# Root of the Vault Terraform configuration (terranix-style module).
# Pulls in the policy, auth-backend, SSH-CA, ACME-CA, server and deployer
# modules, then declares the Terraform backend/provider and the per-app and
# per-server assignments under `my.*`.
{ lib, config, ... }:
{
  imports = [
    ./policies-raw.nix
    ./policies-app.nix
    ./authbackend-approle.nix
    ./authbackend-oidc.nix
    ./ssh-ca-client.nix
    ./ssh-ca-server.nix
    ./servers.nix
    ./acme-ca.nix
    ./lukegbcom-deployer.nix
  ];

  terraform = {
    # Remote state lives in GCS. NOTE(review): Terraform state produced by the
    # vault provider can hold secret material read or generated during apply,
    # so read access to this bucket/prefix should be restricted as tightly as
    # access to Vault itself.
    backend.gcs = {
      bucket = "lukegb-terraform-state";
      prefix = "depot/vault";
    };
    # Provider version is pinned so that upgrades are explicit and reviewable.
    required_providers.vault = {
      source = "hashicorp/vault";
      version = "3.3.1";
    };
  };

  # All resources below are applied against this Vault instance.
  provider.vault.address = "https://vault.int.lukegb.com";

  # GCP secrets engine mounted at `gcp`.
  resource.vault_gcp_secret_backend.gcp.path = "gcp";
  # Generic KV read; whatever is read here is persisted in Terraform state
  # (see the backend note above).
  data.vault_generic_secret.misc.path = "kv/misc-input";

  my = {
    apps = {
      # Apps declared with no local overrides; their policy comes from the
      # imported modules (presumably policies-app.nix -- confirm there).
      deluge = {};
      fup = {};
      matrix-synapse = {};
      pomerium = {};
      quotesdb = {};
      turn = {};
      twitterchiver = {};

      # Apps carrying an explicit Vault (HCL) policy. Both are scoped to the
      # minimum path and capability the app needs: create-only on ACME certs,
      # read-only on a single KV secret (data + metadata).
      sslrenew-raritan.policy = ''
        # sslrenew-raritan is permitted to issue certificates.
        path "acme/certs/*" {
          capabilities = ["create"]
        }
      '';
      deployer.policy = ''
        # Allow reading nix-daemon secrets
        path "kv/data/apps/nix-daemon" {
          capabilities = ["read"]
        }
        path "kv/metadata/apps/nix-daemon" {
          capabilities = ["read"]
        }
      '';
    };

    # Per-server app lists. NOTE(review): presumably this gates which app
    # credentials/policies each host can obtain; see servers.nix for the
    # actual wiring.
    servers = {
      etheroute-lon01.apps = [ "pomerium" ];
      porcorosso.apps = [ "quotesdb" ];
      totoro.apps = [ "sslrenew-raritan" "deluge" "quotesdb" ];
      clouvider-fra01.apps = [ "deluge" ];
      clouvider-lon01.apps = [ "quotesdb" ];
      bvm-twitterchiver.apps = [ "twitterchiver" ];
      bvm-matrix.apps = [ "turn" "matrix-synapse" ];
      bvm-prosody.apps = [ "turn" ];
      blade-tuvok.apps = [ "fup" ];
    };
  };
}