dotfiles/terranix/main/blowhole.nix


# Terranix module for the "blowhole" host: wires up the Consul agent and Nomad
# server prefabs, declares the Vault policy its vault-agent runs under, and
# pushes the host's AppRole.
{
  tflib,
  config,
  secret,
  ...
}: let
  # `tf` comes from tflib; it presumably renders a Terraform reference
  # expression for the given resource address — confirm in tflib.
  inherit (tflib) tf;

  # Every secret this host owns lives under one kv prefix.
  hostSecret = name: "homelab-1/blowhole/${name}";
  secretPaths = {
    consul = {
      encryption_key = hostSecret "consul/encryption_key";
      agent_token = hostSecret "consul/agent_token";
      anonymous_token = hostSecret "consul/anonymous_token";
    };
    nomad = {
      encryption_key = hostSecret "nomad/encryption_key";
      vault_token = hostSecret "nomad/vault_token";
      consul_token = hostSecret "nomad/consul_token";
    };
  };

  # Mount paths are read back from resources declared elsewhere in the
  # configuration rather than hard-coded here.
  kvMount = config.resource."vault_mount"."kv".path;
  consulMount = config.resource."vault_consul_secret_backend"."consul".path;
in {
  prefab.consulAgent."blowhole" = {
    datacenter = "homelab-1";
    vaultKvMount = kvMount;
    paths = {
      encryptionKey = secretPaths.consul.encryption_key;
      agentToken = secretPaths.consul.agent_token;
      anonymousToken = secretPaths.consul.anonymous_token;
    };
    encryptionKey = tf "random_id.homelab-1_consul_encryption_key.b64_std";
    anonymousToken = {
      secret = tf "data.consul_acl_token_secret_id.anonymous.secret_id";
      accessor = tf "consul_acl_token.anonymous.id";
    };
  };

  prefab.nomadServer."blowhole" = {
    datacenters = ["homelab-1"];
    vaultKvMount = kvMount;
    encryptionKey = tf "random_id.nomad_encryption_key.b64_std";
    paths = {
      encryptionKey = secretPaths.nomad.encryption_key;
      vaultToken = secretPaths.nomad.vault_token;
      consulToken = secretPaths.nomad.consul_token;
    };
  };

  # Read-only policy for this host's vault-agent. Every grant is `read`.
  # `vault-agent-blowhole` is the Terraform resource key, while the Vault-side
  # policy name is "blowhole-id_ed_camera"; the approle below refers to `.name`,
  # so the two do not have to match.
  # Two further consul creds grants (module.blowhole.envoy_grafana and
  # module.blowhole.envoy_blowhole) were commented out upstream and are
  # deliberately absent from this policy.
  resource."vault_policy"."vault-agent-blowhole" = {
    name = "blowhole-id_ed_camera";
    # NOTE(review): the last kv grant (data/cluster/buildbot/buildbot) sits
    # outside this host's homelab-1/blowhole/ prefix, so a compromised blowhole
    # approle would also expose that shared secret — confirm it is still needed.
    policy = ''
      path "${kvMount}/data/homelab-1/blowhole/id_ed_camera" {
      capabilities = ["read"]
      }
      path "${kvMount}/data/homelab-1/blowhole/kodi_samba.cred" {
      capabilities = ["read"]
      }
      path "${kvMount}/data/homelab-1/blowhole/hostapd/wpa_psk" {
      capabilities = ["read"]
      }
      path "${consulMount}/creds/${tf "vault_consul_secret_backend_role.envoy-klipper.name"}" {
      capabilities = ["read"]
      }
      path "${kvMount}/data/homelab-1/blowhole/monitor/telegraf" {
      capabilities = ["read"]
      }
      path "${kvMount}/data/homelab-1/blowhole/monitor/grafana" {
      capabilities = ["read"]
      }
      path "${kvMount}/data/homelab-1/blowhole/monitor/itp" {
      capabilities = ["read"]
      }
      path "${kvMount}/data/cluster/buildbot/buildbot" {
      capabilities = ["read"]
      }
    '';
  };

  prefab.pushApproles."blowhole" = {
    # `or ""` keeps evaluation working when the secrets attrset lacks this
    # host; the push then has an empty target host.
    host = secret.network.ips.blowhole.ip or "";
    user = "main";
    # Only vault-agent-blowhole is defined in this file; the other three
    # policies are declared elsewhere in the configuration.
    policies = [
      config.resource."vault_policy"."blowhole_consul".name
      config.resource."vault_policy"."blowhole_nomad".name
      config.resource."vault_policy"."pki_inra_update".name
      config.resource."vault_policy"."vault-agent-blowhole".name
    ];
    # NOTE(review): the "ip_address" metadata value is a DNS name, not an
    # address — confirm that is what consumers of this metadata expect.
    metadata = {
      "ip_address" = "blowhole.in.redalder.org";
    };
    approlePath = tf "vault_auth_backend.approle.path";
  };
}