Remove monitoring01 host configuration and unused service modules (prometheus, grafana, loki, tempo, pyroscope). Migrate blackbox, exportarr, and pve exporters to monitoring02 with scrape configs moved to VictoriaMetrics. Update alert rules, terraform vault policies/secrets, http-proxy entries, and documentation to reflect the monitoring02 migration. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
# KV secrets engine mounted at "secret/".
#
# Every entry of local.secrets below is written beneath this mount by
# vault_kv_secret_v2.secrets, so "secret/<entry key>" is the full path a
# consumer (and the policy granting it read access) refers to.
resource "vault_mount" "kv" {
  path        = "secret"
  type        = "kv"
  description = "KV Version 2 secret store"

  # Selects the versioned engine (kv-v2); vault_kv_secret_v2 below targets
  # that API and will not work against a v1 mount.
  options = {
    version = "2"
  }
}
# Catalogue of every secret this configuration manages in Vault.
#
# Each key is the secret's path below the "secret/" mount. An entry takes one
# of two shapes:
#
#   auto_generate = true,  password_length = N
#       random_password.auto_secrets generates N characters and the value is
#       stored under the "password" key of the secret.
#
#   auto_generate = false, data = { ... }
#       the map is written verbatim. Values come from input variables
#       (declared in variables.tf, set in terraform.tfvars) so that no secret
#       material is committed to this file.
#
# NOTE(review): in both shapes the final value ends up in plaintext in the
# Terraform state, so the state backend needs the same access control as
# Vault itself.
locals {
  secrets = {
    # ---- Examples (commented out, not applied) ---------------------------
    #
    # Host-specific, generated:
    #   "hosts/<host>/<name>" = {
    #     auto_generate   = true
    #     password_length = 24
    #   }
    #
    # Service-level, generated:
    #   "services/<service>/<name>" = {
    #     auto_generate   = true
    #     password_length = 40
    #   }
    #
    # Shared, supplied manually:
    #   "shared/smtp/credentials" = {
    #     auto_generate = false
    #     data = {
    #       username = "notifications@2rjus.net"
    #       password = var.smtp_password # declare in variables.tf, set in terraform.tfvars
    #       server   = "smtp.gmail.com"
    #     }
    #   }

    # Home Assistant host: MQTT password (generated).
    "hosts/ha1/mqtt-password" = {
      auto_generate   = true
      password_length = 24
    }

    # Shared backup password (generated). Lives alongside the existing restic
    # key, which is managed elsewhere.
    "shared/backup/password" = {
      auto_generate   = true
      password_length = 32
    }

    # NATS NKey used by alerttonotify.
    "shared/nats/nkey" = {
      auto_generate = false
      data = {
        nkey = var.nats_nkey
      }
    }

    # Proxmox VE exporter configuration for monitoring02. The whole config is
    # stored as one blob; it presumably carries the PVE API credentials, so
    # treat the entire value as secret rather than just a field of it.
    "hosts/monitoring02/pve-exporter" = {
      auto_generate = false
      data = {
        config = var.pve_exporter_config
      }
    }

    # TSIG key authorising DNS zone transfers.
    "shared/dns/xfer-key" = {
      auto_generate = false
      data = {
        key = var.ns_xfer_key
      }
    }

    # WireGuard private key of the http-proxy host.
    "hosts/http-proxy/wireguard" = {
      auto_generate = false
      data = {
        private_key = var.wireguard_private_key
      }
    }

    # Nix binary-cache signing key for nix-cache02.
    "hosts/nix-cache02/cache-secret" = {
      auto_generate = false
      data = {
        key = var.cache_signing_key_02
      }
    }

    # Homelab-deploy NATS NKeys, one per role.
    "shared/homelab-deploy/listener-nkey" = {
      auto_generate = false
      data = {
        nkey = var.homelab_deploy_listener_nkey
      }
    }

    "shared/homelab-deploy/test-deployer-nkey" = {
      auto_generate = false
      data = {
        nkey = var.homelab_deploy_test_deployer_nkey
      }
    }

    "shared/homelab-deploy/admin-deployer-nkey" = {
      auto_generate = false
      data = {
        nkey = var.homelab_deploy_admin_deployer_nkey
      }
    }

    "shared/homelab-deploy/builder-nkey" = {
      auto_generate = false
      data = {
        nkey = var.homelab_deploy_builder_nkey
      }
    }

    "shared/homelab-deploy/scheduler-nkey" = {
      auto_generate = false
      data = {
        nkey = var.homelab_deploy_scheduler_nkey
      }
    }

    # Garage S3 environment file (RPC secret + admin token) for garage01.
    "hosts/garage01/garage" = {
      auto_generate = false
      data = {
        env = var.garage_env
      }
    }

    # Kanidm idm_admin password (generated).
    "kanidm/idm-admin-password" = {
      auto_generate   = true
      password_length = 32
    }

    # Grafana OAuth2 client secret for Kanidm OIDC (generated).
    # NOTE(review): the commit that produced this file removes the grafana
    # service module; confirm a consumer still reads this secret, otherwise
    # drop the entry so an unused credential does not linger in Vault.
    "services/grafana/oauth2-client-secret" = {
      auto_generate   = true
      password_length = 64
    }

    # OpenBao OAuth2 client secret for Kanidm OIDC (generated).
    "services/openbao/oauth2-client-secret" = {
      auto_generate   = true
      password_length = 64
    }

    # NKey for nixos-exporter NATS cache sharing.
    "shared/nixos-exporter/nkey" = {
      auto_generate = false
      data = {
        nkey = var.nixos_exporter_nkey
      }
    }

    # Exportarr API keys for media-stack monitoring.
    "services/exportarr/radarr" = {
      auto_generate = false
      data = {
        api_key = var.radarr_api_key
      }
    }

    "services/exportarr/sonarr" = {
      auto_generate = false
      data = {
        api_key = var.sonarr_api_key
      }
    }

    # Bearer token monitoring02 presents when scraping apiary metrics
    # (generated). The apiary side presumably has to be configured with the
    # same value; verify how it is distributed there.
    "hosts/monitoring02/apiary-token" = {
      auto_generate   = true
      password_length = 64
    }

    # Loki push authentication used by Promtail on all hosts (generated).
    # NOTE(review): the same commit removes the loki service module; confirm
    # Promtail still pushes somewhere that checks this value, otherwise remove
    # the entry.
    "shared/loki/push-auth" = {
      auto_generate   = true
      password_length = 32
    }
  }
}
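# One random password per entry of local.secrets that has auto_generate = true.
#
# The result is consumed by vault_kv_secret_v2.secrets and, like every
# random_* result, is persisted in plaintext in the Terraform state.
#
# Per-entry knobs (all optional; the defaults keep the previous behaviour of
# `length = password_length`, `special = true`):
#   password_length  - number of characters (required for generated entries)
#   special          - whether punctuation may appear (default true)
#   override_special - the exact set of punctuation characters allowed; set
#                      this for consumers that cannot take arbitrary symbols,
#                      e.g. a value embedded in a URL or an HTTP header
#   keepers          - map(string); changing any value forces a new password
#
# Rotation: nothing here rotates on its own. A generated value is replaced
# only when a keeper changes or the resource is tainted, so a leaked secret
# must be rotated deliberately.
resource "random_password" "auto_secrets" {
  for_each = {
    for k, v in local.secrets : k => v
    if lookup(v, "auto_generate", false)
  }

  length           = each.value.password_length
  special          = lookup(each.value, "special", true)
  override_special = lookup(each.value, "override_special", null)

  keepers = lookup(each.value, "keepers", null)
}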
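# Write every entry of local.secrets into the kv-v2 mount.
#
# Generated entries are stored as { password = <random> } merged over any
# "data" map the entry also declares, so an entry can carry a fixed field
# (a username, say) next to its generated password. Previously such a "data"
# map was silently dropped for generated entries; entries without one behave
# exactly as before. Manual entries are written verbatim.
#
# Caveats:
#   * data_json, and therefore every secret value, is stored in plaintext in
#     the Terraform state.
#   * Terraform owns these secrets: a value changed directly in Vault is put
#     back to the declared value on the next apply.
#   * kv-v2 keeps prior versions. Removing an entry from local.secrets
#     destroys this resource but, with the provider's default settings, does
#     not purge old versions; check the provider's delete_all_versions option
#     if that is required.
resource "vault_kv_secret_v2" "secrets" {
  for_each = local.secrets

  mount = vault_mount.kv.path
  name  = each.key

  data_json = jsonencode(
    lookup(each.value, "auto_generate", false)
    ? merge(
      lookup(each.value, "data", {}),
      { password = random_password.auto_secrets[each.key].result }
    )
    : each.value.data
  )
}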