nixos-servers/terraform/vault/secrets.tf

# Enable KV v2 secrets engine
resource "vault_mount" "kv" {
  path        = "secret"
  type        = "kv"
  options     = { version = "2" }
  description = "KV Version 2 secret store"
}

# Define all secrets with auto-generation support
locals {
  secrets = {
    # Example host-specific secrets
    # "hosts/monitoring01/grafana-admin" = {
    #   auto_generate   = true
    #   password_length = 32
    # }
    # "hosts/ha1/mqtt-password" = {
    #   auto_generate   = true
    #   password_length = 24
    # }

    # Example service secrets
    # "services/prometheus/remote-write" = {
    #   auto_generate   = true
    #   password_length = 40
    # }

    # Example shared secrets with manual values
    # "shared/smtp/credentials" = {
    #   auto_generate = false
    #   data = {
    #     username = "notifications@2rjus.net"
    #     password = var.smtp_password  # Define in variables.tf and set in terraform.tfvars
    #     server   = "smtp.gmail.com"
    #   }
    # }

    # TODO: actually use the secret
    "hosts/monitoring01/grafana-admin" = {
      auto_generate   = true
      password_length = 32
    }

    # TODO: actually use the secret
    "hosts/ha1/mqtt-password" = {
      auto_generate   = true
      password_length = 24
    }
    # TODO: Remove after testing
    "hosts/vaulttest01/test-service" = {
      auto_generate   = true
      password_length = 32
    }
  }
}

# Auto-generate passwords for secrets with auto_generate = true
resource "random_password" "auto_secrets" {
  for_each = {
    for k, v in local.secrets : k => v
    if lookup(v, "auto_generate", false)
  }

  length  = each.value.password_length
  special = true
}

# Create all secrets in Vault
resource "vault_kv_secret_v2" "secrets" {
  for_each = local.secrets

  mount = vault_mount.kv.path
  name  = each.key

  data_json = jsonencode(
    lookup(each.value, "auto_generate", false)
    ? { password = random_password.auto_secrets[each.key].result }
    : each.value.data
  )
}