From e59274311259e4a26e106589ae7520e67a4d5e51 Mon Sep 17 00:00:00 2001
From: Rafael Oliveira
Date: Sat, 21 Sep 2024 17:23:25 +0200
Subject: [PATCH] add vaultwarden job on new host artemis
---
 .github/workflows/tofu-apply.yml | 3 +-
 .github/workflows/tofu-plan.yml | 3 +-
 aws-ses.tf | 15 ++++++++
 hosts.tf | 1 +
 hosts/artemis.nix | 22 +++++++++++
 jobs/vaultwarden.nomad.hcl | 66 ++++++++++++++++++++++++++++++++
 modules/addresses.nix | 1 +
 nomad.tf | 24 ++++++++++++
 profiles/traefik.nix | 1 +
 9 files changed, 134 insertions(+), 2 deletions(-)
 create mode 100644 hosts/artemis.nix
 create mode 100644 jobs/vaultwarden.nomad.hcl
diff --git a/.github/workflows/tofu-apply.yml b/.github/workflows/tofu-apply.yml
index 8129360..80fc8a1 100644
--- a/.github/workflows/tofu-apply.yml
+++ b/.github/workflows/tofu-apply.yml
@@ -49,6 +49,7 @@ jobs:
 with:
 label: dsekt-infra
 variables: |
+ ssh_user = "${{ vars.TF_SSH_USER }}"
 hcloud_token = "${{ secrets.TF_HCLOUD_TOKEN }}"
 cloudflare_api_token = "${{ secrets.TF_CLOUDFLARE_TOKEN }}"
- ssh_user = "${{ vars.TF_SSH_USER }}"
+ vault_db_password = "${{ secrets.TF_VAULT_DB_PASSWORD }}"
diff --git a/.github/workflows/tofu-plan.yml b/.github/workflows/tofu-plan.yml
index 375a70d..05c8f57 100644
--- a/.github/workflows/tofu-plan.yml
+++ b/.github/workflows/tofu-plan.yml
@@ -42,6 +42,7 @@ jobs:
 with:
 label: dsekt-infra
 variables: |
+ ssh_user = "${{ vars.TF_SSH_USER }}"
 hcloud_token = "${{ secrets.TF_HCLOUD_TOKEN }}"
 cloudflare_api_token = "${{ secrets.TF_CLOUDFLARE_TOKEN }}"
- ssh_user = "${{ vars.TF_SSH_USER }}"
+ vault_db_password = "${{ secrets.TF_VAULT_DB_PASSWORD }}"
diff --git a/aws-ses.tf b/aws-ses.tf
index c424765..0f79de0 100644
--- a/aws-ses.tf
+++ b/aws-ses.tf
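Review bot: `vault_db_password` is now passed to the plan workflow as a Terraform input, and any resource attribute derived from it will appear in clear in the plan text unless the matching `variable "vault_db_password"` block (not visible in this chunk) is declared `sensitive = true`; the same point applies to the tofu-apply.yml hunk, where the apply log is affected. Also, `ssh_user` is moved above `hcloud_token` in both files with no functional effect, which turns a one-line addition into a three-line change; appending only `vault_db_password = "${{ secrets.TF_VAULT_DB_PASSWORD }}"` after the existing entries would keep the history cleaner. If tofu-plan.yml is triggered by pull requests, it is worth confirming that the trigger cannot be reached from branches that should not have the secret in scope.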
@@ -68,3 +68,18 @@ resource "aws_iam_user_policy_attachment" "mattermost_smtp" {
 user = aws_iam_user.mattermost_smtp.name
 policy_arn = aws_iam_policy.send_email.arn
 }
+
+# Vaultwarden
+
+resource "aws_iam_user" "vaultwarden_smtp" {
+ name = "vaultwarden_smtp"
+}
+
+resource "aws_iam_access_key" "vaultwarden_smtp" {
+ user = aws_iam_user.vaultwarden_smtp.name
+}
+
+resource "aws_iam_user_policy_attachment" "vaultwarden_smtp" {
+ user = aws_iam_user.vaultwarden_smtp.name
+ policy_arn = aws_iam_policy.send_email.arn
+}
diff --git a/hosts.tf b/hosts.tf
index a636b8a..2c95db7 100644
--- a/hosts.tf
+++ b/hosts.tf
@@ -5,6 +5,7 @@ locals {
 poseidon = { role = "server", private_ip_addr = "10.83.0.3", server_type = "cx22" }
 hades = { role = "server", private_ip_addr = "10.83.0.4", server_type = "cx22" }
 ares = { role = "client", private_ip_addr = "10.83.0.5", server_type = "cx21" }
+ artemis = { role = "client", private_ip_addr = "10.83.0.6", server_type = "cx22" }
 }
 }
diff --git a/hosts/artemis.nix b/hosts/artemis.nix
new file mode 100644
index 0000000..1c0571f
--- /dev/null
+++ b/hosts/artemis.nix
@@ -0,0 +1,22 @@
+{ profiles, ... }:
+{
+ imports = with profiles; [
+ hetzner-cloud
+ base
+ nomad.client
+ ];
+
+ services.nomad.settings.client.host_volume = {
+ "vault/data" = {
+ path = "/var/lib/nomad-volumes/vault/data";
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /var/lib/nomad-volumes 0500 0 0"
+ "d /var/lib/nomad-volumes/vault/data 0700 0 0" # vaultwarden runs as root
+ ];
+
+ # Change this if you want to lose all data on this machine!
+ system.stateVersion = "24.05";
+}
diff --git a/jobs/vaultwarden.nomad.hcl b/jobs/vaultwarden.nomad.hcl
new file mode 100644
index 0000000..baec2d9
--- /dev/null
+++ b/jobs/vaultwarden.nomad.hcl
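Review bot: `aws_iam_access_key.vaultwarden_smtp` sets no `pgp_key`, so the generated secret key is written to the Terraform state in clear, exactly as the existing `mattermost_smtp` key is; that is consistent, but the state now holds credentials for a second SES sender, so the state backend's encryption and access control are worth confirming. The three resources are a verbatim copy of the Mattermost block with the name swapped; a `for_each` over `toset(["mattermost_smtp", "vaultwarden_smtp"])` on each of the three resource types would make the next sender a one-line change, at the cost of a state move for the existing resources. A comment on the new block naming its consumer, e.g. `# SES sender credentials for the vaultwarden Nomad job`, would help, since the place the key is read (presumably nomad.tf) is outside this chunk.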
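Review bot: The `vault/data` host volume makes `/var/lib/nomad-volumes/vault/data` on artemis the only copy of whatever the vault job persists, and nothing in this hunk or the diffstat mentions a backup or what the directory has to survive; a comment on the `host_volume` entry stating that, e.g. `# Sole copy of the vault job's data dir; backup arrangement: <TODO>`, would save the next operator a guess. The tmpfiles rule creates the directory `0700 0 0` with the note that vaultwarden runs as root, which fits the `0500 0 0` parent; if the container is ever moved to a non-root UID, the mode and the comment must change together, and saying so in the comment would prevent a silent permission failure. Whether the job is pinned to this host follows from the `host` volume in jobs/vaultwarden.nomad.hcl, which is outside this hunk.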
@@ -0,0 +1,66 @@
+variable "domain_name" {
+ type = string
+ default = "vault.datasektionen.se"
+}
+
+job "vault" {
+ namespace = "vault"
+
+ group "vault" {
+ network {
+ port "http" { }
+ }
+
+ service {
+ name = "vault"
+ port = "http"
+ provider = "nomad"
+ tags = [
+ "traefik.enable=true",
+ "traefik.http.routers.vault.rule=Host(`${var.domain_name}`)",
+ "traefik.http.routers.vault.tls.certresolver=default",
+ ]
+ }
+
+ volume "data" {
+ type = "host"
+ source = "vault/data"
+ }
+
+ task "vault" {
+ driver = "docker"
+
+ config {
+ image = "vaultwarden/server:1.32.0-alpine"
+ ports = ["http"]
+ }
+
+ template {
+ data = <