dotfiles/nixos/systems/blowhole/vault.nix

{lib, config, pkgs, secret, ...}:
with lib;
let
in
{
  services.hashicorp.vault = {
    enable = true;

    package = pkgs.vault-bin;

    settings = {
      backend."file" = {
        path = "/var/lib/vault";
      };

      ui = true;

      listener = [
        {
          "tcp" = {
            address = "localhost:8200";
            tls_cert_file =
              "/var/secrets/${secret.network.ips.vault.dns}.crt.pem";
            tls_key_file =
              "/var/secrets/${secret.network.ips.vault.dns}.key.pem";
          };
        }
        {
          "tcp" = {
            address = "${secret.network.ips.blowhole.ip}:8200";
            tls_cert_file =
              "/var/secrets/${secret.network.ips.vault.dns}.crt.pem";
            tls_key_file =
              "/var/secrets/${secret.network.ips.vault.dns}.key.pem";
          };
        }
      ];

      storage."raft" = {
        path = "/var/lib/vault";
        node_id = "blowhole";
      };
      cluster_addr = "https://${secret.network.ips.blowhole.ip}:8201";
      api_addr = "http://${secret.network.ips.blowhole.ip}:8200";
    };
  };
}
Large rework and cleanup Signed-off-by: main <magic_rb@redalder.org> 2022-07-31 11:03:59 +02:00			`{lib, config, pkgs, secret, ...}:`
			`with lib;`
			`let`
			`in`
			`{`
			`services.hashicorp.vault = {`
			`enable = true;`

			`package = pkgs.vault-bin;`

			`settings = {`
			`backend."file" = {`
			`path = "/var/lib/vault";`
			`};`

			`ui = true;`

			`listener = [`
			`{`
			`"tcp" = {`
			`address = "localhost:8200";`
			`tls_cert_file =`
			`"/var/secrets/${secret.network.ips.vault.dns}.crt.pem";`
			`tls_key_file =`
			`"/var/secrets/${secret.network.ips.vault.dns}.key.pem";`
			`};`
			`}`
			`{`
			`"tcp" = {`
			`address = "${secret.network.ips.blowhole.ip}:8200";`
			`tls_cert_file =`
			`"/var/secrets/${secret.network.ips.vault.dns}.crt.pem";`
			`tls_key_file =`
			`"/var/secrets/${secret.network.ips.vault.dns}.key.pem";`
			`};`
			`}`
			`];`

			`storage."raft" = {`
			`path = "/var/lib/vault";`
			`node_id = "blowhole";`
			`};`
			`cluster_addr = "https://${secret.network.ips.blowhole.ip}:8201";`
			`api_addr = "http://${secret.network.ips.blowhole.ip}:8200";`
			`};`
			`};`
			`}`