dotfiles/terranix/blowhole.nix

{ tflib, config, secret, ... }:
let
  inherit (tflib)
    tf;

  paths.consul = {
    encryption_key = "homelab-1/blowhole/consul/encryption_key";
    agent_token = "homelab-1/blowhole/consul/agent_token";
    anonymous_token = "homelab-1/blowhole/consul/anonymous_token";
  };

  paths.nomad = {
    encryption_key = "homelab-1/blowhole/nomad/encryption_key";
    vault_token = "homelab-1/blowhole/nomad/vault_token";
    consul_token = "homelab-1/blowhole/nomad/consul_token";
  };

  vaultKvMount = config.resource."vault_mount"."kv".path;
  vaultConsulMount = config.resource."vault_consul_secret_backend"."consul".path;
in
{
  prefab.consulAgent."blowhole" = {
    datacenter = "homelab-1";

    inherit vaultKvMount;

    paths = {
      encryptionKey = paths.consul.encryption_key;
      agentToken = paths.consul.agent_token;
      anonymousToken = paths.consul.anonymous_token;
    };
    encryptionKey = tf "random_id.homelab-1_consul_encryption_key.b64_std";

    anonymousToken = {
      secret = tf "data.consul_acl_token_secret_id.anonymous.secret_id";
      accessor = tf "consul_acl_token.anonymous.id";
    };
  };

  prefab.nomadServer."blowhole" = {
    datacenters = [ "homelab-1" ];

    inherit vaultKvMount;

    encryptionKey = tf "random_id.nomad_encryption_key.b64_std";

    paths = {
      encryptionKey = paths.nomad.encryption_key;
      vaultToken = paths.nomad.vault_token;
      consulToken = paths.nomad.consul_token;
    };
  };

  # path "${vaultConsulMount}/creds/${tf "module.blowhole.envoy_grafana.name"}" {
  #   capabilities = ["read"]
  # }

  # path "${vaultConsulMount}/creds/${tf "module.blowhole.envoy_blowhole.name"}" {
  #   capabilities = ["read"]
  # }

  resource."vault_policy"."vault-agent-blowhole" = {
    name = "blowhole-id_ed_camera";

    policy = ''
      path "${vaultKvMount}/data/homelab-1/blowhole/id_ed_camera" {
        capabilities = ["read"]
      }

      path "${vaultKvMount}/data/homelab-1/blowhole/kodi_samba.cred" {
        capabilities = ["read"]
      }

      path "${vaultKvMount}/data/homelab-1/blowhole/hostapd/wpa_psk" {
        capabilities = ["read"]
      }

      path "${vaultConsulMount}/creds/${tf "module.blowhole.envoy_klipper.name"}" {
        capabilities = ["read"]
      }

      path "${vaultKvMount}/data/homelab-1/blowhole/monitor/telegraf" {
        capabilities = ["read"]
      }

      path "${vaultKvMount}/data/homelab-1/blowhole/monitor/grafana" {
        capabilities = ["read"]
      }

      path "${vaultKvMount}/data/homelab-1/blowhole/monitor/itp" {
        capabilities = ["read"]
      }
    '';
  };

  prefab.pushApproles."blowhole" = {
    host = secret.network.ips.blowhole.ip or "";
    user = "main";

    policies = [
      config.resource."vault_policy"."blowhole_consul".name
      config.resource."vault_policy"."blowhole_nomad".name
      config.resource."vault_policy"."pki_inra_update".name
      config.resource."vault_policy"."vault-agent-blowhole".name
    ];

    metadata = {
      "ip_address" = "blowhole.in.redalder.org";
    };

    approlePath = tf "vault_auth_backend.approle.path";
  };
}