nixos-servers/terraform/vault/policies.tf

# Generic policies for services (not host-specific)

resource "vault_policy" "prometheus_metrics" {
  name = "prometheus-metrics"
  policy = <<EOT
path "sys/metrics" {
  capabilities = ["read"]
}
EOT
}

# Long-lived token for Prometheus to scrape OpenBao metrics
resource "vault_token" "prometheus_metrics" {
  policies  = [vault_policy.prometheus_metrics.name]
  ttl       = "8760h" # 1 year
  renewable = true

  metadata = {
    purpose = "prometheus-metrics-scraping"
  }
}