torjus/nixos-servers
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
1942591d2e90b4bb8a06b740e7dd032f7afe6ad7
nixos-servers/terraform/vault/secrets.tf
Torjus Håkestad 1942591d2e
Some checks failed
Run nix flake check / flake-check (push) Failing after 12m52s
Details
monitoring: add apiary metrics scraping with bearer token auth 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 16:36:26 +01:00

183 lines
4.7 KiB
HCL
Raw Blame History

# Enable KV v2 secrets engine
resource "vault_mount" "kv" {
path = "secret"
type = "kv"
options = { version = "2" }
description = "KV Version 2 secret store"
}
# Define all secrets with auto-generation support
locals {
secrets = {
# Example host-specific secrets
# "hosts/monitoring01/grafana-admin" = {
# auto_generate = true
# password_length = 32
# }
# "hosts/ha1/mqtt-password" = {
# auto_generate = true
# password_length = 24
# }
# Example service secrets
# "services/prometheus/remote-write" = {
# auto_generate = true
# password_length = 40
# }
# Example shared secrets with manual values
# "shared/smtp/credentials" = {
# auto_generate = false
# data = {
# username = "notifications@2rjus.net"
# password = var.smtp_password # Define in variables.tf and set in terraform.tfvars
# server = "smtp.gmail.com"
# }
# }
"hosts/monitoring01/grafana-admin" = {
auto_generate = true
password_length = 32
}
"hosts/ha1/mqtt-password" = {
auto_generate = true
password_length = 24
}
# Shared backup password (auto-generated, add alongside existing restic key)
"shared/backup/password" = {
auto_generate = true
password_length = 32
}
# NATS NKey for alerttonotify
"shared/nats/nkey" = {
auto_generate = false
data = { nkey = var.nats_nkey }
}
# PVE exporter config for monitoring01
"hosts/monitoring01/pve-exporter" = {
auto_generate = false
data = { config = var.pve_exporter_config }
}
# DNS zone transfer key
"shared/dns/xfer-key" = {
auto_generate = false
data = { key = var.ns_xfer_key }
}
# WireGuard private key for http-proxy
"hosts/http-proxy/wireguard" = {
auto_generate = false
data = { private_key = var.wireguard_private_key }
}
# Nix cache signing key
"hosts/nix-cache02/cache-secret" = {
auto_generate = false
data = { key = var.cache_signing_key_02 }
}
# Homelab-deploy NKeys
"shared/homelab-deploy/listener-nkey" = {
auto_generate = false
data = { nkey = var.homelab_deploy_listener_nkey }
}
"shared/homelab-deploy/test-deployer-nkey" = {
auto_generate = false
data = { nkey = var.homelab_deploy_test_deployer_nkey }
}
"shared/homelab-deploy/admin-deployer-nkey" = {
auto_generate = false
data = { nkey = var.homelab_deploy_admin_deployer_nkey }
}
"shared/homelab-deploy/builder-nkey" = {
auto_generate = false
data = { nkey = var.homelab_deploy_builder_nkey }
}
"shared/homelab-deploy/scheduler-nkey" = {
auto_generate = false
data = { nkey = var.homelab_deploy_scheduler_nkey }
}
# Garage S3 environment (RPC secret + admin token)
"hosts/garage01/garage" = {
auto_generate = false
data = { env = var.garage_env }
}
# Kanidm idm_admin password
"kanidm/idm-admin-password" = {
auto_generate = true
password_length = 32
}
# Grafana OAuth2 client secret (for Kanidm OIDC)
"services/grafana/oauth2-client-secret" = {
auto_generate = true
password_length = 64
}
# OpenBao OAuth2 client secret (for Kanidm OIDC)
"services/openbao/oauth2-client-secret" = {
auto_generate = true
password_length = 64
}
# NKey for nixos-exporter NATS cache sharing
"shared/nixos-exporter/nkey" = {
auto_generate = false
data = { nkey = var.nixos_exporter_nkey }
}
# Exportarr API keys for media stack monitoring
"services/exportarr/radarr" = {
auto_generate = false
data = { api_key = var.radarr_api_key }
}
"services/exportarr/sonarr" = {
auto_generate = false
data = { api_key = var.sonarr_api_key }
}
# Bearer token for scraping apiary metrics
"hosts/monitoring01/apiary-token" = {
auto_generate = true
password_length = 64
}
}
}
# Auto-generate passwords for secrets with auto_generate = true
resource "random_password" "auto_secrets" {
for_each = {
for k, v in local.secrets : k => v
if lookup(v, "auto_generate", false)
}
length = each.value.password_length
special = true
}
# Create all secrets in Vault
resource "vault_kv_secret_v2" "secrets" {
for_each = local.secrets
mount = vault_mount.kv.path
name = each.key
data_json = jsonencode(
lookup(each.value, "auto_generate", false)
? { password = random_password.auto_secrets[each.key].result }
: each.value.data
)
}
Reference in New Issue View Git Blame Copy Permalink