dotfiles/terranix/default.nix
Enable InfluxDB provider and provision Grafana
Signed-off-by: Magic_RB <magic_rb@redalder.org>

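{ config, tflib, lib, ... }:
# Terranix module: Terraform configuration for the Vault / Consul / Nomad /
# InfluxDB control plane of this homelab. Everything below is evaluated by
# Nix and emitted as Terraform JSON; `tf` produces a literal Terraform
# reference string and `config` is the module system's fixpoint, so a
# resource may refer to attributes of another resource declared here.
let
  # Vault KV paths under which the per-node Consul/Nomad secrets are expected
  # to live. NOTE(review): nothing in this file references `paths`; it is
  # presumably consumed from a sibling module, or is a leftover — confirm.
  paths.toothpick.consul = {
    encryption_key = "do-1/toothpick/consul/encryption_key";
    agent_token = "do-1/toothpick/consul/agent_token";
    anonymous_token = "do-1/toothpick/consul/anonymous_token";
    replication_token = "do-1/toothpick/consul/replication_token";
  };
  paths.toothpick.nomad = {
    encryption_key = "do-1/toothpick/nomad/encryption_key";
    vault_token = "do-1/toothpick/nomad/vault_token";
    consul_token = "do-1/toothpick/nomad/consul_token";
    replication_token = "do-1/toothpick/nomad/replication_token";
  };

  # The Consul HTTP API endpoint. It is used in three places (the Consul
  # provider, the state backend and the Vault Consul secrets engine); a single
  # binding keeps them from drifting apart.
  # SECURITY: this is plain HTTP. Every Consul ACL token Terraform presents,
  # and the whole Terraform state (see `terraform.backend` below), crosses the
  # network unencrypted. Only acceptable on a trusted, isolated link.
  consulHttpAddress = "10.64.2.1:8500";

  inherit (tflib) tf;
  inherit (lib) singleton;
in
{
  # Providers. Vault is the only endpoint reached over TLS; Consul, Nomad and
  # InfluxDB are plain HTTP, so whatever credential each of those providers
  # picks up from its environment travels in cleartext.
  provider."vault" = {
    address = "https://vault.in.redalder.org:8200";
  };
  provider."consul" = {
    address = "http://${consulHttpAddress}";
  };
  provider."nomad" = {
    address = "http://10.64.2.1:4646";
  };
  provider."influxdb-v2" = {
    # No token is configured here; presumably the provider reads it from its
    # environment (not visible in this file).
    url = "http://influx.in.redalder.org";
  };

  imports = [
    ./modules/push_approles.nix
    ./modules/consul_agent.nix
    ./modules/nomad_server.nix
    ./pki.nix
    ./blowhole.nix
    ./toothpick.nix
  ];

  # Remote state in Consul KV. Terraform state holds every secret this file
  # produces in plaintext — the gossip keys from `random_id`, and the
  # `secret_id` values read back by the `consul_acl_token_secret_id` data
  # sources (including the global-management token). The `terraform/dotfiles`
  # key prefix must therefore be readable only by the operator's own token;
  # note the anonymous policy below deliberately grants no `key_prefix` access.
  terraform.backend."consul" = {
    address = consulHttpAddress;
    scheme = "http";
    path = "terraform/dotfiles";
  };

  # Supply chain: the third-party provider is declared without a `version`
  # constraint, so `terraform init` accepts whatever the registry serves for
  # that namespace; pin a version (and keep the lockfile) before relying on
  # it. The hashicorp providers used below (vault, consul, nomad, random) are
  # resolved implicitly and are likewise unpinned here.
  terraform.required_providers = {
    influxdb-v2 = {
      source = "MagicRB/influxdb-v2";
    };
  };

  # AppRole auth mount. `listing_visibility = "unauth"` advertises the mount on
  # Vault's unauthenticated mount-listing endpoint (presumably so it appears in
  # the UI login selector); set it to "hidden" if that exposure is unwanted.
  # max_lease_ttl 90000s = 25h. The null tune fields are left at Vault's
  # defaults (terranix drops null attributes from the generated JSON).
  resource."vault_auth_backend"."approle" = {
    type = "approle";
    tune = singleton {
      max_lease_ttl = "90000s";
      listing_visibility = "unauth";
      allowed_response_headers = null;
      audit_non_hmac_request_keys = null;
      audit_non_hmac_response_keys = null;
      default_lease_ttl = null;
      passthrough_request_headers = null;
      token_type = null;
    };
  };

  # KV v2 secrets engine at `kv/`, keeping the last 5 versions of each secret.
  resource."vault_mount"."kv" = {
    path = "kv";
    type = "kv";
    options.version = "2";
    description = "KV Version 2 secret engine mount";
  };
  resource."vault_kv_secret_backend_v2"."config" = {
    mount = config.resource."vault_mount"."kv".path;
    max_versions = 5;
  };

  # A Consul token carrying the built-in `global-management` policy. Its
  # secret_id is read back by the data source below and handed to Vault's
  # Consul secrets engine, which therefore has full control over Consul ACLs.
  # The secret_id also lands in Terraform state (see the backend note above).
  resource."consul_acl_token"."vault_management_token" = {
    description = "Vault management token";
    policies = ["global-management"];
    local = false;
  };
  data."consul_acl_token_secret_id"."vault_management_token" = {
    # `id` of a consul_acl_token resource is its accessor ID.
    accessor_id = tf "consul_acl_token.vault_management_token.id";
  };
  resource."vault_consul_secret_backend"."consul" = {
    path = "consul";
    description = "Manages the Consul backend";
    # Plain HTTP; the management token above is sent to Consul unencrypted.
    address = consulHttpAddress;
    token = tf "data.consul_acl_token_secret_id.vault_management_token.secret_id";
  };

  # Token role used for Nomad's Vault integration (presumably referenced by
  # Nomad's `vault.create_from_role`; confirm in the Nomad server config).
  # Tokens are periodic (259200s = 72h), renewable and orphaned, with no
  # explicit max TTL — so a token that keeps being renewed never expires.
  # `disallowed_policies` stops a derived token from obtaining the
  # `nomad-server` policy itself.
  resource."vault_token_auth_backend_role"."nomad_cluster" = {
    role_name = "nomad-cluster";
    disallowed_policies = ["nomad-server"];
    orphan = true;
    token_period = "259200";
    renewable = true;
    token_explicit_max_ttl = "0";
  };

  # Gossip encryption keys, 32 random bytes each. These are generated once
  # and persisted in Terraform state; rotating them means tainting the
  # resource and re-distributing the key to every agent.
  resource."random_id"."nomad_encryption_key" = {
    byte_length = 32;
  };
  resource."random_id"."homelab-1_consul_encryption_key" = {
    byte_length = 32;
  };
  resource."random_id"."do-1_consul_encryption_key" = {
    byte_length = 32;
  };

  # Low-privilege policy: read access to every service and node in the
  # catalog, and nothing else (no `key_prefix`, `agent` or `session` grants,
  # so KV — including the Terraform state — stays unreadable). Anyone holding
  # a token with this policy can enumerate the whole catalog.
  resource."consul_acl_policy"."anonymous" = {
    name = "consul-anonymous";
    rules = ''
      service_prefix "" { policy = "read" }
      node_prefix "" { policy = "read" }
    '';
  };
  # NOTE: this creates a new, separate token bound to the policy above; it
  # does not touch Consul's built-in anonymous token. The secret_id read back
  # below is presumably what gets distributed to agents as their default
  # token (cf. `paths.toothpick.consul.anonymous_token`) — confirm.
  resource."consul_acl_token"."anonymous" = {
    description = "Consul anonymous token";
    policies = [
      config.resource.consul_acl_policy.anonymous.name
    ];
    local = false;
  };
  data."consul_acl_token_secret_id"."anonymous" = {
    accessor_id = tf "consul_acl_token.anonymous.id";
  };
}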