torjus/nixos-servers
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
c13921d302d4b044129bc5fbcf912abca3aea449
nixos-servers/terraform/vault/approle.tf
Torjus Håkestad c13921d302
Some checks failed
Run nix flake check / flake-check (push) Failing after 4m36s
Details
loki: add basic auth for log push and dual-ship promtail 
- Loki bound to localhost, Caddy reverse proxy with basic_auth
- Vault secret (shared/loki/push-auth) for password, bcrypt hash
  generated at boot for Caddy environment
- Promtail dual-ships to monitoring01 (direct) and loki.home.2rjus.net
  (with basic auth), conditional on vault.enable
- Terraform: new shared loki-push policy added to all AppRoles

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-17 20:00:08 +01:00

164 lines
3.5 KiB
HCL
Raw Blame History

# Enable AppRole auth backend
resource "vault_auth_backend" "approle" {
type = "approle"
path = "approle"
}
# Shared policy for homelab-deploy (all hosts need this for NATS-based deployments)
resource "vault_policy" "homelab_deploy" {
name = "homelab-deploy"
policy = <<EOT
path "secret/data/shared/homelab-deploy/*" {
capabilities = ["read", "list"]
}
EOT
}
# Shared policy for nixos-exporter NATS cache sharing
resource "vault_policy" "nixos_exporter" {
name = "nixos-exporter"
policy = <<EOT
path "secret/data/shared/nixos-exporter/*" {
capabilities = ["read", "list"]
}
EOT
}
# Shared policy for Loki push authentication (all hosts push logs)
resource "vault_policy" "loki_push" {
name = "loki-push"
policy = <<EOT
path "secret/data/shared/loki/*" {
capabilities = ["read", "list"]
}
EOT
}
# Define host access policies
locals {
host_policies = {
# Example: monitoring01 host
# "monitoring01" = {
# paths = [
# "secret/data/hosts/monitoring01/*",
# "secret/data/services/prometheus/*",
# "secret/data/services/grafana/*",
# "secret/data/shared/smtp/*"
# ]
# extra_policies = ["some-other-policy"] # Optional: additional policies
# }
# Example: ha1 host
# "ha1" = {
# paths = [
# "secret/data/hosts/ha1/*",
# "secret/data/shared/mqtt/*"
# ]
# }
"ha1" = {
paths = [
"secret/data/hosts/ha1/*",
"secret/data/shared/backup/*",
]
}
"monitoring01" = {
paths = [
"secret/data/hosts/monitoring01/*",
"secret/data/shared/backup/*",
"secret/data/shared/nats/*",
"secret/data/services/exportarr/*",
]
extra_policies = ["prometheus-metrics"]
}
# Wave 1: hosts with no service secrets (only need vault.enable for future use)
"nats1" = {
paths = [
"secret/data/hosts/nats1/*",
]
}
"jelly01" = {
paths = [
"secret/data/hosts/jelly01/*",
]
}
# Wave 3: DNS servers
# Wave 4: http-proxy
"http-proxy" = {
paths = [
"secret/data/hosts/http-proxy/*",
]
}
# vault01: Vault server itself (fetches secrets from itself)
"vault01" = {
paths = [
"secret/data/hosts/vault01/*",
]
}
# kanidm01: Kanidm identity provider
"kanidm01" = {
paths = [
"secret/data/hosts/kanidm01/*",
"secret/data/kanidm/*",
"secret/data/services/grafana/*",
"secret/data/services/openbao/*",
]
}
# monitoring02: Grafana + VictoriaMetrics
"monitoring02" = {
paths = [
"secret/data/hosts/monitoring02/*",
"secret/data/hosts/monitoring01/apiary-token",
"secret/data/services/grafana/*",
]
}
}
}
# Generate policies for each host
resource "vault_policy" "host_policies" {
for_each = local.host_policies
name = "${each.key}-policy"
policy = <<EOT
%{~for path in each.value.paths~}
path "${path}" {
capabilities = ["read", "list"]
}
%{~endfor~}
EOT
}
# Generate AppRoles for each host
resource "vault_approle_auth_backend_role" "hosts" {
for_each = local.host_policies
backend = vault_auth_backend.approle.path
role_name = each.key
token_policies = concat(
["${each.key}-policy", "homelab-deploy", "nixos-exporter", "loki-push"],
lookup(each.value, "extra_policies", [])
)
# Token configuration
token_ttl = 3600 # 1 hour
token_max_ttl = 86400 # 24 hours
# Security settings
bind_secret_id = true
secret_id_ttl = 0 # Never expire (we'll rotate manually)
}
Reference in New Issue View Git Blame Copy Permalink