nixos-servers/terraform/vault/approle.tf
Torjus Håkestad 7933127d77 system: enable homelab-deploy listener for all vault hosts
Add system/homelab-deploy.nix module that automatically enables the
listener on all hosts with vault.enable=true. Uses homelab.host.tier
and homelab.host.role for NATS subject subscriptions.

- Add homelab-deploy access to all host AppRole policies
- Remove manual listener config from vaulttest01 (now handled by system module)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-07 06:54:42 +01:00


# Mount the AppRole auth method at its default path ("approle"); the host roles
# below attach to this mount via vault_auth_backend.approle.path.
resource "vault_auth_backend" "approle" {
  path = "approle"
  type = "approle"
}
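# Define host access policies
locals {
  # KV paths every vault-enabled host may read in addition to its own secrets.
  # Currently only the homelab-deploy listener credentials.
  common_host_paths = [
    "secret/data/shared/homelab-deploy/*",
  ]

  # Per-host service secrets, keyed by AppRole name.
  #
  # The host's own scope ("secret/data/hosts/<name>/*") and local.common_host_paths
  # are appended automatically in local.host_policies below, so each entry lists
  # only the shared service paths the host actually needs. Deriving the host scope
  # from the key (rather than spelling it out per host) rules out a copy-paste
  # granting one host another host's secrets.
  #
  #   paths          = shared service paths the host may read/list (may be empty)
  #   extra_policies = optional additional Vault policies attached to the token
  #
  # Example:
  # "monitoring01" = {
  #   paths          = ["secret/data/services/prometheus/*", "secret/data/shared/smtp/*"]
  #   extra_policies = ["some-other-policy"] # Optional: additional policies
  # }
  host_services = {
    "ha1" = {
      paths = [
        "secret/data/shared/backup/*",
      ]
    }
    "monitoring01" = {
      paths = [
        "secret/data/shared/backup/*",
        "secret/data/shared/nats/*",
      ]
      extra_policies = ["prometheus-metrics"]
    }
    # Wave 1: hosts with no service secrets (only need vault.enable for future use)
    "nats1" = {
      paths = []
    }
    "jelly01" = {
      paths = []
    }
    "pgdb1" = {
      paths = []
    }
    # Wave 3: DNS servers
    "ns1" = {
      paths = [
        "secret/data/shared/dns/*",
      ]
    }
    "ns2" = {
      paths = [
        "secret/data/shared/dns/*",
      ]
    }
    # Wave 4: http-proxy
    "http-proxy" = {
      paths = []
    }
    # Wave 5: nix-cache01
    "nix-cache01" = {
      paths = []
    }
    "vaulttest01" = {
      paths = []
    }
  }

  # Fully expanded per-host policy input, consumed by vault_policy.host_policies
  # and vault_approle_auth_backend_role.hosts. Same shape as before
  # ({ paths = [...], extra_policies = [...] (optional) }); the path order is
  # host scope, then service paths, then the common paths.
  host_policies = {
    for name, cfg in local.host_services : name => merge(cfg, {
      paths = concat(
        ["secret/data/hosts/${name}/*"],
        cfg.paths,
        local.common_host_paths
      )
    })
  }
}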
# Generate policies for each host.
#
# One "<host>-policy" per key of local.host_policies, granting read + list on each
# listed KV path. The "~" strip markers remove the newlines around the template
# directives so the rendered policy does not contain empty lines.
#
# NOTE(review): the paths are all under secret/data/. On a KV v2 mount, listing
# keys is authorized on secret/metadata/<path>, not secret/data/<path>, so the
# "list" capability granted here has no effect unless the mount is KV v1 —
# confirm the mount version before relying on list access from hosts.
resource "vault_policy" "host_policies" {
  for_each = local.host_policies

  name   = "${each.key}-policy"
  policy = <<EOT
%{~for path in each.value.paths~}
path "${path}" {
capabilities = ["read", "list"]
}
%{~endfor~}
EOT
}
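# Generate AppRoles for each host.
#
# One role per key of local.host_policies, named after the host, attached to the
# AppRole mount above and carrying that host's policy plus any extra_policies.
resource "vault_approle_auth_backend_role" "hosts" {
  for_each = local.host_policies

  backend   = vault_auth_backend.approle.path
  role_name = each.key

  # Reference the policy resource instead of rebuilding its name as a string:
  # the value is identical ("<host>-policy"), but the reference makes Terraform
  # create the policy before the role. Vault does not (to my knowledge) verify
  # that a policy named in token_policies exists, so a bare string would not
  # surface a missing or mistyped policy.
  token_policies = concat(
    [vault_policy.host_policies[each.key].name],
    lookup(each.value, "extra_policies", [])
  )

  # Token configuration
  token_ttl     = 3600  # 1 hour
  token_max_ttl = 86400 # 24 hours

  # Security settings
  bind_secret_id = true # login requires both RoleID and SecretID
  # SecretIDs never expire and are rotated by hand, so a leaked SecretID stays
  # valid until that rotation happens; secret_id_ttl or secret_id_num_uses would
  # bound that window if manual rotation turns out to be hard to keep up with.
  secret_id_ttl = 0 # Never expire (we'll rotate manually)
}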