terraform: add vault pki management to terraform
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
@@ -109,7 +109,48 @@ bao read auth/approle/role/monitoring01/role-id
bao write -f auth/approle/role/monitoring01/secret-id
```

### Issue a certificate from PKI
### Issue Certificates from PKI

**Method 1: ACME (Recommended for automated services)**

First, enable ACME support:
```bash
bao write pki_int/config/acme enabled=true
```

ACME directory endpoint:
```
https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory
```

Use with ACME clients (lego, certbot, cert-manager, etc.):
```bash
# Example with lego
lego --email admin@home.2rjus.net \
--dns manual \
--server https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory \
--accept-tos \
run -d test.home.2rjus.net
```

**Method 2: Static certificates via Terraform**

Define in `pki.tf`:
```hcl
locals {
static_certificates = {
"monitoring" = {
common_name = "monitoring.home.2rjus.net"
alt_names = ["grafana.home.2rjus.net", "prometheus.home.2rjus.net"]
ttl = "720h"
}
}
}
```

Terraform will auto-issue and auto-renew these certificates.

**Method 3: Manual CLI issuance**

```bash
# Issue certificate for a host
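Review bot: "First, enable ACME support" under Method 1 skips the cluster-path prerequisite that this same commit marks as required further down in Initial Setup Steps (`bao write pki_int/config/cluster path=https://vault.home.2rjus.net:8200/v1/pki_int`); either add that line before `bao write pki_int/config/acme enabled=true` or replace the two-line snippet with a pointer to the setup section, so a reader following Method 1 does not end up with an ACME directory that is not served. The lego example should also say how the client is expected to trust the endpoint, since the notes in this commit accept self-signed certificates for this server: point lego at the downloaded root CA (for example via LEGO_CA_CERTIFICATES) rather than leaving the TLS handshake to fail. Finally, "Terraform will auto-issue and auto-renew these certificates" overstates Method 2: renewal only happens on a `terraform apply` that runs before the 720h TTL lapses, and the private key of every static certificate issued this way is written into Terraform state, so the sentence should state the required apply cadence and that the state must be protected like a key store.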
@@ -192,10 +233,48 @@ Secrets follow a three-tier hierarchy:
- `skip_tls_verify = true` is acceptable for self-signed certs in homelab
- AppRole secret_ids can be scoped to specific CIDR ranges for additional security

## Initial Setup Steps

After deploying this configuration, perform these one-time setup tasks:

### 1. Enable ACME
```bash
export BAO_ADDR='https://vault.home.2rjus.net:8200'
export BAO_TOKEN='your-root-token'
export BAO_SKIP_VERIFY=1

# Configure cluster path (required for ACME)
bao write pki_int/config/cluster path=https://vault.home.2rjus.net:8200/v1/pki_int

# Enable ACME on intermediate CA
bao write pki_int/config/acme enabled=true

# Verify ACME is enabled
curl -k https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory
```

### 2. Download Root CA Certificate

For trusting the internal CA on clients:
```bash
# Download root CA certificate
bao read -field=certificate pki/cert/ca > homelab-root-ca.crt

# Install on NixOS hosts (add to system/default.nix or similar)
security.pki.certificateFiles = [ ./homelab-root-ca.crt ];
```

### 3. Test Certificate Issuance

```bash
# Manual test
bao write pki_int/issue/homelab common_name="test.home.2rjus.net" ttl="24h"
```

## Next Steps

1. Add more AppRoles for different host types
2. Create policies for different service tiers
1. Replace step-ca ACME endpoint with OpenBao in `system/acme.nix`
2. Add more AppRoles for different host types
3. Migrate existing sops-nix secrets to OpenBao KV
4. Enable ACME support on PKI intermediate CA (OpenBao 2.0+)
5. Set up SSH CA for host and user certificates
4. Set up SSH CA for host and user certificates
5. Configure auto-unseal for vault01

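Review bot: the "Enable ACME" block exports a root token (`export BAO_TOKEN='your-root-token'`) and disables TLS verification (`export BAO_SKIP_VERIFY=1`, `curl -k`) for a task that only needs write access under `pki_int/config/`; suggest doing it with a token issued from a narrowly scoped policy, revoking the root token once setup is complete, and dropping the skip-verify flags as soon as step 2's `homelab-root-ca.crt` is installed, otherwise the one-time setup teaches exactly the habit the "acceptable for self-signed certs in homelab" note above only tolerates. Separately, the Next Steps list is inconsistent after this change: item 4 "Enable ACME support on PKI intermediate CA (OpenBao 2.0+)" is already performed by the "### 1. Enable ACME" section added in this hunk, "Set up SSH CA for host and user certificates" appears twice (numbered 5 and 4), and the numbering restarts at 1 in the middle of the list; remove the completed and duplicate entries and renumber.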