# NixOS module fragment: runs HashiCorp Vault Agent, logs it in with an
# AppRole whose credentials are read from /var/secrets, writes the
# resulting token to /run/secrets/vault-token, and renders one KV secret
# (an ed25519 private key) to /run/secrets/id_ed_camera.
#
# `config` and `tf` are accepted but not referenced in this file.
{ pkgs, lib, config, tf, ... }:

# Brings lib's helpers (`singleton` below) into scope unqualified.
with lib;

let
in
{
  systemd.services.hashicorp-vault-agent = {
    serviceConfig = {
      # systemd creates /run/secrets for this unit; both the token sink and
      # the rendered template below are written there. NOTE(review): a
      # RuntimeDirectory is normally removed when the unit stops, so the
      # token and key do not outlive the agent — confirm that is intended.
      RuntimeDirectory = "secrets";
    };
  };

  services.hashicorp.vault-agent =
    { enable = true;
      package = pkgs.vault;

      # Subcommand of the vault binary to run.
      command = "agent";

      # Extra binaries put on the agent's PATH. Neither is used by the
      # template command below — presumably needed elsewhere; verify.
      extraPackages = with pkgs;
        [ sudo getent ];

      # Vault Agent configuration; presumably serialised to the agent's
      # config file by the module.
      settings =
        { vault =
            { address = "https://vault.in.redalder.org:8200";
              retry =
                { num_retries = 5;
                };
            };

          auto_auth = {
            method = singleton
              { "approle" =
                  { mount_path = "auth/approle";
                    config =
                      { role_id_file_path = "/var/secrets/approle.roleid";
                        secret_id_file_path = "/var/secrets/approle.secretid";
                        # The secret id stays on disk after login so the agent
                        # can re-authenticate. NOTE(review): it is a long-lived
                        # credential — confirm the ownership/mode of
                        # /var/secrets restricts it to the agent's user.
                        remove_secret_id_file_after_reading = false;
                      };
                  };
              };

            # Where the agent writes the token it obtains.
            sink =
              [ { type = "file";
                  config =
                    { path = "/run/secrets/vault-token";
                      # NOTE(review): no `mode` is given, so the agent's
                      # default file mode applies to the token — confirm it
                      # is not readable by other users of /run/secrets.
                    };
                }
              ];
          };

          template = [
            {
              # Consul-template source: renders the `private` field of the
              # KV secret; the rendered file is the key material itself.
              source = pkgs.writeText "id_ed_camera" ''
                {{ with secret "kv/data/homelab-1/blowhole/id_ed_camera" }}{{ .Data.data.private }}{{ end }}
              '';
              destination = "/run/secrets/id_ed_camera";
              # Runs after the agent has written the destination. Until it
              # runs, the file carries whatever mode the agent gave it at
              # write time. NOTE(review): the template stanza's `perms`
              # option can set the mode at write time instead of fixing it
              # up afterwards — confirm the module passes it through.
              # chown/chmod are coreutils binaries, not util-linux;
              # presumably coreutils is already on the agent's PATH — verify.
              command = pkgs.writeShellScript "id_ed_camera-command" ''
                export PATH=${pkgs.util-linux}/bin:$PATH
                chown root:root /run/secrets/id_ed_camera
                chmod 600 /run/secrets/id_ed_camera
              '';
            }
          ];
        };
    };
}