diff --git a/roles/vault/policies/files/admin.hcl b/roles/vault/policies/files/admin.hcl
index b3e96b4..bef79ca 100644
--- a/roles/vault/policies/files/admin.hcl
+++ b/roles/vault/policies/files/admin.hcl
@@ -1,94 +1,94 @@ # ------------------------------------------------------------- # Vault configuration - Policy for Nasqueron Ops SIG beings # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # License: Trivial work, not eligible to copyright -# Source file: roles/vault/vault/files/admin.hcl +# Source file: roles/vault/policies/files/admin.hcl # ------------------------------------------------------------- # # <auto-generated> # This file is managed by our rOPS SaltStack repository. # # Changes to this file may cause incorrect behavior # and will be lost if the state is redeployed. # </auto-generated> # ------------------------------------------------------------- # Health check # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - path "sys/health" { capabilities = ["read", "sudo"] } # ------------------------------------------------------------- # Policies management # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - path "sys/policies/acl" { capabilities = ["list"] } path "sys/policies/acl/*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] } # ------------------------------------------------------------- # Authentication management # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - path "auth/*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] } path "sys/auth/*" { capabilities = ["create", "update", "delete", "sudo"] } path "sys/auth" { capabilities = ["read"] } # ------------------------------------------------------------- # Secrets management # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - path "sys/mounts" { capabilities = ["read"] } path "sys/mounts/*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] } path "apps/*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] } path "ops/*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] } # 
------------------------------------------------------------- # PKI # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - path "pki_root/*" { capabilities = ["create", "read", "update", "delete", "list"] } path "pki_vault/*" { capabilities = ["create", "read", "update", "delete", "list"] } # ------------------------------------------------------------- # Transit # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - path "transit/*" { capabilities = ["create", "read", "update", "delete", "list"] } path "transit/keys/*" { capabilities = ["create", "read", "update", "delete", "list"] } diff --git a/roles/vault/policies/files/airflow.hcl b/roles/vault/policies/files/airflow.hcl index a1ed27a..21408d0 100644 --- a/roles/vault/policies/files/airflow.hcl +++ b/roles/vault/policies/files/airflow.hcl @@ -1,20 +1,20 @@ # ------------------------------------------------------------- # Vault configuration - Policy for Apache Airflow # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # License: Trivial work, not eligible to copyright -# Source file: roles/vault/vault/files/airflow.hcl +# Source file: roles/vault/policies/files/airflow.hcl # # Airflow realm: nasqueron # ------------------------------------------------------------- # # <auto-generated> # This file is managed by our rOPS SaltStack repository. # # Changes to this file may cause incorrect behavior # and will be lost if the state is redeployed. # </auto-generated> path "apps/data/airflow/*" { capabilities = [ "read" ] } diff --git a/roles/vault/policies/files/salt-primary.hcl b/roles/vault/policies/files/salt-primary.hcl index 299886c..fe94b9f 100644 --- a/roles/vault/policies/files/salt-primary.hcl +++ b/roles/vault/policies/files/salt-primary.hcl 
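Review bot: In the Transit section of admin.hcl the `path "transit/keys/*"` rule is fully subsumed by the preceding `path "transit/*"` rule, which grants the identical capability list, so it has no effect as written. Either drop the redundant block, or, if the intent was to treat key objects differently from the rest of the mount (for example withholding `delete` so keys cannot be destroyed by accident), give it a distinct capability list and a one-line comment saying why, e.g. `# Keys are deliberately not deletable from this policy`. Vault resolves the most specific matching path, so a narrower rule only matters when its capabilities differ from the broader one.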
@@ -1,88 +1,88 @@ # ------------------------------------------------------------- # Vault configuration - Policy for salt primary server # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # License: Trivial work, not eligible to copyright -# Source file: roles/vault/vault/files/salt_primary.hcl +# Source file: roles/vault/policies/files/salt_primary.hcl # ------------------------------------------------------------- # # <auto-generated> # This file is managed by our rOPS SaltStack repository. # # Changes to this file may cause incorrect behavior # and will be lost if the state is redeployed. # </auto-generated> # ------------------------------------------------------------- # Policies management # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - path "sys/policies/acl" { capabilities = ["list"] } path "sys/policies/acl/*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] } path "sys/policy" { capabilities = ["list"] } path "sys/policy/*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] } # ------------------------------------------------------------- # Tokens management # # :: Create, check, revoke tokens to be used by nodes through Salt # :: Manage and renew own token # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - path "auth/token/create/salt-node-*" { capabilities = ["update"] } path "auth/token/roles/salt-node-*" { capabilities = ["read"] } path "auth/token/lookup-self" { capabilities = ["read"] } path "auth/token/renew-self" { capabilities = ["update"] } path "auth/token/lookup" { capabilities = ["update"] } path "auth/token/revoke-accessor" { capabilities = ["update"] } path "sys/capabilities-self" { capabilities = ["update"] } path "transit/keys/*"{ capabilities = ["create"] } # ------------------------------------------------------------- # RabbitMQ credentials # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - {% for cluster, 
cluster_args in pillar.get("rabbitmq_clusters", {}).items() %} # Cluster: {{ cluster }} {% for user, credential in cluster_args.get("users", {}).items() %} path "{{ credential.replace("/", "/data/", 1) }}" { capabilities = [ "read" ] } {% endfor %} {% endfor %} diff --git a/roles/vault/policies/files/sentry.hcl b/roles/vault/policies/files/sentry.hcl index 6355ea5..7dda78a 100644 --- a/roles/vault/policies/files/sentry.hcl +++ b/roles/vault/policies/files/sentry.hcl @@ -1,26 +1,26 @@ # ------------------------------------------------------------- # Vault configuration - Policy for Sentry # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # License: Trivial work, not eligible to copyright -# Source file: roles/vault/vault/files/sentry.hcl +# Source file: roles/vault/policies/files/sentry.hcl # ------------------------------------------------------------- # # <auto-generated> # This file is managed by our rOPS SaltStack repository. # # Changes to this file may cause incorrect behavior # and will be lost if the state is redeployed. # </auto-generated> path "apps/data/sentry/github" { capabilities = [ "read" ] } path "ops/data/secrets/nasqueron/sentry/app_key" { capabilities = [ "read" ] } path "ops/data/secrets/nasqueron/sentry/postgresql" { capabilities = [ "read" ] } diff --git a/roles/vault/policies/files/vault_bootstrap.hcl b/roles/vault/policies/files/vault_bootstrap.hcl index cca39d2..05f40a9 100644 --- a/roles/vault/policies/files/vault_bootstrap.hcl +++ b/roles/vault/policies/files/vault_bootstrap.hcl 
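Review bot: The updated header comment in salt-primary.hcl still names the file `salt_primary.hcl` (underscore) while the diff header shows the file is `roles/vault/policies/files/salt-primary.hcl` (hyphen), so the path correction this commit makes is itself inaccurate; it should read `# Source file: roles/vault/policies/files/salt-primary.hcl`. Unrelated to the rename but visible on the new side, the Tokens section ends with `path "transit/keys/*"{` without the space before the brace that every other rule in the file uses; `path "transit/keys/*" {` would match the surrounding style. The "Tokens management" banner also says the role may "check" tokens, while the rule set additionally grants `update` on `auth/token/lookup`, which permits looking up arbitrary tokens by ID; if that is intended, a short comment on that rule stating the reason would help the next reviewer.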
@@ -1,34 +1,34 @@ # ------------------------------------------------------------- # Vault configuration - Policy to run DRP bootstrap script # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # License: Trivial work, not eligible to copyright -# Source file: roles/vault/vault/files/vault_boostrap.hcl +# Source file: roles/vault/policies/files/vault_boostrap.hcl # ------------------------------------------------------------- # # <auto-generated> # This file is managed by our rOPS SaltStack repository. # # Changes to this file may cause incorrect behavior # and will be lost if the state is redeployed. # </auto-generated> # ------------------------------------------------------------- # Secrets engine management # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - path "sys/mounts/*" { capabilities = [ "create", "read", "update", "delete", "list" ] } path "sys/mounts" { capabilities = [ "read", "list" ] } # ------------------------------------------------------------- # PKI # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - path "pki*" { capabilities = [ "create", "read", "update", "delete", "list", "sudo" ] } diff --git a/roles/vault/policies/files/viperserv.hcl b/roles/vault/policies/files/viperserv.hcl index 40465fc..2e9525e 100644 --- a/roles/vault/policies/files/viperserv.hcl +++ b/roles/vault/policies/files/viperserv.hcl 
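Review bot: The new Source file comment in vault_bootstrap.hcl keeps the misspelling `vault_boostrap.hcl` although the diff header shows the file is `vault_bootstrap.hcl`; it should read `# Source file: roles/vault/policies/files/vault_bootstrap.hcl`. Also visible on the new side, the PKI rule `path "pki*"` grants `sudo` on every mount whose name starts with `pki`, not only the `pki_root` and `pki_vault` mounts that admin.hcl enumerates explicitly; if the bootstrap script only needs those two, listing them (`path "pki_root/*"` and `path "pki_vault/*"`) would keep a future `pki...` mount from inheriting this bootstrap-level access. I am inferring the intended mount set from the admin policy, so please confirm against the DRP script before narrowing it.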
@@ -1,18 +1,18 @@ # ------------------------------------------------------------- # Vault configuration - Policy for ViperServ eggdrops # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # License: Trivial work, not eligible to copyright -# Source file: roles/vault/vault/files/viperserv.hcl +# Source file: roles/vault/policies/files/viperserv.hcl # ------------------------------------------------------------- # # <auto-generated> # This file is managed by our rOPS SaltStack repository. # # Changes to this file may cause incorrect behavior # and will be lost if the state is redeployed. # </auto-generated> path "apps/data/viperserv/*" { capabilities = [ "read" ] }