nixos-servers/terraform/vault/policies.tf

# Generic policies for services (not host-specific)

resource "vault_policy" "prometheus_metrics" {
  name   = "prometheus-metrics"
  policy = <<EOT
path "sys/metrics" {
  capabilities = ["read"]
}
EOT
}

# OIDC admin policy - full read/write to all secrets
resource "vault_policy" "oidc_admin" {
  name = "oidc-admin"

  policy = <<EOT
# Full access to KV secrets
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Read system health and metrics
path "sys/health" {
  capabilities = ["read"]
}

path "sys/metrics" {
  capabilities = ["read"]
}

# List auth methods and mounts
path "sys/auth" {
  capabilities = ["read"]
}

path "sys/mounts" {
  capabilities = ["read"]
}
EOT
}

# OIDC default policy - minimal access for authenticated users
resource "vault_policy" "oidc_default" {
  name = "oidc-default"

  policy = <<EOT
# Read own token info
path "auth/token/lookup-self" {
  capabilities = ["read"]
}

# Read system health
path "sys/health" {
  capabilities = ["read"]
}
EOT
}