Torjus Håkestad
6184f4cbbb
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
- Switch vmalert from blackhole mode to sending alerts to local Alertmanager - Import alerttonotify service so alerts route to NATS notifications - Move alertmanager and grafana CNAMEs from http-proxy to monitoring02 - Add monitoring CNAME to monitoring02 - Add Caddy reverse proxy entries for alertmanager and grafana - Remove prometheus, alertmanager, and grafana Caddy entries from http-proxy (now served directly by monitoring02) - Move monitoring02 Vault AppRole to hosts-generated.tf with extra_policies support and prometheus-metrics policy - Update Promtail to use authenticated loki.home.2rjus.net endpoint only (remove unauthenticated monitoring01 client) - Update pipe-to-loki and bootstrap to use loki.home.2rjus.net with basic auth from Vault secret - Update migration plan with current status Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
155 lines
3.3 KiB
HCL
155 lines
3.3 KiB
HCL
# Enable AppRole auth backend
|
|
resource "vault_auth_backend" "approle" {
|
|
type = "approle"
|
|
path = "approle"
|
|
}
|
|
|
|
# Shared policy for homelab-deploy (all hosts need this for NATS-based deployments)
|
|
resource "vault_policy" "homelab_deploy" {
|
|
name = "homelab-deploy"
|
|
|
|
policy = <<EOT
|
|
path "secret/data/shared/homelab-deploy/*" {
|
|
capabilities = ["read", "list"]
|
|
}
|
|
EOT
|
|
}
|
|
|
|
# Shared policy for nixos-exporter NATS cache sharing
|
|
resource "vault_policy" "nixos_exporter" {
|
|
name = "nixos-exporter"
|
|
|
|
policy = <<EOT
|
|
path "secret/data/shared/nixos-exporter/*" {
|
|
capabilities = ["read", "list"]
|
|
}
|
|
EOT
|
|
}
|
|
|
|
# Shared policy for Loki push authentication (all hosts push logs)
|
|
resource "vault_policy" "loki_push" {
|
|
name = "loki-push"
|
|
|
|
policy = <<EOT
|
|
path "secret/data/shared/loki/*" {
|
|
capabilities = ["read", "list"]
|
|
}
|
|
EOT
|
|
}
|
|
|
|
# Define host access policies
|
|
locals {
|
|
host_policies = {
|
|
# Example: monitoring01 host
|
|
# "monitoring01" = {
|
|
# paths = [
|
|
# "secret/data/hosts/monitoring01/*",
|
|
# "secret/data/services/prometheus/*",
|
|
# "secret/data/services/grafana/*",
|
|
# "secret/data/shared/smtp/*"
|
|
# ]
|
|
# extra_policies = ["some-other-policy"] # Optional: additional policies
|
|
# }
|
|
|
|
# Example: ha1 host
|
|
# "ha1" = {
|
|
# paths = [
|
|
# "secret/data/hosts/ha1/*",
|
|
# "secret/data/shared/mqtt/*"
|
|
# ]
|
|
# }
|
|
|
|
"ha1" = {
|
|
paths = [
|
|
"secret/data/hosts/ha1/*",
|
|
"secret/data/shared/backup/*",
|
|
]
|
|
}
|
|
|
|
"monitoring01" = {
|
|
paths = [
|
|
"secret/data/hosts/monitoring01/*",
|
|
"secret/data/shared/backup/*",
|
|
"secret/data/shared/nats/*",
|
|
"secret/data/services/exportarr/*",
|
|
]
|
|
extra_policies = ["prometheus-metrics"]
|
|
}
|
|
|
|
# Wave 1: hosts with no service secrets (only need vault.enable for future use)
|
|
"nats1" = {
|
|
paths = [
|
|
"secret/data/hosts/nats1/*",
|
|
]
|
|
}
|
|
|
|
"jelly01" = {
|
|
paths = [
|
|
"secret/data/hosts/jelly01/*",
|
|
]
|
|
}
|
|
|
|
# Wave 3: DNS servers (managed in hosts-generated.tf)
|
|
|
|
# Wave 4: http-proxy
|
|
"http-proxy" = {
|
|
paths = [
|
|
"secret/data/hosts/http-proxy/*",
|
|
]
|
|
}
|
|
|
|
# vault01: Vault server itself (fetches secrets from itself)
|
|
"vault01" = {
|
|
paths = [
|
|
"secret/data/hosts/vault01/*",
|
|
]
|
|
}
|
|
|
|
# kanidm01: Kanidm identity provider
|
|
"kanidm01" = {
|
|
paths = [
|
|
"secret/data/hosts/kanidm01/*",
|
|
"secret/data/kanidm/*",
|
|
"secret/data/services/grafana/*",
|
|
"secret/data/services/openbao/*",
|
|
]
|
|
}
|
|
|
|
}
|
|
}
|
|
|
|
# Generate policies for each host
|
|
resource "vault_policy" "host_policies" {
|
|
for_each = local.host_policies
|
|
|
|
name = "${each.key}-policy"
|
|
|
|
policy = <<EOT
|
|
%{~for path in each.value.paths~}
|
|
path "${path}" {
|
|
capabilities = ["read", "list"]
|
|
}
|
|
%{~endfor~}
|
|
EOT
|
|
}
|
|
|
|
# Generate AppRoles for each host
|
|
resource "vault_approle_auth_backend_role" "hosts" {
|
|
for_each = local.host_policies
|
|
|
|
backend = vault_auth_backend.approle.path
|
|
role_name = each.key
|
|
token_policies = concat(
|
|
["${each.key}-policy", "homelab-deploy", "nixos-exporter", "loki-push"],
|
|
lookup(each.value, "extra_policies", [])
|
|
)
|
|
|
|
# Token configuration
|
|
token_ttl = 3600 # 1 hour
|
|
token_max_ttl = 86400 # 24 hours
|
|
|
|
# Security settings
|
|
bind_secret_id = true
|
|
secret_id_ttl = 0 # Never expire (we'll rotate manually)
|
|
}
|