Torjus Håkestad
0700033c0a
Replace sops-nix secrets with OpenBao vault secrets across all hosts. Hardcode root password hash, add extractKey option to vault-secrets module, update Terraform with secrets/policies for all hosts, and create AppRole provisioning playbook. Hosts migrated: ha1, monitoring01, ns1, ns2, http-proxy, nix-cache01 Wave 1 hosts (nats1, jelly01, pgdb1) get AppRole policies only. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
60 lines
1.3 KiB
HCL
60 lines
1.3 KiB
HCL
variable "vault_address" {
|
|
description = "OpenBao server address"
|
|
type = string
|
|
default = "https://vault01.home.2rjus.net:8200"
|
|
}
|
|
|
|
variable "vault_token" {
|
|
description = "OpenBao root or admin token"
|
|
type = string
|
|
sensitive = true
|
|
}
|
|
|
|
variable "vault_skip_tls_verify" {
|
|
description = "Skip TLS verification (for self-signed certs)"
|
|
type = bool
|
|
default = true
|
|
}
|
|
|
|
variable "backup_helper_secret" {
|
|
description = "Backup helper password (shared across hosts)"
|
|
type = string
|
|
sensitive = true
|
|
}
|
|
|
|
variable "nats_nkey" {
|
|
description = "NATS NKey for alerttonotify"
|
|
type = string
|
|
sensitive = true
|
|
}
|
|
|
|
variable "pve_exporter_config" {
|
|
description = "PVE exporter YAML configuration"
|
|
type = string
|
|
sensitive = true
|
|
}
|
|
|
|
variable "ns_xfer_key" {
|
|
description = "DNS zone transfer TSIG key"
|
|
type = string
|
|
sensitive = true
|
|
}
|
|
|
|
variable "wireguard_private_key" {
|
|
description = "WireGuard private key for http-proxy"
|
|
type = string
|
|
sensitive = true
|
|
}
|
|
|
|
variable "cache_signing_key" {
|
|
description = "Nix binary cache signing key"
|
|
type = string
|
|
sensitive = true
|
|
}
|
|
|
|
variable "actions_token_1" {
|
|
description = "Gitea Actions runner token"
|
|
type = string
|
|
sensitive = true
|
|
}
|