depot/ops/vault/cfg/config.nix

{ lib, config, ... }:

{
  imports = [
    ./policies-raw.nix
    ./policies-app.nix

    ./authbackend-approle.nix
    ./authbackend-oidc.nix
    ./authbackend-authentik.nix

    ./ssh-ca-client.nix
    ./ssh-ca-server.nix

    ./servers.nix

    ./acme-ca.nix

    ./lukegbcom-deployer.nix
    ./binary-cache-deployer.nix
  ];

  terraform = {
    backend.gcs = {
      bucket = "lukegb-terraform-state";
      prefix = "depot/vault";
    };

    required_providers.vault = {
      source = "hashicorp/vault";
      version = "3.3.1";
    };
  };

  provider.vault = {
    address = "https://vault.int.lukegb.com";
  };

  resource.vault_gcp_secret_backend.gcp = {
    path = "gcp";
  };
  data.vault_generic_secret.misc = {
    path = "kv/misc-input";
  };

  my.apps.deluge = {};
  my.apps.fup = {};
  my.apps.matrix-synapse = {};
  my.apps.pomerium = {};
  my.apps.quotesdb = {};
  my.apps.turn = {};
  my.apps.twitterchiver = {};
  my.apps.sslrenew-raritan.policy = ''
    # sslrenew-raritan is permitted to issue certificates.
    path "acme/certs/*" {
      capabilities = ["create"]
    }
  '';
  my.apps.deployer.policy = ''
    # Allow reading nix-daemon secrets
    path "kv/data/apps/nix-daemon" {
      capabilities = ["read"]
    }
    path "kv/metadata/apps/nix-daemon" {
      capabilities = ["read"]
    }
  '';
  my.apps.authentik = {};
  my.apps.forgejo-runner = {};
  my.apps.plex-pass = {};
  my.apps.ads-b = {};
  my.apps.nixbuild = {};
  my.apps.tumblrandom = {};
  my.apps.netbox = {};
  my.apps.hacky-vouchproxy = {};
  my.apps.hackyplayer = {};
  my.apps.emfminiserv = {};
  my.apps.bsky-pds = {};

  my.servers.etheroute-lon01.apps = [ "pomerium" ];
  my.servers.bvm-forgejo.apps = [ "pomerium" "forgejo-runner" ];
  my.servers.howl.apps = [ "nixbuild" ];
  my.servers.porcorosso.apps = [ "quotesdb" "nixbuild" ];
  my.servers.nausicaa.apps = [ "quotesdb" "nixbuild" "hacky-vouchproxy" "hackyplayer" "emfminiserv" ];
  my.servers.totoro.apps = [ "sslrenew-raritan" "deluge" "quotesdb" "authentik" "ads-b" "nixbuild" "tumblrandom" ];
  my.servers.clouvider-fra01.apps = [ "deluge" ];
  my.servers.clouvider-lon01.apps = [ "quotesdb" "nixbuild" ];
  my.servers.cofractal-ams01.apps = [ "deluge" "nixbuild" ];
  my.servers.bvm-twitterchiver.apps = [ "twitterchiver" ];
  my.servers.bvm-matrix.apps = [ "turn" "matrix-synapse" ];
  my.servers.bvm-prosody.apps = [ "turn" ];
  my.servers.bvm-nixosmgmt.apps = [ "plex-pass" ];
  my.servers.bvm-netbox.apps = [ "netbox" ];
  my.servers.rexxar.apps = [ "deluge" "forgejo-runner" "nixbuild" "hacky-vouchproxy" "hackyplayer" "emfminiserv" "fup" "bsky-pds" ];
}
ops/vault/cfg: initial configuration 2022-03-14 23:34:33 +00:00			`{ lib, config, ... }:`
ops/vault/cfg: init terranix stuff 2022-03-14 21:29:15 +00:00
			`{`
ops/vault/cfg: initial configuration 2022-03-14 23:34:33 +00:00			`imports = [`
			`./policies-raw.nix`
			`./policies-app.nix`

			`./authbackend-approle.nix`
			`./authbackend-oidc.nix`
ops/vault: add authentik-backed auth 2022-05-21 14:42:55 +00:00			`./authbackend-authentik.nix`
ops/vault/cfg: initial configuration 2022-03-14 23:34:33 +00:00
			`./ssh-ca-client.nix`
			`./ssh-ca-server.nix`

			`./servers.nix`
ops/vault/cfg: add acme-ca 2022-03-16 00:18:47 +00:00
			`./acme-ca.nix`
lukegbcom: autodeploy using Vault 2022-04-05 21:04:32 +00:00
			`./lukegbcom-deployer.nix`
ops/vault: create binary-cache-deployer 2023-02-25 22:16:56 +00:00			`./binary-cache-deployer.nix`
ops/vault/cfg: initial configuration 2022-03-14 23:34:33 +00:00			`];`

ops/vault/cfg: init terranix stuff 2022-03-14 21:29:15 +00:00			`terraform = {`
			`backend.gcs = {`
			`bucket = "lukegb-terraform-state";`
			`prefix = "depot/vault";`
			`};`

			`required_providers.vault = {`
			`source = "hashicorp/vault";`
			`version = "3.3.1";`
			`};`
			`};`
ops/vault/cfg: initial configuration 2022-03-14 23:34:33 +00:00
			`provider.vault = {`
			`address = "https://vault.int.lukegb.com";`
			`};`

lukegbcom: autodeploy using Vault 2022-04-05 21:04:32 +00:00			`resource.vault_gcp_secret_backend.gcp = {`
			`path = "gcp";`
			`};`
ops/vault/cfg: where we're going, we don't need secrets.nix 2022-03-16 00:06:46 +00:00			`data.vault_generic_secret.misc = {`
			`path = "kv/misc-input";`
			`};`

deluge: migrate auth file to vault 2022-04-09 19:59:11 +00:00			`my.apps.deluge = {};`
fup: move config to secret 2022-04-10 00:37:37 +00:00			`my.apps.fup = {};`
ops/nixos: put more things in Vault 2022-04-09 20:51:24 +00:00			`my.apps.matrix-synapse = {};`
ops/vault/cfg: initial configuration 2022-03-14 23:34:33 +00:00			`my.apps.pomerium = {};`
ops/nixos: put more things in Vault 2022-04-09 20:51:24 +00:00			`my.apps.quotesdb = {};`
			`my.apps.turn = {};`
			`my.apps.twitterchiver = {};`
deluge: migrate auth file to vault 2022-04-09 19:59:11 +00:00			`my.apps.sslrenew-raritan.policy = ''`
			`# sslrenew-raritan is permitted to issue certificates.`
			`path "acme/certs/*" {`
			`capabilities = ["create"]`
			`}`
			`'';`
vault: deployer should be allowed to read nix-daemon secrets 2022-03-24 22:20:44 +00:00			`my.apps.deployer.policy = ''`
			`# Allow reading nix-daemon secrets`
			`path "kv/data/apps/nix-daemon" {`
			`capabilities = ["read"]`
			`}`
			`path "kv/metadata/apps/nix-daemon" {`
			`capabilities = ["read"]`
			`}`
			`'';`
nix/pkgs/authentik: init 2022-05-12 22:55:10 +00:00			`my.apps.authentik = {};`
ops: forgejo-runner-cacher 2024-11-17 01:01:18 +00:00			`my.apps.forgejo-runner = {};`
updateplexpass: use Plex Pass key to fetch new versions 2023-01-08 01:54:22 +00:00			`my.apps.plex-pass = {};`
totoro: ADSB 2023-01-09 02:09:04 +00:00			`my.apps.ads-b = {};`
nixbuild-distributed: create 2023-03-09 21:33:42 +00:00			`my.apps.nixbuild = {};`
ops/nixos: add tumblrandom 2023-04-18 20:05:51 +00:00			`my.apps.tumblrandom = {};`
drop my own netbox build in favour of nixpkgs 2023-10-12 20:12:22 +00:00			`my.apps.netbox = {};`
add hackyplayer/hacky-vouchproxy/emfminiserv bits 2024-06-21 21:34:53 +00:00			`my.apps.hacky-vouchproxy = {};`
			`my.apps.hackyplayer = {};`
			`my.apps.emfminiserv = {};`
ops/nixos/bsky-pds: init 2024-10-21 03:56:28 +00:00			`my.apps.bsky-pds = {};`
deluge: migrate auth file to vault 2022-04-09 19:59:11 +00:00
			`my.servers.etheroute-lon01.apps = [ "pomerium" ];`
ops: forgejo-runner-cacher 2024-11-17 01:01:18 +00:00			`my.servers.bvm-forgejo.apps = [ "pomerium" "forgejo-runner" ];`
nixbuild-distributed: create 2023-03-09 21:33:42 +00:00			`my.servers.howl.apps = [ "nixbuild" ];`
			`my.servers.porcorosso.apps = [ "quotesdb" "nixbuild" ];`
vault: allow nausicaa access to the hackyplayer secrets 2024-06-28 07:20:01 +00:00			`my.servers.nausicaa.apps = [ "quotesdb" "nixbuild" "hacky-vouchproxy" "hackyplayer" "emfminiserv" ];`
ops/nixos: add tumblrandom 2023-04-18 20:05:51 +00:00			`my.servers.totoro.apps = [ "sslrenew-raritan" "deluge" "quotesdb" "authentik" "ads-b" "nixbuild" "tumblrandom" ];`
deluge: migrate auth file to vault 2022-04-09 19:59:11 +00:00			`my.servers.clouvider-fra01.apps = [ "deluge" ];`
ops: forgejo-runner-cacher 2024-11-17 01:01:18 +00:00			`my.servers.clouvider-lon01.apps = [ "quotesdb" "nixbuild" ];`
			`my.servers.cofractal-ams01.apps = [ "deluge" "nixbuild" ];`
ops/nixos: put more things in Vault 2022-04-09 20:51:24 +00:00			`my.servers.bvm-twitterchiver.apps = [ "twitterchiver" ];`
			`my.servers.bvm-matrix.apps = [ "turn" "matrix-synapse" ];`
			`my.servers.bvm-prosody.apps = [ "turn" ];`
updateplexpass: use Plex Pass key to fetch new versions 2023-01-08 01:54:22 +00:00			`my.servers.bvm-nixosmgmt.apps = [ "plex-pass" ];`
drop my own netbox build in favour of nixpkgs 2023-10-12 20:12:22 +00:00			`my.servers.bvm-netbox.apps = [ "netbox" ];`
ops: forgejo-runner-cacher 2024-11-17 01:01:18 +00:00			`my.servers.rexxar.apps = [ "deluge" "forgejo-runner" "nixbuild" "hacky-vouchproxy" "hackyplayer" "emfminiserv" "fup" "bsky-pds" ];`
ops/vault/cfg: init terranix stuff 2022-03-14 21:29:15 +00:00			`}`