Torjus Håkestad
0a28c5f495
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
Add vault secrets for Radarr and Sonarr API keys to enable exportarr metrics collection on monitoring01. - services/exportarr/radarr - Radarr API key - services/exportarr/sonarr - Sonarr API key - Grant monitoring01 access to services/exportarr/* Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
159 lines
3.4 KiB
HCL
159 lines
3.4 KiB
HCL
# Enable AppRole auth backend
|
|
resource "vault_auth_backend" "approle" {
|
|
type = "approle"
|
|
path = "approle"
|
|
}
|
|
|
|
# Shared policy for homelab-deploy (all hosts need this for NATS-based deployments)
|
|
resource "vault_policy" "homelab_deploy" {
|
|
name = "homelab-deploy"
|
|
|
|
policy = <<EOT
|
|
path "secret/data/shared/homelab-deploy/*" {
|
|
capabilities = ["read", "list"]
|
|
}
|
|
EOT
|
|
}
|
|
|
|
# Shared policy for nixos-exporter NATS cache sharing
|
|
resource "vault_policy" "nixos_exporter" {
|
|
name = "nixos-exporter"
|
|
|
|
policy = <<EOT
|
|
path "secret/data/shared/nixos-exporter/*" {
|
|
capabilities = ["read", "list"]
|
|
}
|
|
EOT
|
|
}
|
|
|
|
# Define host access policies
|
|
locals {
|
|
host_policies = {
|
|
# Example: monitoring01 host
|
|
# "monitoring01" = {
|
|
# paths = [
|
|
# "secret/data/hosts/monitoring01/*",
|
|
# "secret/data/services/prometheus/*",
|
|
# "secret/data/services/grafana/*",
|
|
# "secret/data/shared/smtp/*"
|
|
# ]
|
|
# extra_policies = ["some-other-policy"] # Optional: additional policies
|
|
# }
|
|
|
|
# Example: ha1 host
|
|
# "ha1" = {
|
|
# paths = [
|
|
# "secret/data/hosts/ha1/*",
|
|
# "secret/data/shared/mqtt/*"
|
|
# ]
|
|
# }
|
|
|
|
"ha1" = {
|
|
paths = [
|
|
"secret/data/hosts/ha1/*",
|
|
"secret/data/shared/backup/*",
|
|
]
|
|
}
|
|
|
|
"monitoring01" = {
|
|
paths = [
|
|
"secret/data/hosts/monitoring01/*",
|
|
"secret/data/shared/backup/*",
|
|
"secret/data/shared/nats/*",
|
|
"secret/data/services/exportarr/*",
|
|
]
|
|
extra_policies = ["prometheus-metrics"]
|
|
}
|
|
|
|
# Wave 1: hosts with no service secrets (only need vault.enable for future use)
|
|
"nats1" = {
|
|
paths = [
|
|
"secret/data/hosts/nats1/*",
|
|
]
|
|
}
|
|
|
|
"jelly01" = {
|
|
paths = [
|
|
"secret/data/hosts/jelly01/*",
|
|
]
|
|
}
|
|
|
|
# Wave 3: DNS servers
|
|
|
|
# Wave 4: http-proxy
|
|
"http-proxy" = {
|
|
paths = [
|
|
"secret/data/hosts/http-proxy/*",
|
|
]
|
|
}
|
|
|
|
# Wave 5: nix-cache01
|
|
"nix-cache01" = {
|
|
paths = [
|
|
"secret/data/hosts/nix-cache01/*",
|
|
]
|
|
}
|
|
|
|
# vault01: Vault server itself (fetches secrets from itself)
|
|
"vault01" = {
|
|
paths = [
|
|
"secret/data/hosts/vault01/*",
|
|
]
|
|
}
|
|
|
|
# kanidm01: Kanidm identity provider
|
|
"kanidm01" = {
|
|
paths = [
|
|
"secret/data/hosts/kanidm01/*",
|
|
"secret/data/kanidm/*",
|
|
"secret/data/services/grafana/*",
|
|
"secret/data/services/openbao/*",
|
|
]
|
|
}
|
|
|
|
# monitoring02: Grafana test instance
|
|
"monitoring02" = {
|
|
paths = [
|
|
"secret/data/hosts/monitoring02/*",
|
|
"secret/data/services/grafana/*",
|
|
]
|
|
}
|
|
|
|
}
|
|
}
|
|
|
|
# Generate policies for each host
|
|
resource "vault_policy" "host_policies" {
|
|
for_each = local.host_policies
|
|
|
|
name = "${each.key}-policy"
|
|
|
|
policy = <<EOT
|
|
%{~for path in each.value.paths~}
|
|
path "${path}" {
|
|
capabilities = ["read", "list"]
|
|
}
|
|
%{~endfor~}
|
|
EOT
|
|
}
|
|
|
|
# Generate AppRoles for each host
|
|
resource "vault_approle_auth_backend_role" "hosts" {
|
|
for_each = local.host_policies
|
|
|
|
backend = vault_auth_backend.approle.path
|
|
role_name = each.key
|
|
token_policies = concat(
|
|
["${each.key}-policy", "homelab-deploy", "nixos-exporter"],
|
|
lookup(each.value, "extra_policies", [])
|
|
)
|
|
|
|
# Token configuration
|
|
token_ttl = 3600 # 1 hour
|
|
token_max_ttl = 86400 # 24 hours
|
|
|
|
# Security settings
|
|
bind_secret_id = true
|
|
secret_id_ttl = 0 # Never expire (we'll rotate manually)
|
|
}
|