Move nomad var secrets to secrets.enc.json

This commit is contained in:
2025-05-18 23:44:24 +10:00
parent d2279028be
commit 3ab392b50b
6 changed files with 33 additions and 5 deletions


@@ -33,6 +33,15 @@ resource "nomad_job" "authelia" {
jobspec = file("authelia.nomad.hcl") jobspec = file("authelia.nomad.hcl")
} }
resource "nomad_variable" "authelia" {
path = "nomad/jobs/authelia"
items = {
session_secret = data.sops_file.secrets.data["authelia.session_secret"]
jwt_secret = data.sops_file.secrets.data["authelia.jwt_secret"]
encryption_key = data.sops_file.secrets.data["authelia.encryption_key"]
}
}
// Data // Data
resource "nomad_job" "csi-smb" { resource "nomad_job" "csi-smb" {
@@ -56,6 +65,13 @@ resource "nomad_job" "pgbackup" {
jobspec = file("pgbackup.nomad.hcl") jobspec = file("pgbackup.nomad.hcl")
} }
resource "nomad_variable" "postgres" {
path = "nomad/jobs/postgres"
items = {
postgres_password = data.sops_file.secrets.data["postgres.postgres"]
}
}
resource "nomad_csi_volume_registration" "unraid_database_dump" { resource "nomad_csi_volume_registration" "unraid_database_dump" {
#Note: Before chaning the definition of this volume you need to stop the jobs that are using it #Note: Before chaning the definition of this volume you need to stop the jobs that are using it
depends_on = [data.nomad_plugin.smb] depends_on = [data.nomad_plugin.smb]
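Review bot: The decrypted values fed into `items` on `nomad_variable.authelia` and `nomad_variable.postgres` are persisted in plaintext in the Terraform state, so the sops encryption protects only the repo copy; the README in this same commit mounts that state from the fileshare, which therefore now holds the Authelia session/JWT/encryption keys and the postgres password in the clear. The Nomad provider appears to mark `items` as sensitive, but that only redacts plan output, not state — restrict the state share to the host that runs `terraform apply` (or move to an encrypted remote backend) and treat anyone with read access to it as holding these secrets. Separately, the job resources that consume these variables declare no dependency on them, so on a fresh apply a job can be registered before its variable exists; adding `depends_on = [nomad_variable.authelia]` to `nomad_job.authelia` (and the equivalent for the postgres-consuming jobs) makes the ordering explicit. The `nomad_job` resource bodies for the consuming jobs start outside this hunk.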


@@ -86,7 +86,7 @@ EOF
template { template {
data = <<EOF data = <<EOF
localhost:5432:*:postgres:{{ with nomadVar "nomad/jobs/postgres" }}{{ .postgress_password }}{{ end }} localhost:5432:*:postgres:{{ with nomadVar "nomad/jobs/postgres" }}{{ .postgres_password }}{{ end }}
EOF EOF
destination = "secrets/.pgpass" destination = "secrets/.pgpass"
perms = "0400" perms = "0400"


@@ -45,7 +45,7 @@ job "pgbackup" {
template { template {
data = <<EOF data = <<EOF
localhost:5432:*:postgres:{{ with nomadVar "nomad/jobs/postgres" }}{{ .postgress_password }}{{ end }} localhost:5432:*:postgres:{{ with nomadVar "nomad/jobs/postgres" }}{{ .postgres_password }}{{ end }}
EOF EOF
destination = "/secrets/postgres_password" destination = "/secrets/postgres_password"
perms = "0400" perms = "0400"


@@ -42,7 +42,7 @@ job "postgres" {
# This securely sets the initial password for the postgres user, to change it later # This securely sets the initial password for the postgres user, to change it later
# you need to connect to the database and change it manually # you need to connect to the database and change it manually
data = <<EOF data = <<EOF
{{ with nomadVar "nomad/jobs/postgres" }}{{ .postgress_password }}{{ end }} {{ with nomadVar "nomad/jobs/postgres" }}{{ .postgres_password }}{{ end }}
EOF EOF
destination = "secrets/postgres_password" destination = "secrets/postgres_password"
} }
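Review bot: The `{{ with nomadVar "nomad/jobs/postgres" }}{{ .postgres_password }}{{ end }}` template on the changed line renders an empty string when the named key is absent, which is exactly how the misspelled `postgress_password` key went unnoticed — the comment above says this file seeds the initial postgres password, so it would have been written empty. Consider adding `error_on_missing_key = true` to this `template` block (and to the two `.pgpass` templates changed in this commit) so a missing key fails the task instead of silently producing an empty secret. Confirm separately how `with nomadVar` behaves when the variable path itself does not yet exist, since that case is governed by the Terraform ordering of the variable relative to the job rather than by this flag. The `template` block begins outside the hunk.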


@@ -8,3 +8,7 @@ Mount the state on the fileshare to 2-nomad-config/.tfstate/
The secrets file is encrypted using sops and will be automatically decrypted in the terraform provider. The secrets file is encrypted using sops and will be automatically decrypted in the terraform provider.
Put the age keys in /home/<user>/.config/sops/age/keys.txt Put the age keys in /home/<user>/.config/sops/age/keys.txt
## Adding Secrets
Edit the secrets using `sops secrets.enc.json`


@@ -2,6 +2,14 @@
"unraid": { "unraid": {
"nomad": "ENC[AES256_GCM,data:FCGEs+XCSuunLxVPyzE=,iv:j8Ey+l8iJiPY7CbE5IoT0ZgNklnv+4odSZkorJQ/nr8=,tag:7PoizENid+vgWC/eb5MOaQ==,type:str]" "nomad": "ENC[AES256_GCM,data:FCGEs+XCSuunLxVPyzE=,iv:j8Ey+l8iJiPY7CbE5IoT0ZgNklnv+4odSZkorJQ/nr8=,tag:7PoizENid+vgWC/eb5MOaQ==,type:str]"
}, },
"authelia": {
"session_secret": "ENC[AES256_GCM,data:gPVSGzU00EjuW/NDD9bpsc+4DQ==,iv:IRzSKqfv2Quaj1bzrFaK0glCKEPrle+uI8fq/1HFi60=,tag:loiTEpEBGBwQETRWpOffNg==,type:str]",
"jwt_secret": "ENC[AES256_GCM,data:7Q/0M5IY0vLsgCE0z78L,iv:f6GymDrq2/NlKJuMNnDDmG2GUAzhonNa8LXlr0x1elw=,tag:1ITT9WmD3UOP30AjYEkLJQ==,type:str]",
"encryption_key": "ENC[AES256_GCM,data:wT7aYD2DIu4VQa3GTmlkBFBvtoPvlgUF/fYJo9+wQhRcywY=,iv:29pIf46S9+OVWgSNyuwOaOXD2bWTmdcLzMLQ06VywZQ=,tag:n9JkIbHCB2xFfJ7MHcUKvg==,type:str]"
},
"postgres": {
"postgres": "ENC[AES256_GCM,data:lKuLcVTuUbfrlVhRdCs=,iv:TsbtAbXYTysxuiCi08F0hJsgoolzzgE2EPdFdPMQ+NQ=,tag:9oNua06hHdeCzE7nB22c0g==,type:str]"
},
"sops": { "sops": {
"age": [ "age": [
{ {
@@ -9,8 +17,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUWM4ZDVVbGFrUGdMRHBX\nUFBmU3Nlc0RBSzhFK0tHNHpkQXUvUVdiZUZJCmpRN1lFdENpWW0rcThjVlVQNUl6\nWnlLU0RnQ3FZby81Ly8xTFBrek9nMncKLS0tIFQ4UTRNOC9CRmx4OFJWem1wckZz\nUDFTSzdWZldFK3FqcTNWTWRyNDhHQ2MKS811mR5xn7qiC/aVgPFYJ5c6Q3zxRfcr\nHcvxUvB01vNJKZpRg92vvKPkV6lQO3DXCT98OdfwiymlEOvYxg71Pg==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUWM4ZDVVbGFrUGdMRHBX\nUFBmU3Nlc0RBSzhFK0tHNHpkQXUvUVdiZUZJCmpRN1lFdENpWW0rcThjVlVQNUl6\nWnlLU0RnQ3FZby81Ly8xTFBrek9nMncKLS0tIFQ4UTRNOC9CRmx4OFJWem1wckZz\nUDFTSzdWZldFK3FqcTNWTWRyNDhHQ2MKS811mR5xn7qiC/aVgPFYJ5c6Q3zxRfcr\nHcvxUvB01vNJKZpRg92vvKPkV6lQO3DXCT98OdfwiymlEOvYxg71Pg==\n-----END AGE ENCRYPTED FILE-----\n"
} }
], ],
"lastmodified": "2025-05-05T13:24:20Z", "lastmodified": "2025-05-18T13:38:16Z",
"mac": "ENC[AES256_GCM,data:MN1Ulrs7UvfR2/7F43cZbsme00SSOXBP11TEwELQ9y0NZ87EjNozn6WtUGRDShb2cD6p/jpQfPQqO4A7gJCtKsAAFMggIWEATxYCfMcJoD8evpxZcmNAv3b6GkNRT1u1WNecYAXJUqtR9+wKBRCYRcY3rIxpuCmvcMNEABaaxWs=,iv:2H0UxqAo4En0i+9NVGxqJZSB2vCyb8wuWRQ5h2637U0=,tag:iLTYCMCqZK8CiZczU69W+Q==,type:str]", "mac": "ENC[AES256_GCM,data:9rGE16ZuAOQZN/h+qYx/RHHAlU3BewKvBWQFIRqIRwPT5mKfu1mwzWSZPGU7EnLWIVvX+iPUltf7RkZOBPzE90w7kcXBTxsA+hKNZKTa2Bz4/95UKX2BBR/J6t6Leayb+W8hKwQ9QF+UTXh2GOwx4yIvQXVPDxr7D9Hwzz9yDYY=,iv:9tBdheTDN3XrRbL+V6K5HBvhuvLkZ7Vn/bGpBkh+hGg=,tag:gCd6TJAOf1+gITaKzxQA7Q==,type:str]",
"encrypted_regex": "^(.*)$", "encrypted_regex": "^(.*)$",
"version": "3.10.2" "version": "3.10.2"
} }
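Review bot: The sops `ENC[AES256_GCM,data:...]` ciphertext is the same length as the plaintext for `type:str`, so the new entries reveal their secret lengths: `authelia.jwt_secret` is 15 bytes, `authelia.session_secret` 19, `authelia.encryption_key` 35 and `postgres.postgres` 14 — short for values Authelia's documentation, as I recall it, asks to be long random strings (64+ characters for the JWT and session secrets), so regenerating them at full length before this is relied on is worth doing. The key name `postgres.postgres` is also ambiguous next to the `postgres_password` item it feeds in Terraform; naming it `postgres.postgres_password` would make the sops key, the Terraform lookup and the Nomad variable item agree and make a repeat of the misspelled-key bug fixed here less likely. Finally, if these values existed before this commit (set by hand with `nomad var put`, or committed anywhere in plaintext), moving them into the sops file does not retire the old copies; they should be rotated and any hand-created variables removed. I cannot see the history from here, so treat that last point as a check rather than a finding.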