nomad

HCL and Docker files for Nomad deployments
git clone https://git.in0rdr.ch/nomad.git

commit 404f8532c779810f6b60d3724a1adc875ba8fb55
parent d3d4a6bb1864cbe112f4e87e4ebd8393d5e9aa67
Author: Andreas Gruhler <agruhl@gmx.ch>
Date:   Sun,  7 Sep 2025 12:33:18 +0200

fix(ampache-catalogue): access to ampache secrets

Diffstat:
Mhcl/default/ampache/ampache-catalog.nomad | 4+++-
Ahcl/default/ampache/ampache-policy.hcl | 3+++
Ahcl/default/ampache/ampache-role.json | 21+++++++++++++++++++++
3 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/hcl/default/ampache/ampache-catalog.nomad b/hcl/default/ampache/ampache-catalog.nomad
@@ -2,7 +2,9 @@ job "ampache-catalog" {
 datacenters = ["dc1"]
 type = "batch"
- vault {}
+ vault {
+ role = "ampache"
+ }
 periodic {
 crons = [
diff --git a/hcl/default/ampache/ampache-policy.hcl b/hcl/default/ampache/ampache-policy.hcl
@@ -0,0 +1,3 @@
+path "kv/+/ampache*" {
+ capabilities = ["list", "read"]
+}
diff --git a/hcl/default/ampache/ampache-role.json b/hcl/default/ampache/ampache-role.json
@@ -0,0 +1,21 @@
+{
+ "bound_audiences": [
+ "vault.in0rdr.ch"
+ ],
+ "role_type": "jwt",
+ "user_claim": "/nomad_job_id",
+ "user_claim_json_pointer": "true",
+ "bound_claims_type": "glob",
+ "claim_mappings": {
+ "nomad_job_id": "nomad_job_id",
+ "nomad_namespace": "nomad_namespace",
+ "nomad_task": "nomad_task"
+ },
+ "bound_claims": {
+ "nomad_job_id": "ampache*",
+ "nomad_namespace": "default"
+ },
+ "token_policies": [
+ "ampache"
+ ]
+}
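Review bot: The new `role = "ampache"` in the `vault` block gives no hint of where that role or its policy is defined, so a reader of the job file cannot tell what the task's Vault token may read. A comment above it, such as `# Vault JWT role from ampache-role.json; grants the "ampache" policy (ampache-policy.hcl)`, would tie the job to the two files added in this commit. The job block begins before the hunk and continues past it, so the templates or env stanzas that consume the secrets are not visible here.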
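Review bot: The single rule `path "kv/+/ampache*"` is wider than the job likely needs. The `+` matches every second path segment of the mount, not just `data` and `metadata`, and the trailing `ampache*` is a prefix match, so any secret whose name merely starts with `ampache` (for example one belonging to another service) is readable with this policy. Splitting the rule per KV v2 endpoint and ending the path at a separator keeps `read` on secret data and `list` on metadata only. The secret layout is not shown on the page, so the exact paths below are an assumption to adjust.

```hcl
# assumes secrets live under kv/ampache/<name> on a KV v2 mount
path "kv/data/ampache/*" {
  capabilities = ["read"]
}
path "kv/metadata/ampache/*" {
  capabilities = ["list"]
}
```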
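Review bot: With `"bound_claims_type": "glob"`, the binding `"nomad_job_id": "ampache*"` lets any job in the `default` namespace whose ID starts with `ampache` log in and receive the `ampache` policy. Anyone allowed to submit jobs in that namespace can therefore reach these secrets by choosing a matching job name. Listing the intended job IDs explicitly, e.g. `"nomad_job_id": ["ampache", "ampache-catalog"]`, closes that gap; the job names are inferred from this commit, and whether periodic child jobs present the parent ID in the claim should be confirmed first. The role also sets no `token_ttl` or `token_period`, so token lifetime falls back to the mount defaults. Separately, `"user_claim_json_pointer": "true"` would read better as the boolean `true`.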