vault: implement bootstrap integration

terraform/cloud-init.tf

@@ -19,14 +19,14 @@ ${each.value.flake_branch != null || each.value.vault_wrapped_token != null ? <<
   write_files:
     - path: /run/cloud-init-env
       content: |
-        %{~ if each.value.flake_branch != null ~}
+        %{~if each.value.flake_branch != null~}
         NIXOS_FLAKE_BRANCH=${each.value.flake_branch}
-        %{~ endif ~}
+        %{~endif~}
-        %{~ if each.value.vault_wrapped_token != null ~}
+        %{~if each.value.vault_wrapped_token != null~}
         VAULT_ADDR=https://vault01.home.2rjus.net:8200
         VAULT_WRAPPED_TOKEN=${each.value.vault_wrapped_token}
         VAULT_SKIP_VERIFY=1
-        %{~ endif ~}
+        %{~endif~}
       permissions: '0600'
 FILES
 : ""}

terraform/vault/hosts-generated.tf

@@ -41,8 +41,8 @@ resource "vault_approle_auth_backend_role" "generated_hosts" {
   backend            = vault_auth_backend.approle.path
   role_name          = each.key
   token_policies     = ["host-${each.key}"]
-  secret_id_ttl      = 0  # Never expire (wrapped tokens provide time limit)
+  secret_id_ttl      = 0 # Never expire (wrapped tokens provide time limit)
   token_ttl          = 3600
   token_max_ttl      = 3600
-  secret_id_num_uses = 0  # Unlimited uses
+  secret_id_num_uses = 0 # Unlimited uses
 }

terraform/vault/pki.tf

@@ -169,7 +169,7 @@ resource "vault_pki_secret_backend_cert" "static_certs" {
   ip_sans   = lookup(each.value, "ip_sans", [])
   ttl       = lookup(each.value, "ttl", "720h") # 30 days default
 
-  auto_renew = true
+  auto_renew            = true
   min_seconds_remaining = 604800 # Renew 7 days before expiry
 }
 
@@ -178,12 +178,12 @@ output "static_certificates" {
   description = "Static certificates issued by Vault PKI"
   value = {
     for k, v in vault_pki_secret_backend_cert.static_certs : k => {
-      common_name  = v.common_name
+      common_name = v.common_name
-      serial       = v.serial_number
+      serial      = v.serial_number
-      expiration   = v.expiration
+      expiration  = v.expiration
-      issuing_ca   = v.issuing_ca
+      issuing_ca  = v.issuing_ca
-      certificate  = v.certificate
+      certificate = v.certificate
-      private_key  = v.private_key
+      private_key = v.private_key
     }
   }
   sensitive = true

terraform/vault/secrets.tf

@@ -48,7 +48,7 @@ locals {
     }
     # TODO: Remove after testing
     "hosts/vaulttest01/test-service" = {
-      auto_generate = true
+      auto_generate   = true
       password_length = 32
     }
   }

terraform/vms.tf

@@ -46,11 +46,11 @@ locals {
       flake_branch = "vault-setup" # Bootstrap from this branch instead of master
     }
     "vaulttest01" = {
-      ip        = "10.69.13.150/24"
+      ip                  = "10.69.13.150/24"
-      cpu_cores = 2
+      cpu_cores           = 2
-      memory    = 2048
+      memory              = 2048
-      disk_size = "20G"
+      disk_size           = "20G"
-      flake_branch = "vault-bootstrap-integration"
+      flake_branch        = "vault-bootstrap-integration"
       vault_wrapped_token = "s.HwNenAYvXBsPs8uICh4CbE11"
     }
   }
@@ -152,7 +152,7 @@ resource "proxmox_vm_qemu" "vm" {
   # Lifecycle configuration
   lifecycle {
     ignore_changes = [
-      clone,           # Template name can change without recreating VMs
+      clone,            # Template name can change without recreating VMs
       startup_shutdown, # Proxmox sets defaults (-1) that we don't need to manage
     ]
   }