homelab: add deploy.enable option with assertion
- Add homelab.deploy.enable option (requires vault.enable) - Create shared homelab-deploy Vault policy for all hosts - Enable homelab.deploy on all vault-enabled hosts Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
@@ -4,6 +4,17 @@ resource "vault_auth_backend" "approle" {
|
||||
path = "approle"
|
||||
}
|
||||
|
||||
# Shared policy for homelab-deploy (all hosts need this for NATS-based deployments)
|
||||
resource "vault_policy" "homelab_deploy" {
|
||||
name = "homelab-deploy"
|
||||
|
||||
policy = <<EOT
|
||||
path "secret/data/shared/homelab-deploy/*" {
|
||||
capabilities = ["read", "list"]
|
||||
}
|
||||
EOT
|
||||
}
|
||||
|
||||
# Define host access policies
|
||||
locals {
|
||||
host_policies = {
|
||||
@@ -30,7 +41,6 @@ locals {
|
||||
paths = [
|
||||
"secret/data/hosts/ha1/*",
|
||||
"secret/data/shared/backup/*",
|
||||
"secret/data/shared/homelab-deploy/*",
|
||||
]
|
||||
}
|
||||
|
||||
@@ -39,7 +49,6 @@ locals {
|
||||
"secret/data/hosts/monitoring01/*",
|
||||
"secret/data/shared/backup/*",
|
||||
"secret/data/shared/nats/*",
|
||||
"secret/data/shared/homelab-deploy/*",
|
||||
]
|
||||
extra_policies = ["prometheus-metrics"]
|
||||
}
|
||||
@@ -48,21 +57,18 @@ locals {
|
||||
"nats1" = {
|
||||
paths = [
|
||||
"secret/data/hosts/nats1/*",
|
||||
"secret/data/shared/homelab-deploy/*",
|
||||
]
|
||||
}
|
||||
|
||||
"jelly01" = {
|
||||
paths = [
|
||||
"secret/data/hosts/jelly01/*",
|
||||
"secret/data/shared/homelab-deploy/*",
|
||||
]
|
||||
}
|
||||
|
||||
"pgdb1" = {
|
||||
paths = [
|
||||
"secret/data/hosts/pgdb1/*",
|
||||
"secret/data/shared/homelab-deploy/*",
|
||||
]
|
||||
}
|
||||
|
||||
@@ -71,7 +77,6 @@ locals {
|
||||
paths = [
|
||||
"secret/data/hosts/ns1/*",
|
||||
"secret/data/shared/dns/*",
|
||||
"secret/data/shared/homelab-deploy/*",
|
||||
]
|
||||
}
|
||||
|
||||
@@ -79,7 +84,6 @@ locals {
|
||||
paths = [
|
||||
"secret/data/hosts/ns2/*",
|
||||
"secret/data/shared/dns/*",
|
||||
"secret/data/shared/homelab-deploy/*",
|
||||
]
|
||||
}
|
||||
|
||||
@@ -87,7 +91,6 @@ locals {
|
||||
"http-proxy" = {
|
||||
paths = [
|
||||
"secret/data/hosts/http-proxy/*",
|
||||
"secret/data/shared/homelab-deploy/*",
|
||||
]
|
||||
}
|
||||
|
||||
@@ -95,14 +98,12 @@ locals {
|
||||
"nix-cache01" = {
|
||||
paths = [
|
||||
"secret/data/hosts/nix-cache01/*",
|
||||
"secret/data/shared/homelab-deploy/*",
|
||||
]
|
||||
}
|
||||
|
||||
"vaulttest01" = {
|
||||
paths = [
|
||||
"secret/data/hosts/vaulttest01/*",
|
||||
"secret/data/shared/homelab-deploy/*",
|
||||
]
|
||||
}
|
||||
}
|
||||
@@ -130,7 +131,7 @@ resource "vault_approle_auth_backend_role" "hosts" {
|
||||
backend = vault_auth_backend.approle.path
|
||||
role_name = each.key
|
||||
token_policies = concat(
|
||||
["${each.key}-policy"],
|
||||
["${each.key}-policy", "homelab-deploy"],
|
||||
lookup(each.value, "extra_policies", [])
|
||||
)
|
||||
|
||||
|
||||
Reference in New Issue
Block a user