secrets: migrate all hosts from sops to OpenBao vault

Replace sops-nix secrets with OpenBao vault secrets across all hosts. Hardcode root password hash, add extractKey option to vault-secrets module, update Terraform with secrets/policies for all hosts, and create AppRole provisioning playbook. Hosts migrated: ha1, monitoring01, ns1, ns2, http-proxy, nix-cache01 Wave 1 hosts (nats1, jelly01, pgdb1) get AppRole policies only. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 18:43:09 +01:00
parent 4d33018285
commit 0700033c0a
20 changed files with 393 additions and 44 deletions
--- a/terraform/vault/approle.tf
+++ b/terraform/vault/approle.tf
@@ -25,17 +25,66 @@ locals {
    #   ]
    # }

-    # TODO: actually use this policy
    "ha1" = {
      paths = [
        "secret/data/hosts/ha1/*",
+        "secret/data/shared/backup/*",
      ]
    }

-    # TODO: actually use this policy
    "monitoring01" = {
      paths = [
        "secret/data/hosts/monitoring01/*",
+        "secret/data/shared/backup/*",
+        "secret/data/shared/nats/*",
+      ]
+    }
+
+    # Wave 1: hosts with no service secrets (only need vault.enable for future use)
+    "nats1" = {
+      paths = [
+        "secret/data/hosts/nats1/*",
+      ]
+    }
+
+    "jelly01" = {
+      paths = [
+        "secret/data/hosts/jelly01/*",
+      ]
+    }
+
+    "pgdb1" = {
+      paths = [
+        "secret/data/hosts/pgdb1/*",
+      ]
+    }
+
+    # Wave 3: DNS servers
+    "ns1" = {
+      paths = [
+        "secret/data/hosts/ns1/*",
+        "secret/data/shared/dns/*",
+      ]
+    }
+
+    "ns2" = {
+      paths = [
+        "secret/data/hosts/ns2/*",
+        "secret/data/shared/dns/*",
+      ]
+    }
+
+    # Wave 4: http-proxy
+    "http-proxy" = {
+      paths = [
+        "secret/data/hosts/http-proxy/*",
+      ]
+    }
+
+    # Wave 5: nix-cache01
+    "nix-cache01" = {
+      paths = [
+        "secret/data/hosts/nix-cache01/*",
      ]
    }
  }
--- a/terraform/vault/secrets.tf
+++ b/terraform/vault/secrets.tf
@@ -35,22 +35,63 @@ locals {
    #   }
    # }

-    # TODO: actually use the secret
    "hosts/monitoring01/grafana-admin" = {
      auto_generate   = true
      password_length = 32
    }

-    # TODO: actually use the secret
    "hosts/ha1/mqtt-password" = {
      auto_generate   = true
      password_length = 24
    }
+
    # TODO: Remove after testing
    "hosts/vaulttest01/test-service" = {
      auto_generate   = true
      password_length = 32
    }
+
+    # Shared backup password
+    "shared/backup/password" = {
+      auto_generate = false
+      data          = { password = var.backup_helper_secret }
+    }
+
+    # NATS NKey for alerttonotify
+    "shared/nats/nkey" = {
+      auto_generate = false
+      data          = { nkey = var.nats_nkey }
+    }
+
+    # PVE exporter config for monitoring01
+    "hosts/monitoring01/pve-exporter" = {
+      auto_generate = false
+      data          = { config = var.pve_exporter_config }
+    }
+
+    # DNS zone transfer key
+    "shared/dns/xfer-key" = {
+      auto_generate = false
+      data          = { key = var.ns_xfer_key }
+    }
+
+    # WireGuard private key for http-proxy
+    "hosts/http-proxy/wireguard" = {
+      auto_generate = false
+      data          = { private_key = var.wireguard_private_key }
+    }
+
+    # Nix cache signing key
+    "hosts/nix-cache01/cache-secret" = {
+      auto_generate = false
+      data          = { key = var.cache_signing_key }
+    }
+
+    # Gitea Actions runner token
+    "hosts/nix-cache01/actions-token" = {
+      auto_generate = false
+      data          = { token = var.actions_token_1 }
+    }
  }
 }

--- a/terraform/vault/variables.tf
+++ b/terraform/vault/variables.tf
@@ -16,11 +16,44 @@ variable "vault_skip_tls_verify" {
  default     = true
 }

-# Example variables for manual secrets
-# Uncomment and add to terraform.tfvars as needed
+variable "backup_helper_secret" {
+  description = "Backup helper password (shared across hosts)"
+  type        = string
+  sensitive   = true
+}

-# variable "smtp_password" {
-#   description = "SMTP password for notifications"
-#   type        = string
-#   sensitive   = true
-# }
+variable "nats_nkey" {
+  description = "NATS NKey for alerttonotify"
+  type        = string
+  sensitive   = true
+}
+
+variable "pve_exporter_config" {
+  description = "PVE exporter YAML configuration"
+  type        = string
+  sensitive   = true
+}
+
+variable "ns_xfer_key" {
+  description = "DNS zone transfer TSIG key"
+  type        = string
+  sensitive   = true
+}
+
+variable "wireguard_private_key" {
+  description = "WireGuard private key for http-proxy"
+  type        = string
+  sensitive   = true
+}
+
+variable "cache_signing_key" {
+  description = "Nix binary cache signing key"
+  type        = string
+  sensitive   = true
+}
+
+variable "actions_token_1" {
+  description = "Gitea Actions runner token"
+  type        = string
+  sensitive   = true
+}