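{
  lib,
  config,
  pkgs,
  pkgs-hashicorp,
  secret,
  inputs',
  ...
}: let
  inherit
    (lib)
    mkForce
    ;

  certs = config.services.acme-sh.certs;

  # Address Vault binds to and advertises to peers. The `or ""` fallback keeps
  # evaluation working when the secret is not available, but it degrades the
  # listener address to ":8200", i.e. every interface, so make sure the secret
  # is present on any real deployment.
  blowholeIp = secret.network.ips.blowhole.ip or "";

  # TLS material shared by every TCP listener (the per-host `vault` cert below).
  vaultTls = {
    tls_cert_file = "${certs.vault.certPath}";
    tls_key_file = "${certs.vault.keyPath}";
  };

  # Hetzner DNS-01 API credentials, used by both acme.sh jobs.
  hetznerEnv = "/var/secrets/hetzner.env";
in {
  services.hashicorp.vault = {
    enable = true;

    package = pkgs-hashicorp.vault-bin;

    settings = {
      ui = true;

      # Both listeners terminate TLS with the same host certificate.
      listener = [
        {
          "tcp" =
            {
              address = "localhost:8200";
            }
            // vaultTls;
        }
        {
          "tcp" =
            {
              address = "${blowholeIp}:8200";
            }
            // vaultTls;
        }
      ];

      # Integrated raft storage. The previous `backend."file"` entry pointing at
      # the same directory was dropped: `backend` is the legacy spelling of
      # `storage`, so the file declared two backends for one path and which one
      # won depended on the parser.
      storage."raft" = {
        path = "/var/lib/vault";
        node_id = "blowhole";
      };
      cluster_addr = "https://${blowholeIp}:8201";
      # Must be https: the listeners above only speak TLS, so a plain-http
      # api_addr would be advertised for redirects/request forwarding that the
      # listener cannot actually serve.
      api_addr = "https://${blowholeIp}:8200";
    };
  };

  # Host certificate for the Vault listeners (DNS-01 via Hetzner).
  services.acme-sh.certs.vault = {
    production = true;
    # root: the renewal hook talks to systemd.
    user = "root";
    domains."vault.in.redalder.org" = "dns_hetzner";
    mainDomain = "vault.in.redalder.org";
    # Make Vault pick up the renewed cert/key files.
    postRun = "systemctl try-reload-or-restart --no-block hashicorp-vault.service";
  };

  systemd.services."acme-sh-vault" = {
    serviceConfig.EnvironmentFile = mkForce hetznerEnv;
  };

  # Wildcard certificate that is pushed into the `pki-inra` PKI mount as its CA.
  services.acme-sh.certs.vault-wildcard = {
    production = true;
    # root: the hook reads /run/secrets/vault-token and the private key.
    user = "root";
    domains."*.in.redalder.org" = "dns_hetzner";
    mainDomain = "*.in.redalder.org";
    # Upload the renewed bundle to Vault's PKI mount.
    # NOTE(review): acme.sh normally writes the *issuer chain* to ca.cer, not the
    # leaf; pairing it with the leaf's private key would be rejected by Vault as
    # a key/cert mismatch — confirm that this bundle is what pki-inra expects.
    # The token in /run/secrets/vault-token only needs write access to
    # pki-inra/config/ca; keep it scoped to that path.
    postRun = ''
      # The bundle is assembled in a shell variable and handed to vault through
      # an inherited fd so the key never appears on the command line. bash may
      # still back the here-string with a temporary file, so TMPDIR should be
      # private to root.
      PEM_BUNDLE=$(cat <<EOF
      $(cat '${certs.vault-wildcard.statePath}/*.in.redalder.org/ca.cer')
      $(cat '${certs.vault-wildcard.keyPath}')
      EOF
      )
      (
        exec 44<<<"$PEM_BUNDLE"
        VAULT_ADDR="https://vault.in.redalder.org:8200" \
        VAULT_TOKEN="$(cat /run/secrets/vault-token)" \
        ${pkgs.vault}/bin/vault write pki-inra/config/ca pem_bundle=@/proc/self/fd/44
      )
    '';
  };

  systemd.services."acme-sh-vault-wildcard" = {
    serviceConfig.EnvironmentFile = mkForce hetznerEnv;
  };
}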