nixos-servers/terraform/vault/hosts-generated.tf

# WARNING: Auto-generated by create-host tool
# Manual edits will be overwritten when create-host is run

# Generated host policies
# Each host gets access to its own secrets under hosts/<hostname>/*
locals {
  generated_host_policies = {
    "testvm01" = {
      paths = [
        "secret/data/hosts/testvm01/*",
      ]
    }
    "testvm02" = {
      paths = [
        "secret/data/hosts/testvm02/*",
      ]
    }
    "testvm03" = {
      paths = [
        "secret/data/hosts/testvm03/*",
      ]
    }
    "ns2" = {
      paths = [
        "secret/data/hosts/ns2/*",
        "secret/data/shared/dns/*",
      ]
    }
    "ns1" = {
      paths = [
        "secret/data/hosts/ns1/*",
        "secret/data/shared/dns/*",
        "secret/data/shared/homelab-deploy/*",
      ]
    }
    "nix-cache02" = {
      paths = [
        "secret/data/hosts/nix-cache02/*",
        "secret/data/shared/homelab-deploy/*",
      ]
    }
    "garage01" = {
      paths = [
        "secret/data/hosts/garage01/*",
      ]
    }
    "monitoring02" = {
      paths = [
        "secret/data/hosts/monitoring02/*",
        "secret/data/hosts/monitoring01/apiary-token",
        "secret/data/services/grafana/*",
        "secret/data/shared/nats/nkey",
      ]
      extra_policies = ["prometheus-metrics"]
    }

  }

  # Placeholder secrets - user should add actual secrets manually or via tofu
  generated_secrets = {
  }
}

# Create policies for generated hosts
resource "vault_policy" "generated_host_policies" {
  for_each = local.generated_host_policies

  name = "host-${each.key}"

  policy = <<-EOT
    # Allow host to read its own secrets
    %{for path in each.value.paths~}
    path "${path}" {
      capabilities = ["read", "list"]
    }
    %{endfor~}
  EOT
}

# Create AppRoles for generated hosts
resource "vault_approle_auth_backend_role" "generated_hosts" {
  for_each = local.generated_host_policies

  backend            = vault_auth_backend.approle.path
  role_name          = each.key
  token_policies     = concat(
    ["host-${each.key}", "homelab-deploy", "nixos-exporter", "loki-push"],
    lookup(each.value, "extra_policies", [])
  )
  secret_id_ttl      = 0 # Never expire (wrapped tokens provide time limit)
  token_ttl          = 3600
  token_max_ttl      = 3600
  secret_id_num_uses = 0 # Unlimited uses
}