{ config, elib, tflib, lib, pkgs, ... }: let paths.toothpick.consul = { encryption_key = "do-1/toothpick/consul/encryption_key"; agent_token = "do-1/toothpick/consul/agent_token"; anonymous_token = "do-1/toothpick/consul/anonymous_token"; replication_token = "do-1/toothpick/consul/replication_token"; }; paths.toothpick.nomad = { encryption_key = "do-1/toothpick/nomad/encryption_key"; vault_token = "do-1/toothpick/nomad/vault_token"; consul_token = "do-1/toothpick/nomad/consul_token"; replication_token = "do-1/toothpick/nomad/replication_token"; }; inherit (tflib) tf ; inherit (lib) singleton ; in { provider."vault" = { address = "https://vault.in.redalder.org:8200"; }; provider."consul" = { address = "http://consul.in.redalder.org:8500"; }; provider."nomad" = { address = "http://nomad.in.redalder.org:4646"; }; # provider."influxdb-v2" = { # url = "http://influx.in.redalder.org"; # }; variable."hcloud_token" = { sensitive = true; }; provider."hcloud" = { token = tf "var.hcloud_token"; }; module."syncthing" = elib.terraformModule { name = "syncthing"; source = ./containers/syncthing; }; module."website" = elib.terraformModule { name = "website"; source = ./containers/website; }; module."hydra" = elib.terraformModule { name = "hydra"; source = ./containers/hydra; }; module."matrix" = elib.terraformModule { name = "matrix"; source = ./containers/matrix; }; module."jellyfin" = elib.terraformModule { name = "jellyfin"; source = ./containers/jellyfin; }; # module."gitea" = elib.terraformModule { # name = "gitea"; # source = ./containers/gitea; # }; module."home-assistant" = elib.terraformModule { name = "home-assistant"; source = ./containers/home-assistant; }; module."ingress-blowhole" = elib.terraformModule { name = "ingress-blowhole"; source = ./containers/ingress-blowhole; }; module."ingress-toothpick" = elib.terraformModule { name = "ingress-toothpick"; source = ./containers/ingress-toothpick; }; module."gateway-mesh" = elib.terraformModule { name = "gateway-mesh"; source = ./containers/gateway-mesh; }; module."nfs-csi" = elib.terraformModule { name = "nfs-csi"; source = ./containers/nfs-csi; }; # module."minecraft-vanilla" = elib.terraformModule { # name = "nfs-csi"; # source = ./containers/minecraft/vanilla; # }; # module."minecraft-ftb-infinity" = elib.terraformModule { # name = "nfs-csi"; # source = ./containers/minecraft/ftb-infinity; # }; # module."minecraft-ftb-integrations" = elib.terraformModule { # name = "nfs-csi"; # source = ./containers/minecraft/ftb-integrations; # }; imports = [ ./lib ./modules/push_approles.nix ./modules/consul_agent.nix ./modules/nomad_server.nix ./pki.nix ./blowhole.nix ./toothpick.nix ./altra.nix ]; terraform.backend."consul" = { address = "consul.in.redalder.org:8500"; scheme = "http"; path = "terraform/dotfiles"; }; # terraform.required_providers = { # hcloud.source = "hetznercloud/hcloud"; # influxdb-v2.source = "MagicRB/influxdb-v2"; # }; resource."vault_auth_backend"."approle" = { type = "approle"; tune = singleton { max_lease_ttl = "90000s"; listing_visibility = "unauth"; allowed_response_headers = null; audit_non_hmac_request_keys = null; audit_non_hmac_response_keys = null; default_lease_ttl = null; passthrough_request_headers = null; token_type = null; }; }; resource."vault_mount"."kv" = { path = "kv"; type = "kv"; options.version = "2"; description = "KV Version 2 secret engine mount"; }; resource."vault_kv_secret_backend_v2"."config" = { mount = config.resource."vault_mount"."kv".path; max_versions = 5; }; resource."consul_acl_token"."vault_management_token" = { description = "Vault management token"; policies = ["global-management"]; local = false; }; data."consul_acl_token_secret_id"."vault_management_token" = { accessor_id = tf "consul_acl_token.vault_management_token.id"; }; resource."vault_consul_secret_backend"."consul" = { path = "consul"; description = "Manages the Consul backend"; address = "consul.in.redalder.org:8500"; token = tf "data.consul_acl_token_secret_id.vault_management_token.secret_id"; }; resource."vault_token_auth_backend_role"."nomad_cluster" = { role_name = "nomad-cluster"; disallowed_policies = ["nomad-server"]; orphan = true; token_period = "259200"; renewable = true; token_explicit_max_ttl = "0"; }; resource."random_id"."nomad_encryption_key" = { byte_length = 32; }; resource."random_id"."homelab-1_consul_encryption_key" = { byte_length = 32; }; resource."random_id"."do-1_consul_encryption_key" = { byte_length = 32; }; resource."consul_acl_policy"."anonymous" = { name = "consul-anonymous"; rules = '' service_prefix "" { policy = "read" } node_prefix "" { policy = "read" } ''; }; resource."consul_acl_token"."anonymous" = { description = "Consul anonymous token"; policies = [ config.resource.consul_acl_policy.anonymous.name ]; local = false; }; data."consul_acl_token_secret_id"."anonymous" = { accessor_id = tf "consul_acl_token.anonymous.id"; }; }