# WARNING: Auto-generated by create-host tool
# Manual edits will be overwritten when create-host is run

# Generated host policies
# Each host gets access to its own secrets under secret/data/hosts/<hostname>/*
# (KV path as used by the policies below), plus any shared/service paths listed
# for that host. Hosts that should mount the same shared secrets (e.g. the DNS
# pair ns1/ns2) get the shared path repeated per host rather than a shared group.
locals {
  generated_host_policies = {
    "testvm01" = {
      paths = [
        "secret/data/hosts/testvm01/*",
      ]
    }
    "testvm02" = {
      paths = [
        "secret/data/hosts/testvm02/*",
      ]
    }
    "testvm03" = {
      paths = [
        "secret/data/hosts/testvm03/*",
      ]
    }
    "ns2" = {
      paths = [
        "secret/data/hosts/ns2/*",
        "secret/data/shared/dns/*",
      ]
    }
    "ns1" = {
      paths = [
        "secret/data/hosts/ns1/*",
        "secret/data/shared/dns/*",
        "secret/data/shared/homelab-deploy/*",
      ]
    }
    "nix-cache02" = {
      paths = [
        "secret/data/hosts/nix-cache02/*",
        "secret/data/shared/homelab-deploy/*",
      ]
    }
    "garage01" = {
      paths = [
        "secret/data/hosts/garage01/*",
      ]
    }
    # monitoring02 is the only host with both service-level paths and an extra
    # Vault policy; extra_policies is optional and read with lookup() below.
    "monitoring02" = {
      paths = [
        "secret/data/hosts/monitoring02/*",
        "secret/data/services/grafana/*",
        "secret/data/services/exportarr/*",
        "secret/data/shared/nats/nkey",
      ]
      extra_policies = ["prometheus-metrics"]
    }
    "pn01" = {
      paths = [
        "secret/data/hosts/pn01/*",
      ]
    }
    "pn02" = {
      paths = [
        "secret/data/hosts/pn02/*",
      ]
    }
    "media1" = {
      paths = [
        "secret/data/hosts/media1/*",
      ]
    }
  }

  # Placeholder secrets - user should add actual secrets manually or via tofu
  # (currently empty; nothing in this file consumes it).
  generated_secrets = {
  }
}

# Create policies for generated hosts
# One vault_policy per host, named "host-<hostname>", granting read+list on
# every path listed for that host in local.generated_host_policies.
# NOTE(review): the paths use the KV v2 "secret/data/..." form; in KV v2 the
# "list" capability is evaluated against "secret/metadata/..." paths, so the
# "list" granted here is effectively unused unless a matching metadata path
# exists elsewhere — confirm whether listing is actually needed by the hosts.
resource "vault_policy" "generated_host_policies" {
  for_each = local.generated_host_policies
  name     = "host-${each.key}"
  # The "~" on the template directives strips the surrounding newline so the
  # rendered policy does not contain blank lines between path blocks.
  policy = <<-EOT
    # Allow host to read its own secrets
    %{for path in each.value.paths~}
    path "${path}" {
      capabilities = ["read", "list"]
    }
    %{endfor~}
  EOT
}

# Create AppRoles for generated hosts
# One AppRole per host on the shared approle auth backend (defined elsewhere
# in this module as vault_auth_backend.approle). Tokens issued to a host carry
# its own "host-<hostname>" policy plus the shared policies below, plus any
# extra_policies declared for that host.
resource "vault_approle_auth_backend_role" "generated_hosts" {
  for_each  = local.generated_host_policies
  backend   = vault_auth_backend.approle.path
  role_name = each.key
  # NOTE(review): homelab-deploy, nixos-exporter and loki-push are attached to
  # every host role unconditionally, not only to hosts that list a matching
  # secret path above; confirm those policies are scoped narrowly enough for
  # every host (least privilege), since their contents are defined elsewhere.
  token_policies = concat(
    ["host-${each.key}", "homelab-deploy", "nixos-exporter", "loki-push"],
    lookup(each.value, "extra_policies", []) # optional per-host extras
  )
  # SecretIDs never expire and may be used any number of times; the only time
  # bound is the response-wrapping TTL used when the SecretID is delivered.
  # NOTE(review): a SecretID that leaks after delivery therefore stays valid
  # until explicitly revoked, and no secret_id_bound_cidrs is set here —
  # verify that the delivery/rotation process (create-host) accounts for this.
  secret_id_ttl = 0 # Never expire (wrapped tokens provide time limit)
  # Issued tokens live for one hour and cannot be renewed past one hour.
  token_ttl          = 3600
  token_max_ttl      = 3600
  secret_id_num_uses = 0 # Unlimited uses
}