From 016f8c9119ce4111093edc7b016697f1bace9ad0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?= <torjus@usit.uio.no>
Date: Mon, 9 Feb 2026 00:04:17 +0100
Subject: [PATCH] terraform: add nixos-exporter shared policy

- Create shared policy granting all hosts access to nixos-exporter nkey
- Add policy to both manual and generated host AppRoles
- Remove duplicate kanidm01/monitoring02 entries from hosts-generated.tf

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 terraform/vault/approle.tf         | 13 ++++++++++++-
 terraform/vault/hosts-generated.tf | 14 +-------------
 2 files changed, 13 insertions(+), 14 deletions(-)

diff --git a/terraform/vault/approle.tf b/terraform/vault/approle.tf
index c3ce6e3..15ce4db 100644
--- a/terraform/vault/approle.tf
+++ b/terraform/vault/approle.tf
@@ -15,6 +15,17 @@ path "secret/data/shared/homelab-deploy/*" {
 EOT
 }
 
+# Shared policy for nixos-exporter NATS cache sharing
+resource "vault_policy" "nixos_exporter" {
+  name = "nixos-exporter"
+
+  policy = <<EOT
+path "secret/data/shared/nixos-exporter/*" {
+  capabilities = ["read", "list"]
+}
+EOT
+}
+
 # Define host access policies
 locals {
   host_policies = {
@@ -131,7 +142,7 @@ resource "vault_approle_auth_backend_role" "hosts" {
   backend   = vault_auth_backend.approle.path
   role_name = each.key
   token_policies = concat(
-    ["${each.key}-policy", "homelab-deploy"],
+    ["${each.key}-policy", "homelab-deploy", "nixos-exporter"],
     lookup(each.value, "extra_policies", [])
   )
 
diff --git a/terraform/vault/hosts-generated.tf b/terraform/vault/hosts-generated.tf
index c33e31e..9a11286 100644
--- a/terraform/vault/hosts-generated.tf
+++ b/terraform/vault/hosts-generated.tf
@@ -33,18 +33,6 @@ locals {
         "secret/data/shared/homelab-deploy/*",
       ]
     }
-    "kanidm01" = {
-      paths = [
-        "secret/data/hosts/kanidm01/*",
-        "secret/data/kanidm/*",
-      ]
-    }
-    "monitoring02" = {
-      paths = [
-        "secret/data/hosts/monitoring02/*",
-      ]
-    }
-  
   }
 
   # Placeholder secrets - user should add actual secrets manually or via tofu
@@ -74,7 +62,7 @@ resource "vault_approle_auth_backend_role" "generated_hosts" {
 
   backend            = vault_auth_backend.approle.path
   role_name          = each.key
-  token_policies     = ["host-${each.key}", "homelab-deploy"]
+  token_policies     = ["host-${each.key}", "homelab-deploy", "nixos-exporter"]
   secret_id_ttl      = 0 # Never expire (wrapped tokens provide time limit)
   token_ttl          = 3600
   token_max_ttl      = 3600