{lib, config, pkgs, secret, inputs, ...}:
with lib;
let
certs = config.services.acme-sh.certs;
in
{
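services.hashicorp.vault = {
  enable = true;

  # The server binary comes from a pinned nixpkgs input, decoupling Vault
  # upgrades from the rest of the host.  The acme-sh hooks elsewhere in this
  # file call `${pkgs.vault}` from the system nixpkgs, so the CLI and the
  # server are not guaranteed to be the same version.
  package = inputs.nixpkgs-hashicorp.legacyPackages.${pkgs.stdenv.system}.vault-bin;

  settings = let
    ip = secret.network.ips.blowhole.ip;

    # TLS material shared by both listeners; issued by the
    # `services.acme-sh.certs.vault` entry and re-read on service reload.
    # NOTE(review): this assumes certPath/keyPath are plain strings.  A Nix
    # path value inside "${...}" would be copied into the world-readable
    # store, key included -- confirm against the acme-sh module.
    tls = {
      tls_cert_file = "${certs.vault.certPath}";
      tls_key_file = "${certs.vault.keyPath}";
    };
  in {
    # NOTE(review): in Vault's config `backend` is an alias of `storage`, and
    # both stanzas here point at /var/lib/vault.  They presumably cannot both
    # be in effect, and this file does not make it obvious which one wins.
    # Check "Storage Type" in `vault status` on the running server and drop
    # the stanza that is not in use rather than leaving the ambiguity.
    backend."file" = {
      path = "/var/lib/vault";
    };

    ui = true;

    # One loopback listener for local tooling and one on the LAN address.
    # TLS is not disabled on either, so every client must speak https.
    listener = builtins.map (address: { tcp = { inherit address; } // tls; }) [
      "localhost:8200"
      "${ip}:8200"
    ];

    storage."raft" = {
      path = "/var/lib/vault";
      node_id = "blowhole";
    };

    cluster_addr = "https://${ip}:8201";
    # api_addr is the URL Vault advertises for client redirects and raft
    # joins.  The listeners above serve TLS only, so it has to be https: with
    # an http:// value a redirected client would send its request, token
    # included, in plaintext to a port that only answers TLS.
    api_addr = "https://${ip}:8200";
  };
};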
services.acme-sh.certs.vault = {
  # Let's Encrypt production endpoint, validated over DNS-01 through the
  # Hetzner API, so issuance needs no inbound HTTP exposure on the host.
  production = true;
  # NOTE(review): acme.sh runs as root here.  A dedicated user that owns only
  # the state directory would be the least-privilege choice, if the acme-sh
  # module supports it.
  user = "root";

  mainDomain = "vault.in.redalder.org";
  domains."vault.in.redalder.org" = "dns_hetzner";

  # Vault only picks up its TLS files on start or reload, so poke the unit
  # after every renewal.  --no-block keeps the hook from waiting on it.
  postRun = ''
    systemctl try-reload-or-restart --no-block hashicorp-vault.service
  '';
};
systemd.services."acme-sh-vault" = {
  # Credentials for the dns_hetzner hook.  mkForce overrides whatever
  # EnvironmentFile the acme-sh module sets on its own; the file lives
  # outside the Nix store and should stay readable by root only.
  serviceConfig = {
    EnvironmentFile = mkForce "/var/secrets/hetzner.env";
  };
};
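services.acme-sh.certs.vault-wildcard = {
  production = true;
  # NOTE(review): acme.sh runs as root here.  A dedicated user that owns only
  # the state directory would be the least-privilege choice, if the acme-sh
  # module supports it.
  user = "root";

  domains."*.in.redalder.org" = "dns_hetzner";
  mainDomain = "*.in.redalder.org";

  # After every (re)issue, push the fresh material into the `pki-inra` PKI
  # mount as its CA bundle.  Runs in a subshell so fd 44 and the token
  # variable do not leak into the rest of the hook.
  postRun = ''
    (
      # Feed certificate + key to vault through an fd exposed in /proc so the
      # key never appears on the command line or in a temp file.  `cat` of
      # both files keeps a real newline between the two PEM blocks; a
      # double-quoted here-string containing "\n" does not, because bash
      # leaves that as a literal backslash-n and glues the blocks onto one
      # line, which the PEM parser rejects.
      #
      # NOTE(review): acme.sh normally stores the issuer chain in ca.cer and
      # the issued certificate in <domain>.cer / fullchain.cer.  Confirm that
      # ca.cer is really the file meant to be paired with the wildcard key.
      exec 44< <(cat '${certs.vault-wildcard.statePath}/*.in.redalder.org/ca.cer' \
                     '${certs.vault-wildcard.keyPath}')
      VAULT_ADDR="https://vault.in.redalder.org:8200" \
      VAULT_TOKEN="$(cat /run/secrets/vault-token)" \
      ${pkgs.vault}/bin/vault write pki-inra/config/ca pem_bundle=@/proc/self/fd/44
    )
  '';
};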
systemd.services."acme-sh-vault-wildcard" = {
  # Same Hetzner DNS credentials as the non-wildcard unit.  mkForce replaces
  # the module's own EnvironmentFile; keep the file outside the store and
  # readable by root only, since it holds the DNS API token.
  serviceConfig = {
    EnvironmentFile = mkForce "/var/secrets/hetzner.env";
  };
};
}