From 3ab392b50b5bd818669b01305e13e64ed0bdab7c Mon Sep 17 00:00:00 2001
From: Adrian Cowan
Date: Sun, 18 May 2025 23:44:24 +1000
Subject: [PATCH] Move nomad var secrets to secrets.enc.json
---
 2-nomad-config/1-infra.tf | 16 ++++++++++++++++
 2-nomad-config/pgadmin.nomad.hcl | 2 +-
 2-nomad-config/pgbackup.nomad.hcl | 2 +-
 2-nomad-config/postgres.nomad.hcl | 2 +-
 2-nomad-config/readme.md | 4 ++++
 2-nomad-config/secrets.enc.json | 12 ++++++++++--
 6 files changed, 33 insertions(+), 5 deletions(-)
diff --git a/2-nomad-config/1-infra.tf b/2-nomad-config/1-infra.tf
index 3bf8818..d16696a 100644
--- a/2-nomad-config/1-infra.tf
+++ b/2-nomad-config/1-infra.tf
@@ -33,6 +33,15 @@ resource "nomad_job" "authelia" {
 jobspec = file("authelia.nomad.hcl")
 }

+resource "nomad_variable" "authelia" {
+ path = "nomad/jobs/authelia"
+ items = {
+ session_secret = data.sops_file.secrets.data["authelia.session_secret"]
+ jwt_secret = data.sops_file.secrets.data["authelia.jwt_secret"]
+ encryption_key = data.sops_file.secrets.data["authelia.encryption_key"]
+ }
+}
+
 // Data

 resource "nomad_job" "csi-smb" {
@@ -56,6 +65,13 @@ resource "nomad_job" "pgbackup" {
 jobspec = file("pgbackup.nomad.hcl")
 }

+resource "nomad_variable" "postgres" {
+ path = "nomad/jobs/postgres"
+ items = {
+ postgres_password = data.sops_file.secrets.data["postgres.postgres"]
+ }
+}
+
 resource "nomad_csi_volume_registration" "unraid_database_dump" {
 #Note: Before chaning the definition of this volume you need to stop the jobs that are using it
 depends_on = [data.nomad_plugin.smb]
diff --git a/2-nomad-config/pgadmin.nomad.hcl b/2-nomad-config/pgadmin.nomad.hcl
index c315154..7cb4854 100644
--- a/2-nomad-config/pgadmin.nomad.hcl
+++ b/2-nomad-config/pgadmin.nomad.hcl
@@ -86,7 +86,7 @@ EOF
 template {
 data = </.config/sops/age/keys.txt
+
+## Adding Secrets
+
+Edit the secrets using `sops secrets.enc.json`
diff --git a/2-nomad-config/secrets.enc.json b/2-nomad-config/secrets.enc.json
index c6e34ae..cff8584 100644
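Review bot: `nomad_job.authelia`, visible as the context line at the top of the first 1-infra.tf hunk, has no dependency on the new `nomad_variable.authelia`, so on a fresh apply Terraform may submit the job before `nomad/jobs/authelia` exists and a task template that reads the variable could sit waiting until it is written; the second hunk has the same gap for `nomad_variable.postgres` and whichever `nomad_job` loads postgres.nomad.hcl (that resource is outside the hunk). Adding `depends_on = [nomad_variable.authelia]` to `nomad_job.authelia` and the matching `depends_on = [nomad_variable.postgres]` to the postgres job orders the writes explicitly. Separately, the decrypted values flow from `data.sops_file.secrets.data` into `items`, and both land in the Terraform state file whatever sensitivity the providers declare, so the state backend needs the same access control as the age key; a one-line comment above each `nomad_variable` saying so, e.g. `# Plaintext of these items is persisted in Terraform state; keep the state backend as restricted as the age key.`, would keep that visible to the next maintainer.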
--- a/2-nomad-config/secrets.enc.json
+++ b/2-nomad-config/secrets.enc.json
@@ -2,6 +2,14 @@
 "unraid": {
 "nomad": "ENC[AES256_GCM,data:FCGEs+XCSuunLxVPyzE=,iv:j8Ey+l8iJiPY7CbE5IoT0ZgNklnv+4odSZkorJQ/nr8=,tag:7PoizENid+vgWC/eb5MOaQ==,type:str]"
 },
+ "authelia": {
+ "session_secret": "ENC[AES256_GCM,data:gPVSGzU00EjuW/NDD9bpsc+4DQ==,iv:IRzSKqfv2Quaj1bzrFaK0glCKEPrle+uI8fq/1HFi60=,tag:loiTEpEBGBwQETRWpOffNg==,type:str]",
+ "jwt_secret": "ENC[AES256_GCM,data:7Q/0M5IY0vLsgCE0z78L,iv:f6GymDrq2/NlKJuMNnDDmG2GUAzhonNa8LXlr0x1elw=,tag:1ITT9WmD3UOP30AjYEkLJQ==,type:str]",
+ "encryption_key": "ENC[AES256_GCM,data:wT7aYD2DIu4VQa3GTmlkBFBvtoPvlgUF/fYJo9+wQhRcywY=,iv:29pIf46S9+OVWgSNyuwOaOXD2bWTmdcLzMLQ06VywZQ=,tag:n9JkIbHCB2xFfJ7MHcUKvg==,type:str]"
+ },
+ "postgres": {
+ "postgres": "ENC[AES256_GCM,data:lKuLcVTuUbfrlVhRdCs=,iv:TsbtAbXYTysxuiCi08F0hJsgoolzzgE2EPdFdPMQ+NQ=,tag:9oNua06hHdeCzE7nB22c0g==,type:str]"
+ },
 "sops": {
 "age": [
 {
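Review bot: The added `"postgres": { "postgres": ... }` entry names the value after its section rather than after what it holds, while 1-infra.tf maps that same value to `postgres_password`; the authelia block added just above already uses descriptive keys (`session_secret`, `jwt_secret`, `encryption_key`). Naming the key `"password"` and reading `data.sops_file.secrets.data["postgres.password"]` on the Terraform side would make the two files agree without a mental translation. Since the file is sops-encrypted, the rename has to go through `sops secrets.enc.json` (as the readme hunk in this patch says) so the `mac` is regenerated rather than edited by hand.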
@@ -9,8 +17,8 @@
 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUWM4ZDVVbGFrUGdMRHBX\nUFBmU3Nlc0RBSzhFK0tHNHpkQXUvUVdiZUZJCmpRN1lFdENpWW0rcThjVlVQNUl6\nWnlLU0RnQ3FZby81Ly8xTFBrek9nMncKLS0tIFQ4UTRNOC9CRmx4OFJWem1wckZz\nUDFTSzdWZldFK3FqcTNWTWRyNDhHQ2MKS811mR5xn7qiC/aVgPFYJ5c6Q3zxRfcr\nHcvxUvB01vNJKZpRg92vvKPkV6lQO3DXCT98OdfwiymlEOvYxg71Pg==\n-----END AGE ENCRYPTED FILE-----\n"
 }
 ],
- "lastmodified": "2025-05-05T13:24:20Z",
- "mac": "ENC[AES256_GCM,data:MN1Ulrs7UvfR2/7F43cZbsme00SSOXBP11TEwELQ9y0NZ87EjNozn6WtUGRDShb2cD6p/jpQfPQqO4A7gJCtKsAAFMggIWEATxYCfMcJoD8evpxZcmNAv3b6GkNRT1u1WNecYAXJUqtR9+wKBRCYRcY3rIxpuCmvcMNEABaaxWs=,iv:2H0UxqAo4En0i+9NVGxqJZSB2vCyb8wuWRQ5h2637U0=,tag:iLTYCMCqZK8CiZczU69W+Q==,type:str]",
+ "lastmodified": "2025-05-18T13:38:16Z",
+ "mac": "ENC[AES256_GCM,data:9rGE16ZuAOQZN/h+qYx/RHHAlU3BewKvBWQFIRqIRwPT5mKfu1mwzWSZPGU7EnLWIVvX+iPUltf7RkZOBPzE90w7kcXBTxsA+hKNZKTa2Bz4/95UKX2BBR/J6t6Leayb+W8hKwQ9QF+UTXh2GOwx4yIvQXVPDxr7D9Hwzz9yDYY=,iv:9tBdheTDN3XrRbL+V6K5HBvhuvLkZ7Vn/bGpBkh+hGg=,tag:gCd6TJAOf1+gITaKzxQA7Q==,type:str]",
 "encrypted_regex": "^(.*)$",
 "version": "3.10.2"
 }