Begin adding support for using opentofu through openbao secrets

2025-07-07 23:10:53 +02:00 · 2025-07-07 23:10:53 +02:00 · e61b3b06f3
commit e61b3b06f3
parent 8e31f30762
12 changed files with 551 additions and 39 deletions
--- a/nix/modules/nixos/hetzner-instance/default.nix
+++ b/nix/modules/nixos/hetzner-instance/default.nix
@ -229,12 +229,10 @@ in
      khscodes.provisioning.pre = {
        modules = modules;
        secretsSource = cfg.secretsSource;
-        variablesNeeded = [
-          "TF_VAR_cloudflare_token"
-          "TF_VAR_cloudflare_email"
-          "AWS_ACCESS_KEY_ID"
-          "AWS_SECRET_ACCESS_KEY"
-          "TF_VAR_hcloud_api_token"
+        endspoints = [
+          "aws"
+          "cloudflare"
+          "hcloud"
        ];
      };
    }
--- a/nix/modules/nixos/provisioning/default.nix
+++ b/nix/modules/nixos/provisioning/default.nix
@ -21,9 +21,17 @@ let
      description = "Where to get the secrets for the provisioning from";
      default = "vault";
    };
-    variablesNeeded = lib.mkOption {
-      type = lib.types.listOf lib.types.str;
-      description = "Needed environment variables for the provisioning";
+    endspoints = lib.mkOption {
+      type = lib.types.listOf (
+        lib.types.enum [
+          "openstack"
+          "aws"
+          "unifi"
+          "hcloud"
+          "cloudflare"
+        ]
+      );
+      description = "Needed endpoints to be used during provisioning";
      default = [ ];
    };
  };
--- a/nix/packages/bitwarden-to-vault/default.nix
+++ b/nix/packages/bitwarden-to-vault/default.nix
@ -0,0 +1,19 @@
+{ pkgs, lib, ... }:
+let
+  script = pkgs.writeShellApplication {
+    name = "bitwarden-to-vault-wrapped";
+    meta = {
+      mainProgram = "bitwarden-to-vault-wrapped";
+    };
+    runtimeInputs = [ pkgs.khscodes.openbao-helper ];
+    text = ''
+      openbao-helper transfer
+    '';
+  };
+in
+lib.khscodes.mkBwEnv {
+  inherit pkgs;
+  name = "bitwarden-to-vault";
+  items = import ../bw-opentofu/secrets-map.nix;
+  exe = lib.getExe script;
+}
--- a/nix/packages/bw-opentofu/default.nix
+++ b/nix/packages/bw-opentofu/default.nix
@ -4,25 +4,7 @@ let
  # TODO: We should figure out a way of passing the secrets map at runtime instead of build time.
  # for now this map just needs to include every secret we could need, which also makes the reading of secrets take way longer than
  # needed.
-  secrets = {
-    "KHS Openstack" = {
-      TF_VAR_openstack_username = "login.username";
-      TF_VAR_openstack_password = "login.password";
-      TF_VAR_openstack_tenant_name = "Project Name";
-      TF_VAR_openstack_auth_url = "Auth URL";
-      TF_VAR_openstack_endpoint_type = "Interface";
-      TF_VAR_openstack_region = "Region Name";
-    };
-    "Cloudflare" = {
-      TF_VAR_cloudflare_token = "DNS API Token";
-      TF_VAR_cloudflare_email = "login.username";
-      AWS_ACCESS_KEY_ID = "BW Terraform access key id";
-      AWS_SECRET_ACCESS_KEY = "BW Terraform secret access key";
-    };
-    "Hetzner Cloud" = {
-      TF_VAR_hcloud_api_token = "Terraform API Token";
-    };
-  };
+  secrets = import ./secrets-map.nix;
  wrappedScript = pkgs.writeShellApplication {
    name = "bw-opentofu-wrapped";
    runtimeInputs = [
--- a/nix/packages/bw-opentofu/secrets-map.nix
+++ b/nix/packages/bw-opentofu/secrets-map.nix
@ -0,0 +1,24 @@
+{
+  "KHS Openstack" = {
+    TF_VAR_openstack_username = "login.username";
+    TF_VAR_openstack_password = "login.password";
+    TF_VAR_openstack_tenant_name = "Project Name";
+    TF_VAR_openstack_auth_url = "Auth URL";
+    TF_VAR_openstack_endpoint_type = "Interface";
+    TF_VAR_openstack_region = "Region Name";
+  };
+  "Cloudflare" = {
+    TF_VAR_cloudflare_token = "DNS API Token";
+    TF_VAR_cloudflare_email = "login.username";
+    AWS_ACCESS_KEY_ID = "BW Terraform access key id";
+    AWS_SECRET_ACCESS_KEY = "BW Terraform secret access key";
+  };
+  "Hetzner Cloud" = {
+    TF_VAR_hcloud_api_token = "Terraform API Token";
+  };
+  "Ubiquiti" = {
+    TF_VAR_unifi_username = "Terraform username";
+    TF_VAR_unifi_password = "Terraform password";
+    TF_VAR_unifi_url = "Terraform URL";
+  };
+}
--- a/nix/packages/hetzner-static-ip/default.nix
+++ b/nix/packages/hetzner-static-ip/default.nix
@ -3,4 +3,11 @@
  pkgs,
  inputs,
 }:
-(lib.khscodes.mkRust pkgs "${inputs.self}/rust").buildRustPackage "hetzner-static-ip"
+(lib.khscodes.mkRust pkgs "${inputs.self}/rust").buildRustPackage {
+  crateName = "hetzner-static-ip";
+  runtimeInputs = [
+    pkgs.curl
+    pkgs.uutils-coreutils-noprefix
+    pkgs.iproute2
+  ];
+}
--- a/nix/packages/openbao-helper/default.nix
+++ b/nix/packages/openbao-helper/default.nix
@ -0,0 +1,19 @@
+{
+  lib,
+  pkgs,
+  inputs,
+}:
+(lib.khscodes.mkRust pkgs "${inputs.self}/rust").buildRustPackage {
+  crateName = "openbao-helper";
+  # Not replacing path for openbao helper as it will execve other processes.
+  # Ideally I would like to not touch this process' path at all, perhaps by
+  # placing a file along with the compiled binary listing where the programs are located
+  # such that no tampering of the ENV can take place. But doing it this way at least
+  # it will just suffix the paths.
+  replacePath = false;
+  runtimeInputs = [
+    pkgs.curl
+    pkgs.uutils-coreutils-noprefix
+    pkgs.openbao
+  ];
+}