dotfiles/nixos/systems/blowhole/vault.nix

86 lines
2.3 KiB
Nix
Raw Normal View History

{lib, config, pkgs, secret, inputs, ...}:
with lib;
let
certs = config.services.acme-sh.certs;
in
{
services.hashicorp.vault = {
enable = true;
package = inputs.nixpkgs-hashicorp.legacyPackages.${pkgs.stdenv.system}.vault-bin;
settings = {
backend."file" = {
path = "/var/lib/vault";
};
ui = true;
listener = [
{
"tcp" = {
address = "localhost:8200";
tls_cert_file =
"${certs.vault.certPath}";
tls_key_file =
"${certs.vault.keyPath}";
};
}
{
"tcp" = {
address = "${secret.network.ips.blowhole.ip}:8200";
tls_cert_file =
"${certs.vault.certPath}";
tls_key_file =
"${certs.vault.keyPath}";
};
}
];
storage."raft" = {
path = "/var/lib/vault";
node_id = "blowhole";
};
cluster_addr = "https://${secret.network.ips.blowhole.ip}:8201";
api_addr = "http://${secret.network.ips.blowhole.ip}:8200";
};
};
services.acme-sh.certs.vault = {
production = true;
user = "root";
domains = {
"vault.in.redalder.org" = "dns_hetzner";
};
mainDomain = "vault.in.redalder.org";
# Trigger vault to reread certificate files.
postRun = ''
systemctl try-reload-or-restart --no-block hashicorp-vault.service
'';
};
systemd.services."acme-sh-vault" = {
serviceConfig.EnvironmentFile = mkForce "/var/secrets/hetzner.env";
};
services.acme-sh.certs.vault-wildcard = {
production = true;
user = "root";
domains = {
"*.in.redalder.org" = "dns_hetzner";
};
mainDomain = "*.in.redalder.org";
# Trigger vault to reread certificate files.
postRun = ''
(
exec 44<<<"$(cat '${certs.vault-wildcard.statePath}/*.in.redalder.org/ca.cer')\n$(cat '${certs.vault-wildcard.keyPath}')"
VAULT_ADDR="https://vault.in.redalder.org:8200" \
VAULT_TOKEN="$(cat /run/secrets/vault-token)" \
${pkgs.vault}/bin/vault write pki-inra/config/ca pem_bundle=@/proc/self/fd/44
)
'';
};
systemd.services."acme-sh-vault-wildcard" = {
serviceConfig.EnvironmentFile = mkForce "/var/secrets/hetzner.env";
};
}