2023-06-11 23:09:59 +02:00
|
|
|
{
|
2024-03-02 22:05:30 +01:00
|
|
|
config,
|
|
|
|
lib,
|
|
|
|
pkgs,
|
|
|
|
secret,
|
|
|
|
inputs',
|
|
|
|
...
|
|
|
|
}: let
|
|
|
|
inherit
|
|
|
|
(lib)
|
|
|
|
singleton
|
|
|
|
;
|
|
|
|
in {
|
2023-06-11 23:09:59 +02:00
|
|
|
services.hashicorp.vault-agent = {
|
|
|
|
enable = true;
|
2024-05-21 11:32:08 +02:00
|
|
|
package = pkgs.vault-bin;
|
2023-06-11 23:09:59 +02:00
|
|
|
|
|
|
|
command = "agent";
|
|
|
|
|
|
|
|
extraPackages = with pkgs; [
|
|
|
|
sudo
|
|
|
|
getent
|
|
|
|
];
|
|
|
|
|
|
|
|
settings = {
|
|
|
|
vault = {
|
|
|
|
address = "https://${secret.network.ips.vault.dns or ""}:8200";
|
|
|
|
retry.num_retries = 5;
|
|
|
|
};
|
|
|
|
|
2024-03-02 22:05:30 +01:00
|
|
|
auto_auth.method =
|
|
|
|
singleton
|
|
|
|
{
|
|
|
|
"approle" = {
|
|
|
|
mount_path = "auth/approle";
|
|
|
|
config = {
|
|
|
|
role_id_file_path = "/var/secrets/approle.roleid";
|
|
|
|
secret_id_file_path = "/var/secrets/approle.secretid";
|
|
|
|
remove_secret_id_file_after_reading = false;
|
2023-06-11 23:09:59 +02:00
|
|
|
};
|
|
|
|
};
|
2024-03-02 22:05:30 +01:00
|
|
|
};
|
2023-06-11 23:09:59 +02:00
|
|
|
|
2024-03-02 22:05:30 +01:00
|
|
|
sink =
|
|
|
|
singleton
|
|
|
|
{
|
|
|
|
"file" = {
|
|
|
|
type = "file";
|
|
|
|
config.path = "/run/secrets/vault-token";
|
2023-06-11 23:09:59 +02:00
|
|
|
};
|
2024-03-02 22:05:30 +01:00
|
|
|
};
|
2023-06-11 23:09:59 +02:00
|
|
|
|
2024-03-02 22:05:30 +01:00
|
|
|
template = [
|
|
|
|
{
|
|
|
|
source =
|
|
|
|
pkgs.writeText "consul.json.vtmpl"
|
|
|
|
''
|
|
|
|
{
|
|
|
|
"encrypt": "{{ with secret "kv/data/do-1/toothpick/consul/encryption_key" }}{{ or .Data.data.key "" }}{{ end }}",
|
|
|
|
"acl": {
|
|
|
|
"tokens": {
|
|
|
|
"agent": "{{ with secret "kv/data/do-1/toothpick/consul/agent_token" }}{{ or .Data.data.secret "" }}{{ end }}",
|
|
|
|
"replication": "{{ with secret "kv/data/do-1/toothpick/consul/replication_token" }}{{ or .Data.data.secret "" }}{{ end }}",
|
|
|
|
"default": "{{ with secret "kv/data/do-1/toothpick/consul/anonymous_token" }}{{ or .Data.data.secret "" }}{{ end }}"
|
2023-06-11 23:09:59 +02:00
|
|
|
}
|
|
|
|
}
|
2024-03-02 22:05:30 +01:00
|
|
|
}
|
|
|
|
'';
|
|
|
|
destination = "/run/secrets/consul.json";
|
|
|
|
command =
|
|
|
|
pkgs.writeShellScript "consul-command"
|
|
|
|
''
|
|
|
|
sudo systemctl try-reload-or-restart hashicorp-consul.service
|
|
|
|
'';
|
|
|
|
}
|
|
|
|
{
|
|
|
|
source =
|
|
|
|
pkgs.writeText "nomad.json.vtmpl"
|
|
|
|
''
|
|
|
|
{
|
|
|
|
"server": {
|
|
|
|
"encrypt": "{{ with secret "kv/data/do-1/toothpick/nomad/encryption_key" }}{{ or .Data.data.key "" }}{{ end }}"
|
|
|
|
},
|
|
|
|
"acl": {
|
|
|
|
"replication_token": "{{ with secret "kv/data/do-1/toothpick/nomad/replication_token" }}{{ or .Data.data.secret "" }}{{ end }}"
|
|
|
|
},
|
|
|
|
"vault": {
|
|
|
|
"token": "{{ with secret "kv/data/do-1/toothpick/nomad/vault_token" }}{{ or .Data.data.secret "" }}{{ end }}"
|
|
|
|
},
|
|
|
|
"consul": {
|
|
|
|
"token": "{{ with secret "kv/data/do-1/toothpick/nomad/consul_token" }}{{ or .Data.data.secret "" }}{{ end }}"
|
2023-06-11 23:09:59 +02:00
|
|
|
}
|
2024-03-02 22:05:30 +01:00
|
|
|
}
|
|
|
|
'';
|
|
|
|
destination = "/run/secrets/nomad.json";
|
|
|
|
command =
|
|
|
|
pkgs.writeShellScript "nomad-command"
|
|
|
|
''
|
|
|
|
sudo systemctl try-reload-or-restart hashicorp-nomad.service
|
|
|
|
'';
|
|
|
|
}
|
2023-06-11 23:09:59 +02:00
|
|
|
];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|