nixos-servers/terraform/vault/secrets.tf

# Enable KV v2 secrets engine
resource "vault_mount" "kv" {
  path        = "secret"
  type        = "kv"
  options     = { version = "2" }
  description = "KV Version 2 secret store"
}

# Define all secrets with auto-generation support
locals {
  secrets = {
    # Example host-specific secrets
    # "hosts/monitoring01/grafana-admin" = {
    #   auto_generate   = true
    #   password_length = 32
    # }
    # "hosts/ha1/mqtt-password" = {
    #   auto_generate   = true
    #   password_length = 24
    # }

    # Example service secrets
    # "services/prometheus/remote-write" = {
    #   auto_generate   = true
    #   password_length = 40
    # }

    # Example shared secrets with manual values
    # "shared/smtp/credentials" = {
    #   auto_generate = false
    #   data = {
    #     username = "notifications@2rjus.net"
    #     password = var.smtp_password  # Define in variables.tf and set in terraform.tfvars
    #     server   = "smtp.gmail.com"
    #   }
    # }

    "hosts/monitoring01/grafana-admin" = {
      auto_generate   = true
      password_length = 32
    }

    "hosts/ha1/mqtt-password" = {
      auto_generate   = true
      password_length = 24
    }

    # TODO: Remove after testing
    "hosts/vaulttest01/test-service" = {
      auto_generate   = true
      password_length = 32
    }

    # Shared backup password (auto-generated, add alongside existing restic key)
    "shared/backup/password" = {
      auto_generate   = true
      password_length = 32
    }

    # NATS NKey for alerttonotify
    "shared/nats/nkey" = {
      auto_generate = false
      data          = { nkey = var.nats_nkey }
    }

    # PVE exporter config for monitoring01
    "hosts/monitoring01/pve-exporter" = {
      auto_generate = false
      data          = { config = var.pve_exporter_config }
    }

    # DNS zone transfer key
    "shared/dns/xfer-key" = {
      auto_generate = false
      data          = { key = var.ns_xfer_key }
    }

    # WireGuard private key for http-proxy
    "hosts/http-proxy/wireguard" = {
      auto_generate = false
      data          = { private_key = var.wireguard_private_key }
    }

    # Nix cache signing key
    "hosts/nix-cache01/cache-secret" = {
      auto_generate = false
      data          = { key = var.cache_signing_key }
    }

    # Gitea Actions runner token
    "hosts/nix-cache01/actions-token" = {
      auto_generate = false
      data          = { token = var.actions_token_1 }
    }
  }
}

# Auto-generate passwords for secrets with auto_generate = true
resource "random_password" "auto_secrets" {
  for_each = {
    for k, v in local.secrets : k => v
    if lookup(v, "auto_generate", false)
  }

  length  = each.value.password_length
  special = true
}

# Create all secrets in Vault
resource "vault_kv_secret_v2" "secrets" {
  for_each = local.secrets

  mount = vault_mount.kv.path
  name  = each.key

  data_json = jsonencode(
    lookup(each.value, "auto_generate", false)
    ? { password = random_password.auto_secrets[each.key].result }
    : each.value.data
  )
}