magic_rb/dotfiles
1
0
Fork 0
mirror of https://git.sr.ht/~magic_rb/dotfiles synced 2024-12-03 21:46:14 +01:00
Code Issues Packages Projects Releases Wiki Activity
dotfiles/terranix/main/modules/push_approles.nix
magic_rb 4a29b6d8d3
Move terranix config into terranix/main 
Signed-off-by: magic_rb <magic_rb@redalder.org>
2024-04-07 10:45:07 +02:00

120 lines
2.8 KiB
Nix
Raw Blame History

{
config,
pkgs,
lib,
tflib,
...
}: let
cfg = config.prefab.pushApproles;
inherit
(lib)
mkOption
mdDoc
types
mapAttrsToList
mkMerge
flip
;
inherit
(tflib)
tf
;
metadataType = pkgs.formats.json {};
submoduleOptions = {
policies = mkOption {
description = mdDoc ''
Vault policies added to the approle generated.
'';
type = with types; listOf str;
default = [];
};
host = mkOption {
description = mdDoc ''
The address of the machine, either IP address, domain name or any other identificator accepted by `ssh`.
'';
type = types.str;
};
user = mkOption {
description = mdDoc ''
The user to connect as.
'';
type = types.str;
};
metadata = mkOption {
description =
mdDoc ''
'';
type = metadataType.type;
default = {};
};
approlePath = mkOption {
description =
mdDoc ''
'';
type = types.str;
};
};
in {
options.prefab.pushApproles = mkOption {
description = ''
'';
type = with types; attrsOf (submodule {options = submoduleOptions;});
default = {};
};
config.resource =
mkMerge
(flip mapAttrsToList cfg (hostname: value: {
"vault_approle_auth_backend_role"."system-${hostname}" = {
backend = value.approlePath;
role_name = hostname;
token_policies = value.policies;
};
"vault_approle_auth_backend_role_secret_id"."system-${hostname}" = {
backend = value.approlePath;
role_name = tf "vault_approle_auth_backend_role.system-${hostname}.role_name";
metadata = builtins.toJSON value.metadata;
};
"null_resource"."approles-${hostname}" = {
triggers = {
secret_id = tf "vault_approle_auth_backend_role_secret_id.system-${hostname}.secret_id";
role_id = tf "data.vault_approle_auth_backend_role_id.system-${hostname}.role_id";
};
connection = {
inherit
(value)
host
user
;
};
provisioner = {
"remote-exec" = {
inline = [
"echo \${nonsensitive(vault_approle_auth_backend_role_secret_id.system-${hostname}.secret_id)} > /var/secrets/approle.secretid"
"echo \${data.vault_approle_auth_backend_role_id.system-${hostname}.role_id} > /var/secrets/approle.roleid"
];
};
};
};
}));
config.data =
mkMerge
(flip mapAttrsToList cfg (hostname: value: {
"vault_approle_auth_backend_role_id"."system-${hostname}" = {
backend = value.approlePath;
role_name = tf "vault_approle_auth_backend_role.system-${hostname}.role_name";
};
}));
}
Reference in a new issue View git blame Copy permalink