||
RAND_CMD="tr -dc A-Za-z0-9\-_\/=~\.+ < /dev/urandom | head -c 50"
|
||||
if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
|
||||
vault kv put ${VAULT_KV_PATH} \
|
|
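Review bot: The existence check `if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then` cannot tell "the secret is not listed" apart from "vault kv list failed": under `set -o pipefail` a transient failure (expired token, missing list capability, network error) makes the pipeline non-zero, the `!` turns that into true, and the script proceeds to `vault kv put ${VAULT_KV_PATH}`, overwriting the existing secret with freshly generated values while the `2>/dev/null` hides why. Capture the listing first and only treat Vault's "no value found" response as an empty list, e.g. `existing=$(vault kv list "$(dirname "${VAULT_KV_PATH}")" 2>&1) || [[ "$existing" == *"No value found"* ]] || exit 1` followed by `if ! grep -q -x -- "$(basename "${VAULT_KV_PATH}")" <<<"$existing"; then`; the exact message text should be confirmed against the Vault version in use. The `if` body continues outside the hunk.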
@ -1,7 +1,7 @@
|
|||
path "/kv/data/service/vaultwarden" {
|
||||
path "kv/data/service/vaultwarden" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
path "/database/creds/vaultwarden" {
|
||||
path "database/creds/vaultwarden" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
|
|
@ -5,6 +5,8 @@ job "vaultwarden" {
|
|||
region = "global"
|
||||
|
||||
|
||||
|
||||
|
||||
group "vaultwarden" {
|
||||
count = 1
|
||||
|
||||
|
@ -104,7 +106,7 @@ job "vaultwarden" {
|
|||
user = 1053
|
||||
|
||||
config {
|
||||
image = "danielberteaud/wait-for:24.2-1"
|
||||
image = "danielberteaud/wait-for:24.3-1"
|
||||
readonly_rootfs = true
|
||||
pids_limit = 20
|
||||
}
|
||||
|
@ -147,6 +149,8 @@ job "vaultwarden" {
|
|||
}
|
||||
|
||||
|
||||
|
||||
|
||||
env {
|
||||
ROCKET_ADDRESS = "127.0.0.1"
|
||||
ROCKET_PORT = 8234
|
||||
|
@ -157,13 +161,15 @@ job "vaultwarden" {
|
|||
|
||||
template {
|
||||
data = <<_EOT
|
||||
DATABASE_URL=postgresql://{{ with secret "/database/creds/vaultwarden" }}{{ .Data.username }}{{ end }}:{{ with secret "/database/creds/vaultwarden" }}{{ urlquery .Data.password }}{{ end }}@127.0.0.1:5432/vaultwarden]
|
||||
DATABASE_URL=postgresql://{{ with secret "database/creds/vaultwarden" }}{{ .Data.username }}{{ end }}:{{ with secret "database/creds/vaultwarden" }}{{ urlquery .Data.password }}{{ end }}@127.0.0.1:5432/vaultwarden]
|
||||
_EOT
|
||||
destination = "secrets/.db.env"
|
||||
perms = 400
|
||||
env = true
|
||||
}
|
||||
|
||||
|
||||
|
||||
# Use a template block instead of env {} so we can fetch values from vault
|
||||
template {
|
||||
data = <<_EOT
|
||||
|
|
|
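Review bot: The new `DATABASE_URL` line still ends with a stray `]` after `/vaultwarden`, so unless this is a rendering artifact of the page the database name handed to vaultwarden becomes `vaultwarden]` and the connection will fail; the line should end `@127.0.0.1:5432/vaultwarden`. Secondarily, the password is passed through `urlquery` but the username is not; the generated usernames are presumably URL-safe, but `{{ urlquery .Data.username }}` keeps the two fields consistent at no cost. The `template` block is complete within the hunk.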
@ -52,6 +52,7 @@ job "[[ .instance ]]" {
|
|||
}
|
||||
|
||||
[[ template "common/vault.policies" $c ]]
|
||||
[[ template "common/artifacts" $c ]]
|
||||
|
||||
env {
|
||||
ROCKET_ADDRESS = "127.0.0.1"
|
||||
|
|