vault: implement bootstrap integration

2026-02-03 00:54:31 +01:00
5 changed files with 21 additions and 21 deletions
--- a/terraform/cloud-init.tf
+++ b/terraform/cloud-init.tf
@@ -19,14 +19,14 @@ ${each.value.flake_branch != null || each.value.vault_wrapped_token != null ? <<
  write_files:
    - path: /run/cloud-init-env
      content: |
-        %{~if each.value.flake_branch != null~}
+        %{~ if each.value.flake_branch != null ~}
        NIXOS_FLAKE_BRANCH=${each.value.flake_branch}
-        %{~endif~}
-        %{~if each.value.vault_wrapped_token != null~}
+        %{~ endif ~}
+        %{~ if each.value.vault_wrapped_token != null ~}
        VAULT_ADDR=https://vault01.home.2rjus.net:8200
        VAULT_WRAPPED_TOKEN=${each.value.vault_wrapped_token}
        VAULT_SKIP_VERIFY=1
-        %{~endif~}
+        %{~ endif ~}
      permissions: '0600'
 FILES
 : ""}
--- a/terraform/vault/hosts-generated.tf
+++ b/terraform/vault/hosts-generated.tf
@@ -10,7 +10,7 @@ locals {
        "secret/data/hosts/vaulttest01/*",
      ]
    }
-
+  
  }

  # Placeholder secrets - user should add actual secrets manually or via tofu
@@ -41,8 +41,8 @@ resource "vault_approle_auth_backend_role" "generated_hosts" {
  backend            = vault_auth_backend.approle.path
  role_name          = each.key
  token_policies     = ["host-${each.key}"]
-  secret_id_ttl      = 0 # Never expire (wrapped tokens provide time limit)
+  secret_id_ttl      = 0  # Never expire (wrapped tokens provide time limit)
  token_ttl          = 3600
  token_max_ttl      = 3600
-  secret_id_num_uses = 0 # Unlimited uses
+  secret_id_num_uses = 0  # Unlimited uses
 }
--- a/terraform/vault/pki.tf
+++ b/terraform/vault/pki.tf
@@ -169,7 +169,7 @@ resource "vault_pki_secret_backend_cert" "static_certs" {
  ip_sans   = lookup(each.value, "ip_sans", [])
  ttl       = lookup(each.value, "ttl", "720h") # 30 days default

-  auto_renew            = true
+  auto_renew = true
  min_seconds_remaining = 604800 # Renew 7 days before expiry
 }

@@ -178,12 +178,12 @@ output "static_certificates" {
  description = "Static certificates issued by Vault PKI"
  value = {
    for k, v in vault_pki_secret_backend_cert.static_certs : k => {
-      common_name = v.common_name
-      serial      = v.serial_number
-      expiration  = v.expiration
-      issuing_ca  = v.issuing_ca
-      certificate = v.certificate
-      private_key = v.private_key
+      common_name  = v.common_name
+      serial       = v.serial_number
+      expiration   = v.expiration
+      issuing_ca   = v.issuing_ca
+      certificate  = v.certificate
+      private_key  = v.private_key
    }
  }
  sensitive = true
--- a/terraform/vault/secrets.tf
+++ b/terraform/vault/secrets.tf
@@ -48,7 +48,7 @@ locals {
    }
    # TODO: Remove after testing
    "hosts/vaulttest01/test-service" = {
-      auto_generate   = true
+      auto_generate = true
      password_length = 32
    }
  }
--- a/terraform/vms.tf
+++ b/terraform/vms.tf
@@ -46,11 +46,11 @@ locals {
      flake_branch = "vault-setup" # Bootstrap from this branch instead of master
    }
    "vaulttest01" = {
-      ip                  = "10.69.13.150/24"
-      cpu_cores           = 2
-      memory              = 2048
-      disk_size           = "20G"
-      flake_branch        = "vault-bootstrap-integration"
+      ip        = "10.69.13.150/24"
+      cpu_cores = 2
+      memory    = 2048
+      disk_size = "20G"
+      flake_branch = "vault-bootstrap-integration"
      vault_wrapped_token = "s.HwNenAYvXBsPs8uICh4CbE11"
    }
  }
@@ -152,7 +152,7 @@ resource "proxmox_vm_qemu" "vm" {
  # Lifecycle configuration
  lifecycle {
    ignore_changes = [
-      clone,            # Template name can change without recreating VMs
+      clone,           # Template name can change without recreating VMs
      startup_shutdown, # Proxmox sets defaults (-1) that we don't need to manage
    ]
  }