passbolt/README.md
Francisco Gaona 5678e049af Nomad Passbolt Job
2025-10-29 08:20:26 +01:00

Passbolt Nomad Deployment

This repository contains the Nomad job specification for deploying the Passbolt password manager on a Nomad cluster with Consul Connect and Traefik integration.

Prerequisites

Before deploying Passbolt, ensure you have:

  1. A Nomad cluster with Consul Connect enabled
  2. Traefik configured for service routing
  3. Docker volumes directory created on the target node

Deployment Steps

1. Register Consul Service Defaults

Before deploying the Nomad job, you must register the service defaults with Consul:

consul config write passbolt-service-defaults.hcl

This configures the protocol for the passbolt-app service to work with the Consul Connect ingress gateway.

2. Set Up Volume Permissions

The GPG volume directory requires specific permissions for Passbolt to function correctly:

# Create the directory if it doesn't exist
sudo mkdir -p /root/nomadvolumes/passbolt/data/gpg

# Set ownership to root with www-data group
sudo chown root:www-data /root/nomadvolumes/passbolt/data/gpg

# Set permissions to 774
sudo chmod 774 /root/nomadvolumes/passbolt/data/gpg

3. Deploy the Nomad Job

nomad run passbolt.nomad
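
The check below is an added example, not part of this repository: it verifies that the GPG volume has the owner, group and mode set in step 2, and lists any entries inside it that carry permission bits for other users. It assumes GNU stat and find on the Nomad client; the function name audit_gpg_volume and the script name audit.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not part of this repository): audit the GPG volume from step 2.
# Assumes GNU stat and find, as found on a typical Linux Nomad client.
# audit_gpg_volume is a hypothetical helper name.

# audit_gpg_volume DIR OWNER GROUP MODE
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_gpg_volume() {
  dir=$1; want="$2:$3 $4"
  findings=0

  if [ -L "$dir" ] || [ ! -d "$dir" ]; then
    echo "MISSING: $dir is not a real directory (absent, a file, or a symlink)"
    return 1
  fi

  # Owner, group and octal mode must match what step 2 set.
  actual=$(stat -c '%U:%G %a' "$dir")
  if [ "$actual" != "$want" ]; then
    echo "MISMATCH: $dir is '$actual', expected '$want'"
    findings=1
  fi

  # Mode 774 leaves the read bit for "other" on the directory itself, so this
  # also flags entries inside that carry any "other" bits: the volume holds GPG keys.
  exposed=$(find "$dir" -mindepth 1 ! -type l -perm /007 -print)
  if [ -n "$exposed" ]; then
    echo "EXPOSED: entries with permission bits set for other users:"
    echo "$exposed" | sed 's/^/  /'
    findings=1
  fi

  return "$findings"
}

# Run as: sh audit.sh /root/nomadvolumes/passbolt/data/gpg root www-data 774
if [ "$#" -eq 4 ]; then
  audit_gpg_volume "$@"
fi
```

A non-zero exit status means at least one finding was printed, so the script can gate the deployment command in a wrapper.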

Post-Deployment Configuration

Creating the First Admin User

After the deployment is successful, you need to create the first admin user. Connect to the Passbolt container and run:

nomad alloc exec -task passbolt-app <ALLOCATION_ID> su -m -c "/usr/share/php/passbolt/bin/cake \
  passbolt register_user \
    -u YOUR_EMAIL \
    -f YOUR_NAME \
    -l YOUR_LASTNAME \
    -r admin" -s /bin/sh www-data

Replace:

  • <ALLOCATION_ID> with the actual allocation ID (find it with nomad job status passbolt)
  • YOUR_EMAIL with the admin email address
  • YOUR_NAME with the admin first name
  • YOUR_LASTNAME with the admin last name

This command will output a registration link. Follow the link to complete the user setup process, including:

  • Installing the Passbolt browser extension
  • Creating your passphrase
  • Generating your recovery kit

For detailed instructions, see: Passbolt Docker Installation Guide

Importing Passwords from CSV

If you're migrating from another password manager (like Dropbox Passwords), you can import passwords using a CSV file.

Follow this community guide for the import process: Migrating from Dropbox Passwords to Passbolt

Access

Once deployed and configured, Passbolt will be available at:

https://passbolt.neogenia.com.mx

Architecture

The deployment consists of three main groups:

  1. ingress-group: Consul Connect ingress gateway with Traefik integration for external routing
  2. database: MariaDB 10.11 for data persistence
  3. passbolt: The main Passbolt application with Consul Connect sidecar for secure service mesh communication

Volumes

The deployment uses the following persistent volumes:

  • /root/nomadvolumes/passbolt/data/mysql - MariaDB database files
  • /root/nomadvolumes/passbolt/data/gpg - GPG keys (requires special permissions)
  • /root/nomadvolumes/passbolt/data/jwt - JWT tokens

Security Notes

  • Database credentials are configured in the Nomad job file. Update these for production use.
  • All service-to-service communication uses Consul Connect for mTLS encryption.
  • Traefik handles TLS termination with automatic certificate generation via Let's Encrypt.

Additional Notes

  • This repo contains the original docker-compose YAML file as a reference, but it is not needed to run the Nomad job.