homelab/terraform/vault/nomad.tf
# Policy inventory for the Nomad/Vault integration: the names listed here are
# the only policies the "nomad-cluster" token role may mint tokens for.
locals {
  # Union of the generated per-job policies and the hand-written custom ones.
  # Fed to vault_token_auth_backend_role.nomad-cluster.allowed_policies, so a
  # job asking for a policy outside this list is refused by the role.
  allowed_policies= concat(local.nomad_policy,local.nomad_custom_policy[*].name)
  # One entry per job. Each name becomes a vault_policy of the same name whose
  # body is rendered by data.vault_policy_document.nomad_jobs: read-only access
  # to secrets/data/nomad/<name>, secrets/data/nomad/<name>/*,
  # secrets/data/database/<name> and secrets/data/authelia/<name>. The name
  # therefore has to match the job's secret paths exactly.
  nomad_policy=[
    "crowdsec",
    "dump",
    # NOTE(review): unusual spelling — confirm it matches the job name and its
    # secrets/data/... paths, since both are derived from this string.
    "dentrite",
    "droneci",
    "traefik",
    "gitea",
    "grafana",
    "nextcloud",
    "paperless",
    "pihole",
    "prometheus",
    "rsyncd",
    "seedbox",
    "supysonic",
    "ttrss",
    "vaultwarden",
    "wikijs",
    "vikunja",
    "ghostfolio",
    "alertmanager",
    "vault-backup",
    "pdns",
    "ldap",
    "borgmatic",
    "mealie",
    "immich",
  ]
  # Hand-written policies for jobs that do not fit the generated pattern.
  # `name` becomes the vault_policy name (and the for_each key in
  # vault_policy.nomad_jobs_custom), `policy` is the literal HCL body.
  # authelia is deliberately absent from nomad_policy above; instead of the
  # per-job rules it gets its own entry plus read on the whole
  # secrets/data/authelia/* subtree — i.e. every per-job
  # secrets/data/authelia/<job> entry that the generated policies hand out.
  nomad_custom_policy = [
    {
      name = "authelia",
      policy=<<EOT
path "secrets/data/nomad/authelia" {
capabilities = ["read"]
}
path "secrets/data/authelia/*" {
capabilities = ["read"]
}
EOT
    }
  ]
}
# Token role Nomad uses to mint per-job Vault tokens. The role itself grants
# nothing; it only bounds which policies a job token may carry and how long
# the token lives.
resource "vault_token_auth_backend_role" "nomad-cluster" {
  role_name = "nomad-cluster"
  # Job tokens have no parent token, so revoking the token Nomad itself holds
  # does not cascade to them; they have to be revoked on their own.
  orphan = true
  renewable = true
  # No hard expiry. Combined with token_period below this yields periodic
  # tokens that stay valid indefinitely as long as they are renewed within
  # each 72h (259200s) period — lifetime is bounded by revocation, not TTL.
  token_explicit_max_ttl = "0"
  token_period = "259200"
  # Exact allow-list of policies a job may request; see locals.allowed_policies.
  allowed_policies = local.allowed_policies
}
# Policy body generated once per job name in local.nomad_policy and consumed
# by vault_policy.nomad_jobs[each.key]. Every rule grants "read" only: no
# list (a job cannot enumerate sibling paths), no create/update/delete.
# The "secrets/data/" prefix suggests a KV v2 mount — confirm.
data "vault_policy_document" "nomad_jobs" {
  for_each = toset(local.nomad_policy)
  # The job's own entry ...
  rule {
    path = "secrets/data/nomad/${each.key}"
    capabilities = ["read"]
  }
  # ... and anything nested beneath it.
  rule {
    path = "secrets/data/nomad/${each.key}/*"
    capabilities = ["read"]
  }
  # Presumably the job's database credentials — confirm against the writer.
  rule {
    path = "secrets/data/database/${each.key}"
    capabilities = ["read"]
  }
  # Presumably the job's Authelia client entry — confirm. Note the authelia
  # job itself (local.nomad_custom_policy) reads the whole
  # secrets/data/authelia/* subtree, so this path is shared with it.
  rule {
    path = "secrets/data/authelia/${each.key}"
    capabilities = ["read"]
  }
}
# One vault_policy per job, named after the job, with the body rendered by
# data.vault_policy_document.nomad_jobs for the same key.
resource "vault_policy" "nomad_jobs" {
  # Iterating the generated documents gives exactly the key set of
  # toset(local.nomad_policy) and makes the data dependency explicit.
  for_each = data.vault_policy_document.nomad_jobs

  name   = each.key
  policy = each.value.hcl
}
# Hand-written policies from local.nomad_custom_policy, keyed by their name so
# each one is addressable as vault_policy.nomad_jobs_custom["<name>"].
resource "vault_policy" "nomad_jobs_custom" {
  for_each = { for custom in local.nomad_custom_policy : custom.name => custom }

  name   = each.key
  policy = each.value.policy
}