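# Enable KV v2 secrets engine
resource "vault_mount" "kv" {
  path        = "secret"
  type        = "kv"
  options     = { version = "2" }
  description = "KV Version 2 secret store"
}

# Define all secrets with auto-generation support.
#
# Each entry is keyed by its KV path under the "secret" mount and takes one of
# two shapes:
#   - auto_generate = true  -> a random password is generated and written under
#                              the key "password"; password_length is optional
#                              and defaults to 32 characters.
#   - auto_generate = false -> `data` is written to Vault verbatim; the values
#                              come from input variables set outside this file.
#
# NOTE(security): every value in this map, whether generated here or supplied
# through a variable, ends up in Terraform state in plaintext. The state
# backend must be access-controlled and encrypted as if it were Vault itself.
locals {
  secrets = {
    # Example host-specific secrets
    # "hosts/ha1/mqtt-password" = {
    #   auto_generate   = true
    #   password_length = 24
    # }

    # Example service secrets
    # "services/prometheus/remote-write" = {
    #   auto_generate   = true
    #   password_length = 40
    # }

    # Example shared secrets with manual values
    # "shared/smtp/credentials" = {
    #   auto_generate = false
    #   data = {
    #     username = "notifications@2rjus.net"
    #     password = var.smtp_password # Define in variables.tf and set in terraform.tfvars
    #     server   = "smtp.gmail.com"
    #   }
    # }

    "hosts/ha1/mqtt-password" = {
      auto_generate   = true
      password_length = 24
    }

    # Shared backup password (auto-generated, add alongside existing restic key)
    "shared/backup/password" = {
      auto_generate   = true
      password_length = 32
    }

    # NATS NKey for alerttonotify
    "shared/nats/nkey" = {
      auto_generate = false
      data = {
        nkey = var.nats_nkey
      }
    }

    # PVE exporter config for monitoring02
    "hosts/monitoring02/pve-exporter" = {
      auto_generate = false
      data = {
        config = var.pve_exporter_config
      }
    }

    # DNS zone transfer key
    "shared/dns/xfer-key" = {
      auto_generate = false
      data = {
        key = var.ns_xfer_key
      }
    }

    # WireGuard private key for http-proxy
    "hosts/http-proxy/wireguard" = {
      auto_generate = false
      data = {
        private_key = var.wireguard_private_key
      }
    }

    # Nix cache signing key
    "hosts/nix-cache02/cache-secret" = {
      auto_generate = false
      data = {
        key = var.cache_signing_key_02
      }
    }

    # Homelab-deploy NKeys
    "shared/homelab-deploy/listener-nkey" = {
      auto_generate = false
      data = {
        nkey = var.homelab_deploy_listener_nkey
      }
    }

    "shared/homelab-deploy/test-deployer-nkey" = {
      auto_generate = false
      data = {
        nkey = var.homelab_deploy_test_deployer_nkey
      }
    }

    "shared/homelab-deploy/admin-deployer-nkey" = {
      auto_generate = false
      data = {
        nkey = var.homelab_deploy_admin_deployer_nkey
      }
    }

    "shared/homelab-deploy/builder-nkey" = {
      auto_generate = false
      data = {
        nkey = var.homelab_deploy_builder_nkey
      }
    }

    "shared/homelab-deploy/scheduler-nkey" = {
      auto_generate = false
      data = {
        nkey = var.homelab_deploy_scheduler_nkey
      }
    }

    # Garage S3 environment (RPC secret + admin token)
    "hosts/garage01/garage" = {
      auto_generate = false
      data = {
        env = var.garage_env
      }
    }

    # Kanidm idm_admin password
    "kanidm/idm-admin-password" = {
      auto_generate   = true
      password_length = 32
    }

    # Grafana OAuth2 client secret (for Kanidm OIDC)
    "services/grafana/oauth2-client-secret" = {
      auto_generate   = true
      password_length = 64
    }

    # OpenBao OAuth2 client secret (for Kanidm OIDC)
    "services/openbao/oauth2-client-secret" = {
      auto_generate   = true
      password_length = 64
    }

    # NKey for nixos-exporter NATS cache sharing
    "shared/nixos-exporter/nkey" = {
      auto_generate = false
      data = {
        nkey = var.nixos_exporter_nkey
      }
    }

    # Exportarr API keys for media stack monitoring
    "services/exportarr/radarr" = {
      auto_generate = false
      data = {
        api_key = var.radarr_api_key
      }
    }

    "services/exportarr/sonarr" = {
      auto_generate = false
      data = {
        api_key = var.sonarr_api_key
      }
    }

    # Bearer token for scraping apiary metrics
    "hosts/monitoring02/apiary-token" = {
      auto_generate   = true
      password_length = 64
    }

    # Forgejo runner token for nix-cache02
    "hosts/nix-cache02/forgejo-runner-token" = {
      auto_generate = false
      data = {
        token = var.forgejo_runner_token
      }
    }

    # Loki push authentication (used by Promtail on all hosts)
    "shared/loki/push-auth" = {
      auto_generate   = true
      password_length = 32
    }
  }

  # Length used when an auto_generate entry does not set password_length.
  default_password_length = 32
}

# Auto-generate passwords for secrets with auto_generate = true.
#
# Changing `length` or `special` for an existing entry replaces the
# random_password, which rotates the value written to Vault on the next
# apply; consumers of that secret must be able to pick up the new value.
resource "random_password" "auto_secrets" {
  for_each = {
    for k, v in local.secrets : k => v
    if lookup(v, "auto_generate", false)
  }

  # An entry that sets auto_generate without password_length previously failed
  # the plan with an unsupported-attribute error; fall back to the shared default.
  length  = lookup(each.value, "password_length", local.default_password_length)
  special = true
}

# Create all secrets in Vault.
#
# Generated entries are stored as { password = <result> }; manual entries are
# stored exactly as given in `data`. Only the branch selected by auto_generate
# is used, so a missing `data` on a generated entry (or a missing
# random_password on a manual one) does not affect the plan.
resource "vault_kv_secret_v2" "secrets" {
  for_each = local.secrets

  mount = vault_mount.kv.path
  name  = each.key

  data_json = jsonencode(
    lookup(each.value, "auto_generate", false)
    ? { password = random_password.auto_secrets[each.key].result }
    : each.value.data
  )
}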