machines/nix/modules/terranix/vault/approle_auth_backend.nix
Kaare Hoff Skovgaard 608d758f30
Begin testing bootstrapping of vault authentication
However, the nixos-install script fails on khs openstack
as the system won't boot up after installation due to it
being unable to locate the root disk. I am not sure which disk
it ends up finding.
2025-07-09 23:53:42 +02:00


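# Terranix module declaring Vault AppRole auth-backend roles and their
# SecretIDs. Each entry under `khscodes.vault.approle_auth_backend_role`
# becomes a `vault_approle_auth_backend_role` resource, and each entry under
# `khscodes.vault.approle_auth_backend_role_secret_id` becomes a
# `vault_approle_auth_backend_role_secret_id` resource.
#
# The outer function receives the project helper library; the inner one is
# the usual module signature.
{ khscodesLib, ... }:
{ lib, config, ... }:
let
  cfg = config.khscodes.vault;
in
{
  options.khscodes.vault = {
    approle_auth_backend_role = lib.mkOption {
      type = lib.types.attrsOf (
        khscodesLib.mkSubmodule {
          options = {
            backend = lib.mkOption {
              type = lib.types.str;
              description = "Path of the backend";
              default = "approle";
            };
            role_name = lib.mkOption {
              type = lib.types.str;
              description = "Name of the role";
            };
            # The lifetime / use-count limits have no defaults on purpose:
            # every role must state them explicitly. Note that in Vault a
            # value of 0 for secret_id_num_uses means "unlimited uses", so 0
            # is not a "disabled" value — TODO confirm the same reading for
            # the TTL fields against the Vault docs in use.
            secret_id_ttl = lib.mkOption {
              type = lib.types.int;
              description = "TTL for the secret id, in seconds";
            };
            secret_id_num_uses = lib.mkOption {
              type = lib.types.int;
              description = "Maximum number of uses per secret id";
            };
            token_ttl = lib.mkOption {
              type = lib.types.int;
              description = "TTL for the tokens issued, in seconds";
            };
            token_max_ttl = lib.mkOption {
              type = lib.types.int;
              description = "Max TTL for the tokens issued, in seconds";
            };
            token_policies = lib.mkOption {
              type = lib.types.listOf lib.types.str;
              description = "Policies attached to the backend role";
            };
          };
          description = "vault_approle_auth_backend_role";
        }
      );
      description = "Defines an app backend role";
      default = { };
    };

    approle_auth_backend_role_secret_id = lib.mkOption {
      type = lib.types.attrsOf (
        khscodesLib.mkSubmodule {
          options = {
            backend = lib.mkOption {
              type = lib.types.str;
              description = "Path of the backend";
              default = "approle";
            };
            role_name = lib.mkOption {
              type = lib.types.str;
              description = "The name of the role to create the SecretID for";
            };
            # An empty list places no source-address restriction on logins
            # performed with this SecretID.
            cidr_list = lib.mkOption {
              type = lib.types.listOf lib.types.str;
              description = "If set, specifies blocks of IP addresses which can perform the login operation using this SecretID";
              default = [ ];
            };
            # Serialised to a JSON string in the config section below, which
            # is the form the Terraform resource expects.
            metadata = lib.mkOption {
              type = lib.types.attrsOf lib.types.str;
              description = "Metadata associated with tokens issued by this secret";
              default = { };
            };
            # 300 is this module's default, not Vault's; in Vault 0 means
            # unlimited uses.
            num_uses = lib.mkOption {
              type = lib.types.int;
              description = "Number of uses for the secret id";
              default = 300;
            };
            # When null (the default) the SecretID is returned unwrapped, and
            # the Terraform provider keeps it in state as the resource's
            # secret_id attribute — the state file must then be treated as
            # secret material.
            wrapping_ttl = lib.mkOption {
              type = lib.types.nullOr lib.types.int;
              description = "If set, the SecretID response will be response-wrapped and available for the duration specified. Only a single unwrapping of the token is allowed.";
              default = null;
            };
            with_wrapped_accessor = lib.mkOption {
              type = lib.types.bool;
              description = "Set to `true` to use the wrapped secret-id accessor as the resource ID. If `false` (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or invalidated through unwrapping.";
              default = false;
            };
            # Nested option; it is passed through verbatim as the resource's
            # `lifecycle` block.
            lifecycle.ignore_changes = lib.mkOption {
              type = lib.types.listOf lib.types.str;
              description = "Ignores changes to the following properties when rerunning the terraform script";
              default = [ ];
            };
          };
          description = "vault_approle_auth_backend_role_secret_id";
        }
      );
      description = "Defines an app backend role secret id";
      default = { };
    };
  };

  # `cfg.enable` is declared elsewhere in the khscodes.vault module set —
  # not visible from this file.
  config = lib.mkIf cfg.enable {
    # Attribute names are sanitised into Terraform resource names. Two
    # distinct names that sanitise to the same string collide silently
    # (listToAttrs does not report duplicates), so keep names unique after
    # sanitising.
    resource.vault_approle_auth_backend_role = lib.mapAttrs' (name: value: {
      name = khscodesLib.sanitize-terraform-name name;
      inherit value;
    }) cfg.approle_auth_backend_role;

    resource.vault_approle_auth_backend_role_secret_id = lib.mapAttrs' (name: value: {
      name = khscodesLib.sanitize-terraform-name name;
      value = {
        inherit (value)
          backend
          role_name
          cidr_list
          wrapping_ttl
          num_uses
          with_wrapped_accessor
          lifecycle
          ;
        # The option type is `attrsOf str` with default `{ }`, so the null
        # branch is unreachable; it is kept so the rendered plan does not
        # change (an empty set still renders as the JSON string "{}").
        metadata = if value.metadata != null then builtins.toJSON value.metadata else null;
      };
    }) cfg.approle_auth_backend_role_secret_id;
  };
}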