2024-03-02 22:05:30 +01:00
|
|
|
{
|
|
|
|
tflib,
|
|
|
|
config,
|
|
|
|
secret,
|
|
|
|
...
|
|
|
|
}: let
|
|
|
|
inherit
|
|
|
|
(tflib)
|
|
|
|
tf
|
|
|
|
;
|
2023-06-15 23:04:14 +02:00
|
|
|
|
|
|
|
paths.consul = {
|
|
|
|
encryption_key = "homelab-1/blowhole/consul/encryption_key";
|
|
|
|
agent_token = "homelab-1/blowhole/consul/agent_token";
|
|
|
|
anonymous_token = "homelab-1/blowhole/consul/anonymous_token";
|
|
|
|
};
|
|
|
|
|
|
|
|
paths.nomad = {
|
|
|
|
encryption_key = "homelab-1/blowhole/nomad/encryption_key";
|
|
|
|
vault_token = "homelab-1/blowhole/nomad/vault_token";
|
|
|
|
consul_token = "homelab-1/blowhole/nomad/consul_token";
|
|
|
|
};
|
|
|
|
|
|
|
|
vaultKvMount = config.resource."vault_mount"."kv".path;
|
|
|
|
vaultConsulMount = config.resource."vault_consul_secret_backend"."consul".path;
|
2024-03-02 22:05:30 +01:00
|
|
|
in {
|
2023-06-15 23:04:14 +02:00
|
|
|
prefab.consulAgent."blowhole" = {
|
|
|
|
datacenter = "homelab-1";
|
|
|
|
|
|
|
|
inherit vaultKvMount;
|
|
|
|
|
|
|
|
paths = {
|
|
|
|
encryptionKey = paths.consul.encryption_key;
|
|
|
|
agentToken = paths.consul.agent_token;
|
|
|
|
anonymousToken = paths.consul.anonymous_token;
|
|
|
|
};
|
|
|
|
encryptionKey = tf "random_id.homelab-1_consul_encryption_key.b64_std";
|
|
|
|
|
|
|
|
anonymousToken = {
|
|
|
|
secret = tf "data.consul_acl_token_secret_id.anonymous.secret_id";
|
|
|
|
accessor = tf "consul_acl_token.anonymous.id";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
prefab.nomadServer."blowhole" = {
|
2024-03-02 22:05:30 +01:00
|
|
|
datacenters = ["homelab-1"];
|
2023-06-15 23:04:14 +02:00
|
|
|
|
|
|
|
inherit vaultKvMount;
|
|
|
|
|
|
|
|
encryptionKey = tf "random_id.nomad_encryption_key.b64_std";
|
|
|
|
|
|
|
|
paths = {
|
|
|
|
encryptionKey = paths.nomad.encryption_key;
|
|
|
|
vaultToken = paths.nomad.vault_token;
|
|
|
|
consulToken = paths.nomad.consul_token;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2023-10-07 22:28:48 +02:00
|
|
|
# path "${vaultConsulMount}/creds/${tf "module.blowhole.envoy_grafana.name"}" {
|
|
|
|
# capabilities = ["read"]
|
|
|
|
# }
|
|
|
|
|
|
|
|
# path "${vaultConsulMount}/creds/${tf "module.blowhole.envoy_blowhole.name"}" {
|
|
|
|
# capabilities = ["read"]
|
|
|
|
# }
|
|
|
|
|
2023-06-15 23:04:14 +02:00
|
|
|
resource."vault_policy"."vault-agent-blowhole" = {
|
|
|
|
name = "blowhole-id_ed_camera";
|
|
|
|
|
|
|
|
policy = ''
|
|
|
|
path "${vaultKvMount}/data/homelab-1/blowhole/id_ed_camera" {
|
|
|
|
capabilities = ["read"]
|
|
|
|
}
|
|
|
|
|
2023-06-28 14:24:21 +02:00
|
|
|
path "${vaultKvMount}/data/homelab-1/blowhole/kodi_samba.cred" {
|
|
|
|
capabilities = ["read"]
|
|
|
|
}
|
|
|
|
|
2023-06-15 23:04:14 +02:00
|
|
|
path "${vaultKvMount}/data/homelab-1/blowhole/hostapd/wpa_psk" {
|
|
|
|
capabilities = ["read"]
|
|
|
|
}
|
|
|
|
|
2024-04-06 16:15:47 +02:00
|
|
|
path "${vaultConsulMount}/creds/${tf "vault_consul_secret_backend_role.envoy-klipper.name"}" {
|
2023-06-15 23:04:14 +02:00
|
|
|
capabilities = ["read"]
|
|
|
|
}
|
|
|
|
|
|
|
|
path "${vaultKvMount}/data/homelab-1/blowhole/monitor/telegraf" {
|
|
|
|
capabilities = ["read"]
|
|
|
|
}
|
|
|
|
|
|
|
|
path "${vaultKvMount}/data/homelab-1/blowhole/monitor/grafana" {
|
|
|
|
capabilities = ["read"]
|
|
|
|
}
|
2023-09-03 18:01:40 +02:00
|
|
|
|
|
|
|
path "${vaultKvMount}/data/homelab-1/blowhole/monitor/itp" {
|
|
|
|
capabilities = ["read"]
|
|
|
|
}
|
2024-04-21 19:38:47 +02:00
|
|
|
|
|
|
|
path "${vaultKvMount}/data/cluster/buildbot/buildbot" {
|
|
|
|
capabilities = ["read"]
|
|
|
|
}
|
2023-06-15 23:04:14 +02:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
prefab.pushApproles."blowhole" = {
|
|
|
|
host = secret.network.ips.blowhole.ip or "";
|
|
|
|
user = "main";
|
|
|
|
|
|
|
|
policies = [
|
|
|
|
config.resource."vault_policy"."blowhole_consul".name
|
|
|
|
config.resource."vault_policy"."blowhole_nomad".name
|
|
|
|
config.resource."vault_policy"."pki_inra_update".name
|
|
|
|
config.resource."vault_policy"."vault-agent-blowhole".name
|
|
|
|
];
|
|
|
|
|
|
|
|
metadata = {
|
|
|
|
"ip_address" = "blowhole.in.redalder.org";
|
|
|
|
};
|
|
|
|
|
|
|
|
approlePath = tf "vault_auth_backend.approle.path";
|
|
|
|
};
|
|
|
|
}
|