Nomad Passbolt Job

README.md

@@ -0,0 +1,111 @@
+# Passbolt Nomad Deployment
+
+This repository contains the Nomad job specification for deploying Passbolt password manager on a Nomad cluster with Consul Connect and Traefik integration.
+
+## Prerequisites
+
+Before deploying Passbolt, ensure you have:
+
+1. A Nomad cluster with Consul Connect enabled
+2. Traefik configured for service routing
+3. Docker volumes directory created on the target node
+
+## Deployment Steps
+
+### 1. Register Consul Service Defaults
+
+Before deploying the Nomad job, you must register the service defaults with Consul:
+
+```bash
+consul config write passbolt-service-defaults.hcl
+```
+
+This configures the protocol for the `passbolt-app` service to work with the Consul Connect ingress gateway.
+
+### 2. Set Up Volume Permissions
+
+The GPG volume directory requires specific permissions for Passbolt to function correctly:
+
+```bash
+# Create the directory if it doesn't exist
+sudo mkdir -p /root/nomadvolumes/passbolt/data/gpg
+
+# Set ownership to root with www-data group
+sudo chown root:www-data /root/nomadvolumes/passbolt/data/gpg
+
+# Set permissions to 774
+sudo chmod 774 /root/nomadvolumes/passbolt/data/gpg
+```
+
+### 3. Deploy the Nomad Job
+
+```bash
+nomad run passbolt.nomad
+```
+
+## Post-Deployment Configuration
+
+### Creating the First Admin User
+
+After the deployment is successful, you need to create the first admin user. Connect to the Passbolt container and run:
+
+```bash
+nomad alloc exec -task passbolt-app <ALLOCATION_ID> su -m -c "/usr/share/php/passbolt/bin/cake \
+  passbolt register_user \
+    -u YOUR_EMAIL \
+    -f YOUR_NAME \
+    -l YOUR_LASTNAME \
+    -r admin" -s /bin/sh www-data
+```
+
+Replace:
+- `<ALLOCATION_ID>` with the actual allocation ID (find it with `nomad job status passbolt`)
+- `YOUR_EMAIL` with the admin email address
+- `YOUR_NAME` with the admin first name
+- `YOUR_LASTNAME` with the admin last name
+
+This command will output a registration link. Follow the link to complete the user setup process, including:
+- Installing the Passbolt browser extension
+- Creating your passphrase
+- Generating your recovery kit
+
+For detailed instructions, see: [Passbolt Docker Installation Guide](https://www.passbolt.com/docs/hosting/install/ce/docker/)
+
+### Importing Passwords from CSV
+
+If you're migrating from another password manager (like Dropbox Passwords), you can import passwords using a CSV file.
+
+Follow this community guide for the import process:
+[Migrating from Dropbox Passwords to Passbolt](https://community.passbolt.com/t/migrating-from-dropbox-passwords-to-passbolt/13653)
+
+## Access
+
+Once deployed and configured, Passbolt will be available at:
+
+**https://passbolt.neogenia.com.mx**
+
+## Architecture
+
+The deployment consists of three main groups:
+
+1. **ingress-group**: Consul Connect ingress gateway with Traefik integration for external routing
+2. **database**: MariaDB 10.11 for data persistence
+3. **passbolt**: The main Passbolt application with Consul Connect sidecar for secure service mesh communication
+
+## Volumes
+
+The deployment uses the following persistent volumes:
+
+- `/root/nomadvolumes/passbolt/data/mysql` - MariaDB database files
+- `/root/nomadvolumes/passbolt/data/gpg` - GPG keys (requires special permissions)
+- `/root/nomadvolumes/passbolt/data/jwt` - JWT tokens
+
+## Security Notes
+
+- Database credentials are configured in the Nomad job file. Update these for production use.
+- All service-to-service communication uses Consul Connect for mTLS encryption
+- Traefik handles TLS termination with automatic certificate generation via Let's Encrypt
+
+## Additional Notes
+
+- This repo contains the original docker-compose yml file as a reference but it is not needed to run the nomad job