feat(terraform/vault): add RabbitMQ server role

And allow CI to emit it. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2025-01-01 03:42:51 +01:00 · 2025-01-01 03:42:51 +01:00 · 1f634346eb
commit 1f634346eb
parent b107091d50
2 changed files with 19 additions and 1 deletions
--- a/terraform/vault/default.nix
+++ b/terraform/vault/default.nix
@ -63,7 +63,9 @@
            ci = {
              # This allows the CI to issue certificates for CI purposes.
              # It should be a relative path.
-              "pki/issue/ci".capabilities = [ "read" "create" "update" ];
+              "issue/ci".capabilities = [ "read" "create" "update" ];
+              # CI is allowed to be a RabbitMQ server.
+              "issue/rabbitmq-server".capabilities = [ "read" "create" "update" ];
            };
          };

@ -77,6 +79,17 @@
              allow_wildcard_certificates = false;
              ou = [ "Floral Systems Continuous Integration Systems" ];
            };
+
+            rabbitmq-server = {
+              ttl = "7d";
+              max_ttl = "45d";
+              allowed_domains = [ "amqp.forkos.org" ];
+              allow_bare_domains = true;
+              allow_subdomains = false;
+              allow_glob_domains = false;
+              allow_wildcard_certificates = false;
+              ou = [ "Floral Systems AMQP Systems" ];
+            };
          };

          # It's possible to continue the chain but we don't need that here.
--- a/terraform/vault/role-options.nix
+++ b/terraform/vault/role-options.nix
@ -30,6 +30,11 @@ in
      type = types.listOf types.str;
    };

+    allow_bare_domains = mkOption {
+      type = types.bool;
+      default = false;
+    };
+
    allow_subdomains = mkOption {
      type = types.bool;
      default = false;