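{
  pkgs,
  lib,
  config,
  tf,
  inputs',
  ...
}: let
  inherit
    (lib)
    singleton
    ;
in {
  # Runtime layout for the secrets this agent renders.  The parent is
  # created 0750 root:root; the two per-consumer subdirectories are
  # excluded from clean-up (`x`) so they survive agent restarts, while
  # everything else under /run/secrets (the sink token, rendered
  # templates) is removed again in postStop because the `d` entries
  # carry age 0.
  #
  # NOTE(review): the subdirectories are 0755 while the parent is 0750,
  # so a non-root user can only reach them if it is in group root or
  # something outside this file widens the parent -- confirm the intended
  # consumers (monitor, klipper) can actually traverse the tree.
  systemd.services.hashicorp-vault-agent = let
    # Named `tmpfilesConf` rather than `config` so the module argument
    # `config` is not shadowed inside this let.
    tmpfilesConf = pkgs.writeText "hashicorp-vault-agent-tmpfiles.d" ''
      d /run/secrets 0750 root root 0
      x /run/secrets/monitor 0755 root root -
      d /run/secrets/monitor 0755 root root 0
      x /run/secrets/klipper 0755 root root -
      d /run/secrets/klipper 0755 root root 0
    '';
  in {
    preStart = "systemd-tmpfiles --create " + tmpfilesConf;
    # Age-0 clean-up: drops the token and rendered secrets when the agent
    # stops instead of leaving them in /run until reboot.
    postStop = "systemd-tmpfiles --clean " + tmpfilesConf;
    # vault-unsealed.service is defined elsewhere; the agent cannot
    # authenticate against a sealed Vault.
    requires = ["vault-unsealed.service"];
    after = ["vault-unsealed.service"];
  };
  services.hashicorp.vault-agent = {
    enable = true;
    package = pkgs.vault-bin;
    command = "agent";
    # Tools made available to template `command` hooks.
    extraPackages = with pkgs; [
      sudo
      getent
    ];
    settings = {
      vault = {
        address = "https://vault.in.redalder.org:8200";
        retry = {
          num_retries = 5;
        };
      };
      auto_auth = {
        method = singleton {
          "approle" = {
            mount_path = "auth/approle";
            config = {
              role_id_file_path = "/var/secrets/approle.roleid";
              secret_id_file_path = "/var/secrets/approle.secretid";
              # The secret_id is deliberately kept on disk so the agent can
              # re-authenticate after a restart.  Nothing in this file
              # manages the permissions of /var/secrets.
              # NOTE(review): confirm approle.secretid is root-only; a
              # long-lived secret_id on disk is the credential that matters
              # most here.
              remove_secret_id_file_after_reading = false;
            };
          };
        };
        # The agent token is written to tmpfs and cleaned up in postStop.
        # The file mode is left at the agent's default -- NOTE(review):
        # confirm it is not group/world readable.
        sink = singleton {
          type = "file";
          config = {
            path = "/run/secrets/vault-token";
          };
        };
      };
      template = [
        {
          # Renders the `private` field of the KV v2 secret into /run/secrets.
          source = pkgs.writeText "id_ed_camera" ''
            {{ with secret "kv/data/homelab-1/blowhole/id_ed_camera" }}{{ .Data.data.private }}{{ end }}
          '';
          destination = "/run/secrets/id_ed_camera";
          # Create the file 0600 from the start.  Without `perms` a fresh
          # destination is rendered with the agent's default mode and the
          # chmod in the hook below only tightens it afterwards; the 0750
          # parent limits who could observe that window, but there is no
          # reason to rely on it.
          perms = "0600";
          command = pkgs.writeShellScript "id_ed_camera-command" ''
            # chown/chmod ship in coreutils, not util-linux; the previous
            # PATH entry only worked because the unit's default PATH already
            # carried coreutils.
            export PATH=${pkgs.coreutils}/bin:$PATH
            chown root:root /run/secrets/id_ed_camera
            chmod 600 /run/secrets/id_ed_camera
          '';
        }
      ];
    };
  };
}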