mirror of
https://git.sr.ht/~magic_rb/dotfiles
synced 2024-12-12 18:01:59 +01:00
109 lines
2.8 KiB
Nix
109 lines
2.8 KiB
Nix
{ config, pkgs, lib, tflib, ... }:
|
|
let
|
|
cfg = config.prefab.pushApproles;
|
|
inherit (lib)
|
|
mkOption
|
|
mdDoc
|
|
types
|
|
mapAttrsToList
|
|
mkMerge
|
|
flip
|
|
;
|
|
|
|
inherit (tflib)
|
|
tf
|
|
;
|
|
metadataType = pkgs.formats.json {};
|
|
submoduleOptions = {
|
|
policies = mkOption {
|
|
description = mdDoc ''
|
|
Vault policies added to the approle generated.
|
|
'';
|
|
type = with types; listOf str;
|
|
default = [];
|
|
};
|
|
|
|
host = mkOption {
|
|
description = mdDoc ''
|
|
The address of the machine, either IP address, domain name or any other identificator accepted by `ssh`.
|
|
'';
|
|
type = types.str;
|
|
};
|
|
|
|
user = mkOption {
|
|
description = mdDoc ''
|
|
The user to connect as.
|
|
'';
|
|
type = types.str;
|
|
};
|
|
|
|
metadata = mkOption {
|
|
description = mdDoc ''
|
|
'';
|
|
type = metadataType.type;
|
|
default = {};
|
|
};
|
|
|
|
approlePath = mkOption {
|
|
description = mdDoc ''
|
|
'';
|
|
type = types.str;
|
|
};
|
|
};
|
|
in
|
|
{
|
|
options.prefab.pushApproles = mkOption {
|
|
description = ''
|
|
'';
|
|
type = with types; attrsOf (submodule { options = submoduleOptions; });
|
|
default = {};
|
|
};
|
|
|
|
config.resource = mkMerge
|
|
(flip mapAttrsToList cfg (hostname: value:
|
|
{
|
|
"vault_approle_auth_backend_role"."system-${hostname}" = {
|
|
backend = value.approlePath;
|
|
role_name = hostname;
|
|
token_policies = value.policies;
|
|
};
|
|
|
|
"vault_approle_auth_backend_role_secret_id"."system-${hostname}" = {
|
|
backend = value.approlePath;
|
|
role_name = tf "vault_approle_auth_backend_role.system-${hostname}.role_name";
|
|
|
|
metadata = builtins.toJSON value.metadata;
|
|
};
|
|
|
|
"null_resource"."approles-${hostname}" = {
|
|
triggers = {
|
|
secret_id = tf "vault_approle_auth_backend_role_secret_id.system-${hostname}.secret_id";
|
|
role_id = tf "data.vault_approle_auth_backend_role_id.system-${hostname}.role_id";
|
|
};
|
|
|
|
connection = {
|
|
inherit (value)
|
|
host
|
|
user;
|
|
};
|
|
|
|
provisioner = {
|
|
"remote-exec" = {
|
|
inline = [
|
|
"echo \${nonsensitive(vault_approle_auth_backend_role_secret_id.system-${hostname}.secret_id)} > /var/secrets/approle.secretid"
|
|
"echo \${data.vault_approle_auth_backend_role_id.system-${hostname}.role_id} > /var/secrets/approle.roleid"
|
|
];
|
|
};
|
|
};
|
|
};
|
|
}));
|
|
|
|
config.data = mkMerge
|
|
(flip mapAttrsToList cfg (hostname: value:
|
|
{
|
|
"vault_approle_auth_backend_role_id"."system-${hostname}" = {
|
|
backend = value.approlePath;
|
|
role_name = tf "vault_approle_auth_backend_role.system-${hostname}.role_name";
|
|
};
|
|
}));
|
|
}
|