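# NixOS module: runs HashiCorp Vault Agent on this host, authenticating with
# AppRole and rendering secrets below /run/secrets.
#
# Arguments are the usual module arguments; only `pkgs` and `lib` are used here
# (`config`, `tf` and `inputs'` are accepted for signature compatibility).
{
  pkgs,
  lib,
  config,
  tf,
  inputs',
  ...
}: let
  inherit
    (lib)
    singleton
    ;
in {
  # Hooks on the agent's systemd unit: create the /run/secrets tree before the
  # agent starts and clean it again after the agent stops. The unit itself is
  # defined by services.hashicorp.vault-agent (outside this file).
  systemd.services.hashicorp-vault-agent = let
    # Named `tmpfilesConfig` rather than `config` so the module argument
    # `config` is not shadowed inside this let.
    #
    # /run/secrets is root-only (0750); the monitor/ and klipper/ subtrees are
    # 0755 — presumably so those services can traverse them. The `x` lines
    # exclude the subtrees from --clean. NOTE(review): confirm that files
    # placed under monitor/ and klipper/ carry their own restrictive modes.
    tmpfilesConfig = pkgs.writeText "hashicorp-vault-agent-tmpfiles.d" ''
      d /run/secrets 0750 root root 0
      x /run/secrets/monitor 0755 root root -
      d /run/secrets/monitor 0755 root root 0
      x /run/secrets/klipper 0755 root root -
      d /run/secrets/klipper 0755 root root 0
    '';
  in {
    preStart = "systemd-tmpfiles --create " + tmpfilesConfig;
    postStop = "systemd-tmpfiles --clean " + tmpfilesConfig;
    # The agent can only authenticate against an unsealed Vault, so it is
    # ordered after (and bound to) the unseal unit.
    requires = ["vault-unsealed.service"];
    after = ["vault-unsealed.service"];
  };

  services.hashicorp.vault-agent = {
    enable = true;
    package = pkgs.vault-bin;
    command = "agent";

    # Tools available to template `command` hooks.
    extraPackages = with pkgs; [
      sudo
      getent
    ];

    # Rendered into the agent's configuration file by the module.
    settings = {
      vault = {
        address = "https://vault.in.redalder.org:8200";
        retry = {
          num_retries = 5;
        };
      };

      auto_auth = {
        # AppRole login; RoleID and SecretID are read from files deployed
        # out of band under /var/secrets.
        method = singleton {
          "approle" = {
            mount_path = "auth/approle";
            config = {
              role_id_file_path = "/var/secrets/approle.roleid";
              secret_id_file_path = "/var/secrets/approle.secretid";
              # The SecretID file is kept so the agent can log in again after
              # a restart; it therefore stays a long-lived credential on disk
              # and must remain root-only (its mode is not managed here).
              remove_secret_id_file_after_reading = false;
            };
          };
        };

        # The client token is written to a file for other consumers.
        # NOTE(review): no `mode` is set; the file sink default is believed to
        # be 0640 — confirm against the agent version in use.
        sink = singleton {
          type = "file";
          config = {
            path = "/run/secrets/vault-token";
          };
        };
      };

      template = [
        {
          # SSH private key for the camera host, pulled from KV v2.
          source = pkgs.writeText "id_ed_camera" ''
            {{ with secret "kv/data/homelab-1/blowhole/id_ed_camera" }}{{ .Data.data.private }}{{ end }}
          '';
          destination = "/run/secrets/id_ed_camera";
          # Render the key 0600 from the first write. Without `perms`, a
          # destination that does not yet exist is created 0644 and is
          # readable by every local user until `command` below tightens it.
          perms = "0600";
          # Kept as a belt-and-braces fixup of owner and mode after each
          # render. chown/chmod come from coreutils; util-linux on PATH is
          # kept as-is — presumably a leftover, confirm before removing.
          command = pkgs.writeShellScript "id_ed_camera-command" ''
            export PATH=${pkgs.util-linux}/bin:$PATH
            chown root:root /run/secrets/id_ed_camera
            chmod 600 /run/secrets/id_ed_camera
          '';
        }
      ];
    };
  };
}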