nixos-servers/terraform/vault/approle.tf

# Enable AppRole auth backend
resource "vault_auth_backend" "approle" {
  type = "approle"
  path = "approle"
}

# Shared policy for homelab-deploy (all hosts need this for NATS-based deployments)
resource "vault_policy" "homelab_deploy" {
  name = "homelab-deploy"

  policy = <<EOT
path "secret/data/shared/homelab-deploy/*" {
  capabilities = ["read", "list"]
}
EOT
}

# Shared policy for nixos-exporter NATS cache sharing
resource "vault_policy" "nixos_exporter" {
  name = "nixos-exporter"

  policy = <<EOT
path "secret/data/shared/nixos-exporter/*" {
  capabilities = ["read", "list"]
}
EOT
}

# Shared policy for Loki push authentication (all hosts push logs)
resource "vault_policy" "loki_push" {
  name = "loki-push"

  policy = <<EOT
path "secret/data/shared/loki/*" {
  capabilities = ["read", "list"]
}
EOT
}

# Define host access policies
locals {
  host_policies = {
    # Example:
    # "ha1" = {
    #   paths = [
    #     "secret/data/hosts/ha1/*",
    #     "secret/data/shared/mqtt/*"
    #   ]
    #   extra_policies = ["some-other-policy"]  # Optional: additional policies
    # }

    "ha1" = {
      paths = [
        "secret/data/hosts/ha1/*",
        "secret/data/shared/backup/*",
      ]
    }

    # Wave 1: hosts with no service secrets (only need vault.enable for future use)
    "nats1" = {
      paths = [
        "secret/data/hosts/nats1/*",
      ]
    }

    "jelly01" = {
      paths = [
        "secret/data/hosts/jelly01/*",
      ]
    }

    # Wave 3: DNS servers (managed in hosts-generated.tf)

    # Wave 4: http-proxy
    "http-proxy" = {
      paths = [
        "secret/data/hosts/http-proxy/*",
      ]
    }

    # vault01: Vault server itself (fetches secrets from itself)
    "vault01" = {
      paths = [
        "secret/data/hosts/vault01/*",
      ]
    }

    # kanidm01: Kanidm identity provider
    "kanidm01" = {
      paths = [
        "secret/data/hosts/kanidm01/*",
        "secret/data/kanidm/*",
        "secret/data/services/grafana/*",
        "secret/data/services/openbao/*",
      ]
    }

  }
}

# Generate policies for each host
resource "vault_policy" "host_policies" {
  for_each = local.host_policies

  name = "${each.key}-policy"

  policy = <<EOT
%{~for path in each.value.paths~}
path "${path}" {
  capabilities = ["read", "list"]
}
%{~endfor~}
EOT
}

# Generate AppRoles for each host
resource "vault_approle_auth_backend_role" "hosts" {
  for_each = local.host_policies

  backend   = vault_auth_backend.approle.path
  role_name = each.key
  token_policies = concat(
    ["${each.key}-policy", "homelab-deploy", "nixos-exporter", "loki-push"],
    lookup(each.value, "extra_policies", [])
  )

  # Token configuration
  token_ttl     = 3600  # 1 hour
  token_max_ttl = 86400 # 24 hours

  # Security settings
  bind_secret_id = true
  secret_id_ttl  = 0 # Never expire (we'll rotate manually)
}