feat(terraform/vault): support for tokens generation

We create the first machine-level token for bagel-box which has the
policy CI.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>

terraform/vault/default.nix

@@ -17,6 +17,22 @@
 
   infra.vault = {
     provider = "vault.floral";
+    tokens = {
+      bagel_box = {
+        policies = [ "ci" ];
+        renewable = true;
+        ttl = "7d";
+        # As long as the token is renewed every 14 days, its TTL can be extended of 7 more days.
+        period = "14d";
+        # A machine-wide token cannot live longer than 365 days, all of this is temporary anyway until we get proper machine identity.
+        explicit_max_ttl = "365d";
+        display_name = "bagel-box@infra.forkos.org machine-wide token";
+
+        metadata = {
+          purpose = "machine-account";
+        };
+      };
+    };
   };
 
   infra.pki = {

terraform/vault/generic.nix

@@ -13,5 +13,6 @@ in
   imports = [
     ./policy.nix
     ./sub-ca.nix
+    ./tokens.nix
   ];
 }

terraform/vault/tokens.nix

@@ -0,0 +1,19 @@
+{ config, lib, ... }:
+let
+  cfg = config.infra.vault.tokens;
+  inherit (lib) mkOption types mapAttrs;
+  mkToken = name: value: value // {
+    provider = config.infra.vault.provider;
+  };
+in
+{
+  options.infra.vault.tokens = mkOption {
+    # TODO: harden with freeformType json.
+    type = types.attrsOf types.unspecified;
+    default = { };
+  };
+
+  config = {
+    resource.vault_token = mapAttrs mkToken cfg;
+  };
+}