Page Menu
Home
DevCentral
Search
Configure Global Search
Log In
Files
F3767174
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
10 KB
Referenced Files
None
Subscribers
None
View Options
diff --git a/roles/vault/policies/files/admin.hcl b/roles/vault/policies/files/admin.hcl
index b3e96b4..3c8439b 100644
--- a/roles/vault/policies/files/admin.hcl
+++ b/roles/vault/policies/files/admin.hcl
@@ -1,94 +1,94 @@
# -------------------------------------------------------------
# Vault configuration - Policy for Nasqueron Ops SIG beings
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
-# Source file: roles/vault/vault/files/admin.hcl
+# Source file: s/roles/vault/policies/files/admin.hcl
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Health check
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
path "sys/health" {
capabilities = ["read", "sudo"]
}
# -------------------------------------------------------------
# Policies management
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
path "sys/policies/acl" {
capabilities = ["list"]
}
path "sys/policies/acl/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# -------------------------------------------------------------
# Authentication management
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
path "auth/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/auth/*" {
capabilities = ["create", "update", "delete", "sudo"]
}
path "sys/auth" {
capabilities = ["read"]
}
# -------------------------------------------------------------
# Secrets management
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
path "sys/mounts" {
capabilities = ["read"]
}
path "sys/mounts/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "apps/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "ops/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# -------------------------------------------------------------
# PKI
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
path "pki_root/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "pki_vault/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
# -------------------------------------------------------------
# Transit
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
path "transit/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "transit/keys/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
diff --git a/roles/vault/policies/files/airflow.hcl b/roles/vault/policies/files/airflow.hcl
index a1ed27a..aaa47b2 100644
--- a/roles/vault/policies/files/airflow.hcl
+++ b/roles/vault/policies/files/airflow.hcl
@@ -1,20 +1,20 @@
# -------------------------------------------------------------
# Vault configuration - Policy for Apache Airflow
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
-# Source file: roles/vault/vault/files/airflow.hcl
+# Source file: s/roles/vault/policies/files/airflow.hcl
#
# Airflow realm: nasqueron
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
path "apps/data/airflow/*" {
capabilities = [ "read" ]
}
diff --git a/roles/vault/policies/files/salt-primary.hcl b/roles/vault/policies/files/salt-primary.hcl
index 299886c..6cb2b3c 100644
--- a/roles/vault/policies/files/salt-primary.hcl
+++ b/roles/vault/policies/files/salt-primary.hcl
@@ -1,88 +1,88 @@
# -------------------------------------------------------------
# Vault configuration - Policy for salt primary server
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
-# Source file: roles/vault/vault/files/salt_primary.hcl
+# Source file: s/roles/vault/policies/files/salt_primary.hcl
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Policies management
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
path "sys/policies/acl" {
capabilities = ["list"]
}
path "sys/policies/acl/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/policy" {
capabilities = ["list"]
}
path "sys/policy/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# -------------------------------------------------------------
# Tokens management
#
# :: Create, check, revoke tokens to be used by nodes through Salt
# :: Manage and renew own token
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
path "auth/token/create/salt-node-*" {
capabilities = ["update"]
}
path "auth/token/roles/salt-node-*" {
capabilities = ["read"]
}
path "auth/token/lookup-self" {
capabilities = ["read"]
}
path "auth/token/renew-self" {
capabilities = ["update"]
}
path "auth/token/lookup" {
capabilities = ["update"]
}
path "auth/token/revoke-accessor" {
capabilities = ["update"]
}
path "sys/capabilities-self" {
capabilities = ["update"]
}
path "transit/keys/*"{
capabilities = ["create"]
}
# -------------------------------------------------------------
# RabbitMQ credentials
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for cluster, cluster_args in pillar.get("rabbitmq_clusters", {}).items() %}
# Cluster: {{ cluster }}
{% for user, credential in cluster_args.get("users", {}).items() %}
path "{{ credential.replace("/", "/data/", 1) }}" {
capabilities = [ "read" ]
}
{% endfor %}
{% endfor %}
diff --git a/roles/vault/policies/files/sentry.hcl b/roles/vault/policies/files/sentry.hcl
index 6355ea5..7d84a6a 100644
--- a/roles/vault/policies/files/sentry.hcl
+++ b/roles/vault/policies/files/sentry.hcl
@@ -1,26 +1,26 @@
# -------------------------------------------------------------
# Vault configuration - Policy for Sentry
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
-# Source file: roles/vault/vault/files/sentry.hcl
+# Source file: s/roles/vault/policies/files/sentry.hcl
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
path "apps/data/sentry/github" {
capabilities = [ "read" ]
}
path "ops/data/secrets/nasqueron/sentry/app_key" {
capabilities = [ "read" ]
}
path "ops/data/secrets/nasqueron/sentry/postgresql" {
capabilities = [ "read" ]
}
diff --git a/roles/vault/policies/files/vault_bootstrap.hcl b/roles/vault/policies/files/vault_bootstrap.hcl
index cca39d2..02cf537 100644
--- a/roles/vault/policies/files/vault_bootstrap.hcl
+++ b/roles/vault/policies/files/vault_bootstrap.hcl
@@ -1,34 +1,34 @@
# -------------------------------------------------------------
# Vault configuration - Policy to run DRP bootstrap script
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
-# Source file: roles/vault/vault/files/vault_boostrap.hcl
+# Source file: s/roles/vault/policies/files/vault_boostrap.hcl
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Secrets engine management
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
path "sys/mounts/*" {
capabilities = [ "create", "read", "update", "delete", "list" ]
}
path "sys/mounts" {
capabilities = [ "read", "list" ]
}
# -------------------------------------------------------------
# PKI
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
path "pki*" {
capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
}
diff --git a/roles/vault/policies/files/viperserv.hcl b/roles/vault/policies/files/viperserv.hcl
index 40465fc..9eb9abd 100644
--- a/roles/vault/policies/files/viperserv.hcl
+++ b/roles/vault/policies/files/viperserv.hcl
@@ -1,18 +1,18 @@
# -------------------------------------------------------------
# Vault configuration - Policy for ViperServ eggdrops
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
-# Source file: roles/vault/vault/files/viperserv.hcl
+# Source file: s/roles/vault/policies/files/viperserv.hcl
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
path "apps/data/viperserv/*" {
capabilities = [ "read" ]
}
File Metadata
Details
Attached
Mime Type
text/x-diff
Expires
Sun, Nov 24, 22:50 (14 h, 45 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2259087
Default Alt Text
(10 KB)
Attached To
Mode
rOPS Nasqueron Operations
Attached
Detach File
Event Timeline
Log In to Comment