secrets: migrate all hosts from sops to OpenBao vault

Replace sops-nix secrets with OpenBao vault secrets across all hosts. Hardcode root password hash, add extractKey option to vault-secrets module, update Terraform with secrets/policies for all hosts, and create AppRole provisioning playbook. Hosts migrated: ha1, monitoring01, ns1, ns2, http-proxy, nix-cache01 Wave 1 hosts (nats1, jelly01, pgdb1) get AppRole policies only. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 18:43:09 +01:00
parent 4d33018285
commit 0700033c0a
20 changed files with 393 additions and 44 deletions
--- a/terraform/vault/secrets.tf
+++ b/terraform/vault/secrets.tf
@@ -35,22 +35,63 @@ locals {
    #   }
    # }

-    # TODO: actually use the secret
    "hosts/monitoring01/grafana-admin" = {
      auto_generate   = true
      password_length = 32
    }

-    # TODO: actually use the secret
    "hosts/ha1/mqtt-password" = {
      auto_generate   = true
      password_length = 24
    }
+
    # TODO: Remove after testing
    "hosts/vaulttest01/test-service" = {
      auto_generate   = true
      password_length = 32
    }
+
+    # Shared backup password
+    "shared/backup/password" = {
+      auto_generate = false
+      data          = { password = var.backup_helper_secret }
+    }
+
+    # NATS NKey for alerttonotify
+    "shared/nats/nkey" = {
+      auto_generate = false
+      data          = { nkey = var.nats_nkey }
+    }
+
+    # PVE exporter config for monitoring01
+    "hosts/monitoring01/pve-exporter" = {
+      auto_generate = false
+      data          = { config = var.pve_exporter_config }
+    }
+
+    # DNS zone transfer key
+    "shared/dns/xfer-key" = {
+      auto_generate = false
+      data          = { key = var.ns_xfer_key }
+    }
+
+    # WireGuard private key for http-proxy
+    "hosts/http-proxy/wireguard" = {
+      auto_generate = false
+      data          = { private_key = var.wireguard_private_key }
+    }
+
+    # Nix cache signing key
+    "hosts/nix-cache01/cache-secret" = {
+      auto_generate = false
+      data          = { key = var.cache_signing_key }
+    }
+
+    # Gitea Actions runner token
+    "hosts/nix-cache01/actions-token" = {
+      auto_generate = false
+      data          = { token = var.actions_token_1 }
+    }
  }
 }