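# Terranix-style Vault configuration module.
#
# Declares the Terraform backend/provider, a handful of Vault resources and
# the per-app / per-server policy wiring handled by the imported modules.
#
# Defect in the one-line form: both inline Vault policies start with a `#`
# comment, and HCL comments run to end of line, so when the policy text is
# collapsed onto a single line the `path` stanzas are commented out and the
# policies grant nothing.  The policies are restored to one statement per line.
{ lib, config, ... }:
{
  imports = [
    ./policies-raw.nix
    ./policies-app.nix
    ./authbackend-approle.nix
    ./authbackend-oidc.nix
    ./authbackend-authentik.nix
    ./ssh-ca-client.nix
    ./ssh-ca-server.nix
    ./servers.nix
    ./acme-ca.nix
    ./lukegbcom-deployer.nix
    ./binary-cache-deployer.nix
  ];

  terraform = {
    # Remote state lives in GCS.  NOTE(review): anything read through the
    # vault_generic_secret data source below is persisted in this state in
    # plaintext, so the bucket's access controls effectively gate those
    # secrets too — confirm the bucket is locked down accordingly.
    backend.gcs = {
      bucket = "lukegb-terraform-state";
      prefix = "depot/vault";
    };
    # Provider version is pinned exactly so applies are reproducible.
    required_providers.vault = {
      source = "hashicorp/vault";
      version = "3.3.1";
    };
  };

  provider.vault = {
    address = "https://vault.int.lukegb.com";
  };

  # GCP secrets engine mounted at `gcp`.
  resource.vault_gcp_secret_backend.gcp = {
    path = "gcp";
  };

  # Miscellaneous input secrets consumed by other modules (see state note above).
  data.vault_generic_secret.misc = {
    path = "kv/misc-input";
  };

  # Applications.  An empty attrset presumably means "use the defaults from
  # policies-app.nix" — that module is not in view here, so verify there.
  my.apps.deluge = {};
  my.apps.fup = {};
  my.apps.matrix-synapse = {};
  my.apps.pomerium = {};
  my.apps.quotesdb = {};
  my.apps.turn = {};
  my.apps.twitterchiver = {};

  # Vault policy for sslrenew-raritan: may only create ACME certificates.
  # Keep each HCL statement on its own line; a trailing `#` comment would
  # otherwise swallow the `path` block.
  my.apps.sslrenew-raritan.policy = ''
    # sslrenew-raritan is permitted to issue certificates.
    path "acme/certs/*" {
      capabilities = ["create"]
    }
  '';

  # Vault policy for the deployer: read-only access to the nix-daemon
  # secret (KV v2 needs both the data and metadata paths).
  my.apps.deployer.policy = ''
    # Allow reading nix-daemon secrets
    path "kv/data/apps/nix-daemon" {
      capabilities = ["read"]
    }
    path "kv/metadata/apps/nix-daemon" {
      capabilities = ["read"]
    }
  '';

  my.apps.authentik = {};
  my.apps.gitlab-runner = {};
  my.apps.plex-pass = {};
  my.apps.ads-b = {};
  my.apps.nixbuild = {};

  # Which app identities each server is allowed to use.  The mapping to
  # auth roles/policies is done by servers.nix (not in view here).
  my.servers.etheroute-lon01.apps = [ "pomerium" ];
  my.servers.howl.apps = [ "nixbuild" ];
  my.servers.porcorosso.apps = [ "quotesdb" "nixbuild" ];
  my.servers.totoro.apps = [ "sslrenew-raritan" "deluge" "quotesdb" "authentik" "ads-b" "nixbuild" ];
  my.servers.clouvider-fra01.apps = [ "deluge" ];
  my.servers.clouvider-lon01.apps = [ "quotesdb" "gitlab-runner" ];
  my.servers.cofractal-ams01.apps = [ "deluge" "gitlab-runner" "nixbuild" ];
  my.servers.bvm-twitterchiver.apps = [ "twitterchiver" ];
  my.servers.bvm-matrix.apps = [ "turn" "matrix-synapse" ];
  my.servers.bvm-prosody.apps = [ "turn" ];
  my.servers.bvm-heptapod.apps = [ "gitlab-runner" ];
  my.servers.bvm-nixosmgmt.apps = [ "plex-pass" ];
  my.servers.blade-tuvok.apps = [ "fup" ];
}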