torjus/nixos-servers
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity

terraform: add nixos-exporter shared policy
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
Details

Browse Source 
- Create shared policy granting all hosts access to nixos-exporter nkey
- Add policy to both manual and generated host AppRoles
- Remove duplicate kanidm01/monitoring02 entries from hosts-generated.tf

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Torjus Håkestad
2026-02-09 00:04:17 +01:00
parent fec2a261ab
commit 016f8c9119
2 changed files with 13 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
terraform/vault/approle.tf
View File

@@ -15,6 +15,17 @@ path "secret/data/shared/homelab-deploy/*" {
EOT EOT
} }
# Shared policy for nixos-exporter NATS cache sharing
resource "vault_policy" "nixos_exporter" {
name = "nixos-exporter"
policy = <<EOT
path "secret/data/shared/nixos-exporter/*" {
capabilities = ["read", "list"]
}
EOT
}
# Define host access policies # Define host access policies
locals { locals {
host_policies = { host_policies = {
@@ -131,7 +142,7 @@ resource "vault_approle_auth_backend_role" "hosts" {
backend = vault_auth_backend.approle.path backend = vault_auth_backend.approle.path
role_name = each.key role_name = each.key
token_policies = concat( token_policies = concat(
["${each.key}-policy", "homelab-deploy"], ["${each.key}-policy", "homelab-deploy", "nixos-exporter"],
lookup(each.value, "extra_policies", []) lookup(each.value, "extra_policies", [])
) )

14
terraform/vault/hosts-generated.tf
View File

@@ -33,18 +33,6 @@ locals {
"secret/data/shared/homelab-deploy/*", "secret/data/shared/homelab-deploy/*",
] ]
} }
"kanidm01" = {
paths = [
"secret/data/hosts/kanidm01/*",
"secret/data/kanidm/*",
]
}
"monitoring02" = {
paths = [
"secret/data/hosts/monitoring02/*",
]
}
} }
# Placeholder secrets - user should add actual secrets manually or via tofu # Placeholder secrets - user should add actual secrets manually or via tofu
@@ -74,7 +62,7 @@ resource "vault_approle_auth_backend_role" "generated_hosts" {
backend = vault_auth_backend.approle.path backend = vault_auth_backend.approle.path
role_name = each.key role_name = each.key
token_policies = ["host-${each.key}", "homelab-deploy"] token_policies = ["host-${each.key}", "homelab-deploy", "nixos-exporter"]
secret_id_ttl = 0 # Never expire (wrapped tokens provide time limit) secret_id_ttl = 0 # Never expire (wrapped tokens provide time limit)
token_ttl = 3600 token_ttl = 3600
token_max_ttl = 3600 token_max_ttl = 3600