mirror of
https://git.sr.ht/~magic_rb/dotfiles
synced 2024-12-12 18:01:59 +01:00
aff0158ef7
Signed-off-by: magic_rb <magic_rb@redalder.org>
119 lines
2.8 KiB
Nix
119 lines
2.8 KiB
Nix
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
tflib,
|
|
...
|
|
}: let
|
|
cfg = config.prefab.pushApproles;
|
|
inherit
|
|
(lib)
|
|
mkOption
|
|
mdDoc
|
|
types
|
|
mapAttrsToList
|
|
mkMerge
|
|
flip
|
|
;
|
|
|
|
inherit
|
|
(tflib)
|
|
tf
|
|
;
|
|
metadataType = pkgs.formats.json {};
|
|
submoduleOptions = {
|
|
policies = mkOption {
|
|
description = mdDoc ''
|
|
Vault policies added to the approle generated.
|
|
'';
|
|
type = with types; listOf str;
|
|
default = [];
|
|
};
|
|
|
|
host = mkOption {
|
|
description = mdDoc ''
|
|
The address of the machine, either IP address, domain name or any other identificator accepted by `ssh`.
|
|
'';
|
|
type = types.str;
|
|
};
|
|
|
|
user = mkOption {
|
|
description = mdDoc ''
|
|
The user to connect as.
|
|
'';
|
|
type = types.str;
|
|
};
|
|
|
|
metadata = mkOption {
|
|
description =
|
|
mdDoc ''
|
|
'';
|
|
type = metadataType.type;
|
|
default = {};
|
|
};
|
|
|
|
approlePath = mkOption {
|
|
description =
|
|
mdDoc ''
|
|
'';
|
|
type = types.str;
|
|
};
|
|
};
|
|
in {
|
|
options.prefab.pushApproles = mkOption {
|
|
description = ''
|
|
'';
|
|
type = with types; attrsOf (submodule {options = submoduleOptions;});
|
|
default = {};
|
|
};
|
|
|
|
config.resource =
|
|
mkMerge
|
|
(flip mapAttrsToList cfg (hostname: value: {
|
|
"vault_approle_auth_backend_role"."system-${hostname}" = {
|
|
backend = value.approlePath;
|
|
role_name = hostname;
|
|
token_policies = value.policies;
|
|
};
|
|
|
|
"vault_approle_auth_backend_role_secret_id"."system-${hostname}" = {
|
|
backend = value.approlePath;
|
|
role_name = tf "vault_approle_auth_backend_role.system-${hostname}.role_name";
|
|
|
|
metadata = builtins.toJSON value.metadata;
|
|
};
|
|
|
|
"null_resource"."approles-${hostname}" = {
|
|
triggers = {
|
|
secret_id = tf "vault_approle_auth_backend_role_secret_id.system-${hostname}.secret_id";
|
|
role_id = tf "data.vault_approle_auth_backend_role_id.system-${hostname}.role_id";
|
|
};
|
|
|
|
connection = {
|
|
inherit
|
|
(value)
|
|
host
|
|
user
|
|
;
|
|
};
|
|
|
|
provisioner = {
|
|
"remote-exec" = {
|
|
inline = [
|
|
"echo \${nonsensitive(vault_approle_auth_backend_role_secret_id.system-${hostname}.secret_id)} > /var/secrets/approle.secretid"
|
|
"echo \${data.vault_approle_auth_backend_role_id.system-${hostname}.role_id} > /var/secrets/approle.roleid"
|
|
];
|
|
};
|
|
};
|
|
};
|
|
}));
|
|
|
|
config.data =
|
|
mkMerge
|
|
(flip mapAttrsToList cfg (hostname: value: {
|
|
"vault_approle_auth_backend_role_id"."system-${hostname}" = {
|
|
backend = value.approlePath;
|
|
role_name = tf "vault_approle_auth_backend_role.system-${hostname}.role_name";
|
|
};
|
|
}));
|
|
}
|