dotfiles/nixos/systems/blowhole/vault.nix


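# Vault server for the `blowhole` host: a single-node raft instance fronted by
# an acme.sh-issued certificate for vault.in.redalder.org, plus a wildcard
# certificate for *.in.redalder.org that is pushed into the `pki-inra` secrets
# engine after every renewal.
{
  lib,
  config,
  pkgs,
  pkgs-hashicorp,
  secret,
  inputs',
  ...
}: let
  inherit (lib) mkForce;
  certs = config.services.acme-sh.certs;

  # LAN address the API and cluster listeners bind to. Previously this fell
  # back to "" when the secret was absent, which produced the address ":8200"
  # and made the TLS listener bind *every* interface (and left cluster_addr
  # as "https://:8201"). For a secrets store, failing evaluation is the safer
  # default than silently widening the bind address.
  blowholeIp =
    secret.network.ips.blowhole.ip
    or (throw "secret.network.ips.blowhole.ip is required to configure the vault listeners");

  # Listener stanza shared by both bind addresses: identical certificate pair,
  # TLS always on.
  tlsListener = address: {
    "tcp" = {
      inherit address;
      tls_cert_file = "${certs.vault.certPath}";
      tls_key_file = "${certs.vault.keyPath}";
    };
  };
in {
  services.hashicorp.vault = {
    enable = true;
    package = pkgs-hashicorp.vault-bin;
    settings = {
      # NOTE(review): `backend` is the legacy spelling of `storage`, so this
      # file declares two storage backends on the same directory. Vault uses a
      # single storage stanza; confirm that `raft` below is the one in effect
      # and drop this line.
      backend."file".path = "/var/lib/vault";
      ui = true;
      listener = [
        (tlsListener "localhost:8200")
        (tlsListener "${blowholeIp}:8200")
      ];
      storage."raft" = {
        path = "/var/lib/vault";
        node_id = "blowhole";
      };
      cluster_addr = "https://${blowholeIp}:8201";
      # Both listeners above are TLS-only, so the advertised API address must
      # be https as well: api_addr is what clients and standby nodes are
      # redirected to, and an http:// URL cannot be served by these listeners.
      api_addr = "https://${blowholeIp}:8200";
    };
  };

  # Listener certificate (DNS-01 via Hetzner). Vault re-reads its certificate
  # files on reload, so a renewal only needs a service reload.
  services.acme-sh.certs.vault = {
    production = true;
    user = "root";
    domains."vault.in.redalder.org" = "dns_hetzner";
    mainDomain = "vault.in.redalder.org";
    postRun = "systemctl try-reload-or-restart --no-block hashicorp-vault.service";
  };
  # Hetzner DNS API credentials for the challenge; kept out of the store.
  systemd.services."acme-sh-vault" = {
    serviceConfig.EnvironmentFile = mkForce "/var/secrets/hetzner.env";
  };

  # Wildcard certificate whose renewal is uploaded to the `pki-inra` secrets
  # engine as its CA bundle. The bundle is passed to the CLI through an
  # inherited file descriptor rather than argv or a temp file, so the private
  # key never appears in the process list or on disk outside acme.sh's state.
  # Authentication uses the token in /run/secrets/vault-token.
  #
  # NOTE(review): in acme.sh's layout `ca.cer` is the issuer chain, not the
  # issued certificate; paired with the leaf key this is a mismatched bundle.
  # Confirm whether `${certs.vault-wildcard.certPath}` (or fullchain) was
  # intended. The CLI also comes from `pkgs.vault` while the server runs
  # `pkgs-hashicorp.vault-bin` — consider using the same package for both.
  services.acme-sh.certs.vault-wildcard = {
    production = true;
    user = "root";
    domains."*.in.redalder.org" = "dns_hetzner";
    mainDomain = "*.in.redalder.org";
    postRun = ''
      PEM_BUNDLE=$(cat <<EOF
      $(cat '${certs.vault-wildcard.statePath}/*.in.redalder.org/ca.cer')
      $(cat '${certs.vault-wildcard.keyPath}')
      EOF
      )
      (
      exec 44<<<"$PEM_BUNDLE"
      VAULT_ADDR="https://vault.in.redalder.org:8200" \
      VAULT_TOKEN="$(cat /run/secrets/vault-token)" \
      ${pkgs.vault}/bin/vault write pki-inra/config/ca pem_bundle=@/proc/self/fd/44
      )
    '';
  };
  # Same Hetzner DNS credentials for the wildcard challenge.
  systemd.services."acme-sh-vault-wildcard" = {
    serviceConfig.EnvironmentFile = mkForce "/var/secrets/hetzner.env";
  };
}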