Remove backup_helper_secret variable and switch shared/backup/password to auto_generate. New password will be added alongside existing restic repository key. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
# Enable KV v2 secrets engine
#
# Mounts the KV secrets engine at "secret" with the version 2 (versioned) API.
# Every secret below is written under this mount (see vault_kv_secret_v2.secrets).
resource "vault_mount" "kv" {
  path        = "secret"
  type        = "kv"
  options     = { version = "2" }
  description = "KV Version 2 secret store"
}
# Define all secrets with auto-generation support
#
# Each key is the secret path under the KV mount; each value is a small spec
# consumed by the two resources further down:
#   auto_generate   - optional bool; a missing attribute is treated as false
#   password_length - required when auto_generate is true (random_password length)
#   data            - required map when auto_generate is false; written to Vault as-is
# The var.* references are defined outside this file (variables.tf / terraform.tfvars,
# as the commented example below describes), so their values are not visible here.
locals {
  secrets = {
    # Example host-specific secrets
    # "hosts/monitoring01/grafana-admin" = {
    #   auto_generate = true
    #   password_length = 32
    # }
    # "hosts/ha1/mqtt-password" = {
    #   auto_generate = true
    #   password_length = 24
    # }

    # Example service secrets
    # "services/prometheus/remote-write" = {
    #   auto_generate = true
    #   password_length = 40
    # }

    # Example shared secrets with manual values
    # "shared/smtp/credentials" = {
    #   auto_generate = false
    #   data = {
    #     username = "notifications@2rjus.net"
    #     password = var.smtp_password # Define in variables.tf and set in terraform.tfvars
    #     server = "smtp.gmail.com"
    #   }
    # }

    "hosts/monitoring01/grafana-admin" = {
      auto_generate   = true
      password_length = 32
    }

    "hosts/ha1/mqtt-password" = {
      auto_generate   = true
      password_length = 24
    }

    # TODO: Remove after testing
    # NOTE(review): this is a live secret path until removed; track the removal
    # so a test credential does not outlive the test.
    "hosts/vaulttest01/test-service" = {
      auto_generate   = true
      password_length = 32
    }

    # Shared backup password (auto-generated, add alongside existing restic key)
    # NOTE(review): an auto-generated entry is written as a map containing only
    # "password" (see vault_kv_secret_v2.secrets). If the existing restic
    # repository key is stored at this same path, that key would not be part
    # of the version this write produces -- confirm it lives at a separate path.
    "shared/backup/password" = {
      auto_generate   = true
      password_length = 32
    }

    # NATS NKey for alerttonotify
    "shared/nats/nkey" = {
      auto_generate = false
      data          = { nkey = var.nats_nkey }
    }

    # PVE exporter config for monitoring01
    "hosts/monitoring01/pve-exporter" = {
      auto_generate = false
      data          = { config = var.pve_exporter_config }
    }

    # DNS zone transfer key
    "shared/dns/xfer-key" = {
      auto_generate = false
      data          = { key = var.ns_xfer_key }
    }

    # WireGuard private key for http-proxy
    "hosts/http-proxy/wireguard" = {
      auto_generate = false
      data          = { private_key = var.wireguard_private_key }
    }

    # Nix cache signing key
    "hosts/nix-cache01/cache-secret" = {
      auto_generate = false
      data          = { key = var.cache_signing_key }
    }

    # Gitea Actions runner token
    "hosts/nix-cache01/actions-token" = {
      auto_generate = false
      data          = { token = var.actions_token_1 }
    }
  }
}
# Auto-generate passwords for secrets with auto_generate = true
#
# One random_password instance per entry of local.secrets whose auto_generate
# is true (an absent attribute counts as false via lookup). Each instance is
# keyed by the secret path so vault_kv_secret_v2.secrets can address it with
# the same key. No keepers are set, so a value is generated once and kept
# across applies unless the instance is tainted or replaced.
# NOTE(review): the generated value is persisted in Terraform state alongside
# the plan; the state backend needs the same access controls as Vault itself.
resource "random_password" "auto_secrets" {
  for_each = {
    for k, v in local.secrets : k => v
    if lookup(v, "auto_generate", false)
  }

  # password_length is required for every auto_generate = true entry
  length  = each.value.password_length
  special = true
}
# Create all secrets in Vault
#
# Writes every entry of local.secrets under the KV v2 mount, named by its key.
# Auto-generated entries are stored as a single-field map { password = ... }
# taken from random_password.auto_secrets; manual entries store each.value.data
# verbatim. An entry with auto_generate = false and no "data" attribute fails
# at plan time on the each.value.data reference.
# NOTE(review): data_json is the complete data map for the new version -- any
# field not included here is absent from the version this write produces.
resource "vault_kv_secret_v2" "secrets" {
  for_each = local.secrets

  mount = vault_mount.kv.path
  name  = each.key

  data_json = jsonencode(
    lookup(each.value, "auto_generate", false)
    ? { password = random_password.auto_secrets[each.key].result }
    : each.value.data
  )
}