# Passbolt Nomad Deployment

This repository contains the Nomad job specification for deploying the Passbolt password manager on a Nomad cluster with Consul Connect and Traefik integration.

## Prerequisites

Before deploying Passbolt, ensure you have:

1. A Nomad cluster with Consul Connect enabled
2. Traefik configured for service routing
3. The Docker volumes directory created on the target node

## Deployment Steps

### 1. Register Consul Service Defaults

Before deploying the Nomad job, you must register the service defaults with Consul:

```bash
consul config write passbolt-service-defaults.hcl
```

This configures the protocol for the `passbolt-app` service so that it works with the Consul Connect ingress gateway.

### 2. Set Up Volume Permissions

The GPG volume directory requires specific permissions for Passbolt to function correctly:

```bash
# Create the directory if it doesn't exist
sudo mkdir -p /root/nomadvolumes/passbolt/data/gpg

# Set ownership to root with www-data group
sudo chown root:www-data /root/nomadvolumes/passbolt/data/gpg

# Set permissions to 774
sudo chmod 774 /root/nomadvolumes/passbolt/data/gpg
```

### 3. Deploy the Nomad Job

```bash
nomad run passbolt.nomad
```

## Post-Deployment Configuration

### Creating the First Admin User

After the deployment is successful, you need to create the first admin user. Connect to the Passbolt container and run:

```bash
nomad alloc exec -task passbolt-app <ALLOC_ID> su -m -c "/usr/share/php/passbolt/bin/cake \
  passbolt register_user \
  -u YOUR_EMAIL \
  -f YOUR_NAME \
  -l YOUR_LASTNAME \
  -r admin" -s /bin/sh www-data
```

Replace:

- `<ALLOC_ID>` with the actual allocation ID (find it with `nomad job status passbolt`)
- `YOUR_EMAIL` with the admin email address
- `YOUR_NAME` with the admin first name
- `YOUR_LASTNAME` with the admin last name

This command will output a registration link. Follow the link to complete the user setup process, including:

- Installing the Passbolt browser extension
- Creating your passphrase
- Generating your recovery kit

For detailed instructions, see the [Passbolt Docker Installation Guide](https://www.passbolt.com/docs/hosting/install/ce/docker/).

### Importing Passwords from CSV

If you're migrating from another password manager (such as Dropbox Passwords), you can import passwords using a CSV file. Follow this community guide for the import process: [Migrating from Dropbox Passwords to Passbolt](https://community.passbolt.com/t/migrating-from-dropbox-passwords-to-passbolt/13653)

## Access

Once deployed and configured, Passbolt will be available at: **https://passbolt.neogenia.com.mx**

## Architecture

The deployment consists of three main groups:

1. **ingress-group**: Consul Connect ingress gateway with Traefik integration for external routing
2. **database**: MariaDB 10.11 for data persistence
3. **passbolt**: The main Passbolt application with a Consul Connect sidecar for secure service mesh communication

## Volumes

The deployment uses the following persistent volumes:

- `/root/nomadvolumes/passbolt/data/mysql` - MariaDB database files
- `/root/nomadvolumes/passbolt/data/gpg` - GPG keys (requires special permissions)
- `/root/nomadvolumes/passbolt/data/jwt` - JWT tokens

## Security Notes

- Database credentials are configured in the Nomad job file. Update these for production use.
- All service-to-service communication uses Consul Connect for mTLS encryption.
- Traefik handles TLS termination with automatic certificate generation via Let's Encrypt.

## Additional Notes

- This repo contains the original docker-compose YAML file as a reference, but it is not needed to run the Nomad job.
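The following pre-deployment check is an added example, not a script from this repository: it verifies that the GPG volume from step 2 has the owner, group and mode the job expects, so a misconfigured host is caught before `nomad run` rather than when Passbolt fails to write its server keys. It assumes GNU coreutils `stat` (a Linux Nomad client node).

```sh
#!/bin/sh
# Verify ownership and mode of a host volume before deploying the Passbolt job.
# Assumes GNU `stat` (-c format). Example added for this README; not part of the repo.

# check_volume_perms DIR OWNER GROUP MODE
# Prints one line per mismatch; returns 0 only if directory exists and all match.
check_volume_perms() {
    dir=$1; want_owner=$2; want_group=$3; want_mode=$4
    rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir (create it with: sudo mkdir -p $dir)"
        return 1
    fi
    actual_owner=$(stat -c '%U' "$dir")   # owning user name
    actual_group=$(stat -c '%G' "$dir")   # owning group name
    actual_mode=$(stat -c '%a' "$dir")    # permission bits, octal (e.g. 774)
    if [ "$actual_owner" != "$want_owner" ]; then
        echo "OWNER    $dir is $actual_owner, expected $want_owner"; rc=1
    fi
    if [ "$actual_group" != "$want_group" ]; then
        echo "GROUP    $dir is $actual_group, expected $want_group"; rc=1
    fi
    if [ "$actual_mode" != "$want_mode" ]; then
        echo "MODE     $dir is $actual_mode, expected $want_mode"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK       $dir ($actual_owner:$actual_group $actual_mode)"
    return "$rc"
}

# The values the README requires for the GPG volume (step 2).
check_gpg_volume() {
    check_volume_perms /root/nomadvolumes/passbolt/data/gpg root www-data 774
}
```

Run `check_gpg_volume` on the target node before `nomad run passbolt.nomad`; a non-zero exit means one of the `chown`/`chmod` steps above still needs to be applied.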