Torjus Håkestad
536daee4c7
Some checks failed
Run nix flake check / flake-check (push) Failing after 1s
- Remove hosts/template/ (legacy template1) and give each legacy host its own hardware-configuration.nix copy - Recreate ns2 using create-host with template2 base - Add secondary DNS services (NSD + Unbound resolver) - Configure Vault policy for shared DNS secrets - Fix create-host IP uniqueness validator to check CIDR notation (prevents false positives from DNS resolver entries) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
141 lines
2.9 KiB
HCL
141 lines
2.9 KiB
HCL
# Enable AppRole auth backend
|
|
resource "vault_auth_backend" "approle" {
|
|
type = "approle"
|
|
path = "approle"
|
|
}
|
|
|
|
# Shared policy for homelab-deploy (all hosts need this for NATS-based deployments)
|
|
resource "vault_policy" "homelab_deploy" {
|
|
name = "homelab-deploy"
|
|
|
|
policy = <<EOT
|
|
path "secret/data/shared/homelab-deploy/*" {
|
|
capabilities = ["read", "list"]
|
|
}
|
|
EOT
|
|
}
|
|
|
|
# Define host access policies
|
|
locals {
|
|
host_policies = {
|
|
# Example: monitoring01 host
|
|
# "monitoring01" = {
|
|
# paths = [
|
|
# "secret/data/hosts/monitoring01/*",
|
|
# "secret/data/services/prometheus/*",
|
|
# "secret/data/services/grafana/*",
|
|
# "secret/data/shared/smtp/*"
|
|
# ]
|
|
# extra_policies = ["some-other-policy"] # Optional: additional policies
|
|
# }
|
|
|
|
# Example: ha1 host
|
|
# "ha1" = {
|
|
# paths = [
|
|
# "secret/data/hosts/ha1/*",
|
|
# "secret/data/shared/mqtt/*"
|
|
# ]
|
|
# }
|
|
|
|
"ha1" = {
|
|
paths = [
|
|
"secret/data/hosts/ha1/*",
|
|
"secret/data/shared/backup/*",
|
|
]
|
|
}
|
|
|
|
"monitoring01" = {
|
|
paths = [
|
|
"secret/data/hosts/monitoring01/*",
|
|
"secret/data/shared/backup/*",
|
|
"secret/data/shared/nats/*",
|
|
]
|
|
extra_policies = ["prometheus-metrics"]
|
|
}
|
|
|
|
# Wave 1: hosts with no service secrets (only need vault.enable for future use)
|
|
"nats1" = {
|
|
paths = [
|
|
"secret/data/hosts/nats1/*",
|
|
]
|
|
}
|
|
|
|
"jelly01" = {
|
|
paths = [
|
|
"secret/data/hosts/jelly01/*",
|
|
]
|
|
}
|
|
|
|
"pgdb1" = {
|
|
paths = [
|
|
"secret/data/hosts/pgdb1/*",
|
|
]
|
|
}
|
|
|
|
# Wave 3: DNS servers
|
|
"ns1" = {
|
|
paths = [
|
|
"secret/data/hosts/ns1/*",
|
|
"secret/data/shared/dns/*",
|
|
]
|
|
}
|
|
|
|
# Wave 4: http-proxy
|
|
"http-proxy" = {
|
|
paths = [
|
|
"secret/data/hosts/http-proxy/*",
|
|
]
|
|
}
|
|
|
|
# Wave 5: nix-cache01
|
|
"nix-cache01" = {
|
|
paths = [
|
|
"secret/data/hosts/nix-cache01/*",
|
|
]
|
|
}
|
|
|
|
# vault01: Vault server itself (fetches secrets from itself)
|
|
"vault01" = {
|
|
paths = [
|
|
"secret/data/hosts/vault01/*",
|
|
]
|
|
}
|
|
|
|
}
|
|
}
|
|
|
|
# Generate policies for each host
|
|
resource "vault_policy" "host_policies" {
|
|
for_each = local.host_policies
|
|
|
|
name = "${each.key}-policy"
|
|
|
|
policy = <<EOT
|
|
%{~for path in each.value.paths~}
|
|
path "${path}" {
|
|
capabilities = ["read", "list"]
|
|
}
|
|
%{~endfor~}
|
|
EOT
|
|
}
|
|
|
|
# Generate AppRoles for each host
|
|
resource "vault_approle_auth_backend_role" "hosts" {
|
|
for_each = local.host_policies
|
|
|
|
backend = vault_auth_backend.approle.path
|
|
role_name = each.key
|
|
token_policies = concat(
|
|
["${each.key}-policy", "homelab-deploy"],
|
|
lookup(each.value, "extra_policies", [])
|
|
)
|
|
|
|
# Token configuration
|
|
token_ttl = 3600 # 1 hour
|
|
token_max_ttl = 86400 # 24 hours
|
|
|
|
# Security settings
|
|
bind_secret_id = true
|
|
secret_id_ttl = 0 # Never expire (we'll rotate manually)
|
|
}
|