tech/sendico
2
0
Fork 0
Code Issues 31 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

added missing files

Browse Source
This commit is contained in:
Arseni
2026-03-10 21:45:41 +03:00
parent 7ae4518926
commit 049b23516a
22 changed files with 221 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
infra/gitea/vault/agent.hcl Normal file
View File

@@ -0,0 +1,35 @@
auto_auth {
method "approle" {
mount_path = "auth/approle"
config = {
role_id_file_path = "/vault/secrets/role_id"
secret_id_file_path = "/vault/secrets/secret_id"
}
}
sink "file" { config = { path = "/vault/.token" } }
}
template {
source = "/etc/vault/templates/gitea_db_pass.ctmpl"
destination = "/vault/secrets/gitea_db_pass"
}
template {
source = "/etc/vault/templates/minio_access_key.ctmpl"
destination = "/vault/secrets/minio_access_key"
}
template {
source = "/etc/vault/templates/minio_secret_key.ctmpl"
destination = "/vault/secrets/minio_secret_key"
}
template {
source = "/etc/vault/templates/mail_account.ctmpl"
destination = "/vault/secrets/mail_account"
}
template {
source = "/etc/vault/templates/mail_secret.ctmpl"
destination = "/vault/secrets/mail_secret"
}

1
infra/gitea/vault/templates/gitea_db_pass.ctmpl Normal file
View File

@@ -0,0 +1 @@
{{ with secret "kv/data/cicd/gitea" }}{{ .Data.data.gitea_db_pass }}{{- end -}}

1
infra/gitea/vault/templates/mail_account.ctmpl Normal file
View File

@@ -0,0 +1 @@
{{ with secret "kv/data/cicd/gitea" }}{{ .Data.data.mail_account }}{{- end -}}

1
infra/gitea/vault/templates/mail_secret.ctmpl Normal file
View File

@@ -0,0 +1 @@
{{ with secret "kv/data/cicd/gitea" }}{{ .Data.data.mail_secret }}{{- end -}}

1
infra/gitea/vault/templates/minio_access_key.ctmpl Normal file
View File

@@ -0,0 +1 @@
{{ with secret "kv/data/s3/gitea" }}{{ .Data.data.access_key_id }}{{- end -}}

1
infra/gitea/vault/templates/minio_secret_key.ctmpl Normal file
View File

@@ -0,0 +1 @@
{{ with secret "kv/data/s3/gitea" }}{{ .Data.data.secret_access_key }}{{- end -}}

31
infra/monitoring/vault-agent/agent.hcl Normal file
View File

@@ -0,0 +1,31 @@
exit_after_auth = false
pid_file = "/tmp/vault-agent.pid"
vault {
address = "http://vault:8200"
}
auto_auth {
method "approle" {
mount_path = "auth/approle"
config = {
role_id_file_path = "/etc/vault/role_id"
secret_id_file_path = "/etc/vault/secret_id"
remove_secret_id_file_after_reading = false
}
}
sink "file" { config = { path = "/vault/secrets/.vault-token" } }
}
template {
source = "/etc/vault/templates/grafana.env.ctmpl"
destination = "/vault/secrets/grafana.env"
perms = "0644"
command = "chown 472:472 /vault/secrets/grafana.env"
}
template {
source = "/etc/vault/templates/alertmanager.yml.ctmpl"
destination = "/vault/alertmanager/alertmanager.yml"
perms = "0644"
}

18
infra/monitoring/vault-agent/templates/alertmanager.yml.ctmpl Normal file
View File

@@ -0,0 +1,18 @@
route:
receiver: 'telegram'
group_by: ['alertname', 'instance']
group_wait: 30s
group_interval: 5m
repeat_interval: 3h
receivers:
- name: 'telegram'
telegram_configs:
- bot_token: '{{ with secret "kv/data/monitoring/telegram" }}{{ .Data.data.token }}{{ end }}'
chat_id: {{ with secret "kv/data/monitoring/telegram" }}{{ .Data.data.admin_chat_id }}{{ end }} # put your numeric chat id here, or also render from Vault if you want
message: |
🚨 *{{ "{{ .Status | toUpper }}" }}* — {{ "{{ .CommonLabels.alertname }}" }}
*Instance:* {{ "{{ .CommonLabels.instance }}" }}
*Summary:* {{ "{{ .CommonAnnotations.summary }}" }}
*Description:* {{ "{{ .CommonAnnotations.description }}" }}
parse_mode: 'Markdown'

4
infra/monitoring/vault-agent/templates/grafana.env.ctmpl Normal file
View File

@@ -0,0 +1,4 @@
GF_SECURITY_ADMIN_USER="{{ with secret "kv/data/monitoring/grafana" }}{{ .Data.data.username }}{{ end }}"
GF_SECURITY_ADMIN_PASSWORD="{{ with secret "kv/data/monitoring/grafana" }}{{ .Data.data.password }}{{ end }}"
GF_AUTH_ANONYMOUS_ENABLED="false"
GF_USERS_ALLOW_SIGN_UP="false"

22
infra/registry/vault/agent.hcl Normal file
View File

@@ -0,0 +1,22 @@
auto_auth {
method "approle" {
mount_path = "auth/approle"
config = {
role_id_file_path = "/vault/secrets/role_id"
secret_id_file_path = "/vault/secrets/secret_id"
}
}
sink "file" { config = { path = "/vault/.token" } }
}
template {
source = "/etc/vault/templates/htpasswd.ctmpl"
destination = "/vault/secrets/htpasswd"
perms = "0440"
}
template {
source = "/etc/vault/templates/s3.env.ctmpl"
destination = "/vault/secrets/env"
perms = "0440"
}

3
infra/registry/vault/templates/htpasswd.ctmpl Normal file
View File

@@ -0,0 +1,3 @@
{{- with secret "kv/data/registry" -}}
{{ .Data.data.htpasswd }}
{{- end -}}

8
infra/registry/vault/templates/s3.env.ctmpl Normal file
View File

@@ -0,0 +1,8 @@
{{- with secret "kv/data/s3/registry" -}}
REGISTRY_STORAGE_S3_ACCESSKEY={{ .Data.data.access_key_id }}
REGISTRY_STORAGE_S3_SECRETKEY="{{ .Data.data.secret_access_key }}"
{{ end }}
{{- with secret "kv/data/registry" -}}
REGISTRY_HTTP_SECRET="{{ .Data.data.http_secret }}"
{{ end }}

10
infra/s3/minio-entrypoint.sh Normal file
View File

@@ -0,0 +1,10 @@
#!/bin/sh
set -e
echo "Waiting for Vault Agent to render /vault/secrets/minio.env..."
while [ ! -f /vault/secrets/minio.env ]; do
sleep 0.5
done
echo "Vault secrets ready, starting MinIO..."
exec minio "$@"

6
infra/s3/minio-wait.sh Normal file
View File

@@ -0,0 +1,6 @@
#!/bin/sh
set -eu
until [ -s /vault/secrets/MINIO_ROOT_USER ] && [ -s /vault/secrets/MINIO_ROOT_PASSWORD ]; do
echo "waiting for MINIO creds"; sleep 1
done
exec /usr/bin/minio "$@"

29
infra/s3/vault/agent.hcl Normal file
View File

@@ -0,0 +1,29 @@
auto_auth {
method "approle" {
mount_path = "auth/approle"
config = {
role_id_file_path = "/vault/secrets/role_id"
secret_id_file_path = "/vault/secrets/secret_id"
}
}
sink "file" {
config = { path = "/vault/token" }
}
}
template {
source = "/etc/vault/templates/user.ctmpl"
destination = "/vault/secrets/MINIO_ROOT_USER"
perms = "0440"
}
template {
source = "/etc/vault/templates/password.ctmpl"
destination = "/vault/secrets/MINIO_ROOT_PASSWORD"
perms = "0440"
}
vault {
address = "http://vault_vault:8200"
}

1
infra/s3/vault/templates/password.ctmpl Normal file
View File

@@ -0,0 +1 @@
{{ with secret "kv/data/s3/minio" }}{{ .Data.data.password }}{{ end }}

1
infra/s3/vault/templates/user.ctmpl Normal file
View File

@@ -0,0 +1 @@
{{ with secret "kv/data/s3/minio" }}{{ .Data.data.user }}{{ end }}

38
infra/woodpecker/vault/agent.hcl Normal file
View File

@@ -0,0 +1,38 @@
exit_after_auth = false
pid_file = "/vault/secrets/vault-agent.pid"
auto_auth {
method "approle" {
mount_path = "auth/approle"
config = {
role_id_file_path = "/vault/secrets/role_id"
secret_id_file_path = "/vault/secrets/secret_id"
}
}
sink "file" { config = { path = "/vault/secrets/.vault-token" } }
}
# Render secrets to lowercase files
template {
source = "/etc/vault/templates/agent_secret.ctmpl"
destination = "/vault/secrets/agent_secret"
perms = "0440"
}
template {
source = "/etc/vault/templates/gitea_client_id.ctmpl"
destination = "/vault/secrets/gitea_client_id"
perms = "0440"
}
template {
source = "/etc/vault/templates/gitea_client_secret.ctmpl"
destination = "/vault/secrets/gitea_client_secret"
perms = "0440"
}
template {
source = "/etc/vault/templates/pg_dsn.ctmpl"
destination = "/vault/secrets/pg_dsn"
perms = "0644"
}

3
infra/woodpecker/vault/templates/agent_secret.ctmpl Normal file
View File

@@ -0,0 +1,3 @@
{{ with secret "kv/data/cicd/woodpecker/agent" -}}
{{ .Data.data.secret }}
{{- end }}

3
infra/woodpecker/vault/templates/gitea_client_id.ctmpl Normal file
View File

@@ -0,0 +1,3 @@
{{ with secret "kv/data/cicd/woodpecker" -}}
{{ .Data.data.gitea_client_id }}
{{- end }}

3
infra/woodpecker/vault/templates/gitea_client_secret.ctmpl Normal file
View File

@@ -0,0 +1,3 @@
{{ with secret "kv/data/cicd/woodpecker" -}}
{{ .Data.data.gitea_client_secret }}
{{- end }}

1
infra/woodpecker/vault/templates/pg_dsn.ctmpl Normal file
View File

@@ -0,0 +1 @@
{{- with secret "kv/data/cicd/woodpecker" -}}{{ .Data.data.pg_dsn }}{{- end -}}