{ tflib, config, secret, ... }: let inherit (tflib) tf ; paths.consul = { encryption_key = "homelab-1/blowhole/consul/encryption_key"; agent_token = "homelab-1/blowhole/consul/agent_token"; anonymous_token = "homelab-1/blowhole/consul/anonymous_token"; }; paths.nomad = { encryption_key = "homelab-1/blowhole/nomad/encryption_key"; vault_token = "homelab-1/blowhole/nomad/vault_token"; consul_token = "homelab-1/blowhole/nomad/consul_token"; }; vaultKvMount = config.resource."vault_mount"."kv".path; vaultConsulMount = config.resource."vault_consul_secret_backend"."consul".path; in { prefab.consulAgent."blowhole" = { datacenter = "homelab-1"; inherit vaultKvMount; paths = { encryptionKey = paths.consul.encryption_key; agentToken = paths.consul.agent_token; anonymousToken = paths.consul.anonymous_token; }; encryptionKey = tf "random_id.homelab-1_consul_encryption_key.b64_std"; anonymousToken = { secret = tf "data.consul_acl_token_secret_id.anonymous.secret_id"; accessor = tf "consul_acl_token.anonymous.id"; }; }; prefab.nomadServer."blowhole" = { datacenters = ["homelab-1"]; inherit vaultKvMount; encryptionKey = tf "random_id.nomad_encryption_key.b64_std"; paths = { encryptionKey = paths.nomad.encryption_key; vaultToken = paths.nomad.vault_token; consulToken = paths.nomad.consul_token; }; }; # path "${vaultConsulMount}/creds/${tf "module.blowhole.envoy_grafana.name"}" { # capabilities = ["read"] # } # path "${vaultConsulMount}/creds/${tf "module.blowhole.envoy_blowhole.name"}" { # capabilities = ["read"] # } resource."vault_policy"."vault-agent-blowhole" = { name = "blowhole-id_ed_camera"; policy = '' path "${vaultKvMount}/data/homelab-1/blowhole/id_ed_camera" { capabilities = ["read"] } path "${vaultKvMount}/data/homelab-1/blowhole/kodi_samba.cred" { capabilities = ["read"] } path "${vaultKvMount}/data/homelab-1/blowhole/hostapd/wpa_psk" { capabilities = ["read"] } path "${vaultConsulMount}/creds/${tf "module.blowhole.envoy_klipper.name"}" { capabilities = ["read"] } path "${vaultKvMount}/data/homelab-1/blowhole/monitor/telegraf" { capabilities = ["read"] } path "${vaultKvMount}/data/homelab-1/blowhole/monitor/grafana" { capabilities = ["read"] } path "${vaultKvMount}/data/homelab-1/blowhole/monitor/itp" { capabilities = ["read"] } ''; }; prefab.pushApproles."blowhole" = { host = secret.network.ips.blowhole.ip or ""; user = "main"; policies = [ config.resource."vault_policy"."blowhole_consul".name config.resource."vault_policy"."blowhole_nomad".name config.resource."vault_policy"."pki_inra_update".name config.resource."vault_policy"."vault-agent-blowhole".name ]; metadata = { "ip_address" = "blowhole.in.redalder.org"; }; approlePath = tf "vault_auth_backend.approle.path"; }; }