mirror of
https://git.sr.ht/~magic_rb/dotfiles
synced 2024-12-01 12:36:13 +01:00
42 lines
1.2 KiB
Nix
42 lines
1.2 KiB
Nix
|
{ config, ... }:
|
||
|
{
|
||
|
resource."vault_mount"."pki_inra" = {
|
||
|
path = "pki-inra";
|
||
|
type = "pki";
|
||
|
description = "in.redalder.org";
|
||
|
default_lease_ttl_seconds = 8640000;
|
||
|
max_lease_ttl_seconds = 8640000;
|
||
|
};
|
||
|
|
||
|
resource."vault_policy"."pki_inra_update" = {
|
||
|
name = "pki-inra-update";
|
||
|
|
||
|
policy = ''
|
||
|
path "${config.resource."vault_mount"."pki_inra".path}/config/ca" {
|
||
|
capabilities = ["update"]
|
||
|
}
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
resource."vault_pki_secret_backend_config_urls"."example" = {
|
||
|
backend = config.resource."vault_mount"."pki_inra".path;
|
||
|
issuing_certificates = [
|
||
|
"https://vault.in.redalder.org:8200/v1/pki/ca"
|
||
|
];
|
||
|
crl_distribution_points = [
|
||
|
"https://vault.in.redalder.org:8200/v1/pki_int/crl"
|
||
|
];
|
||
|
};
|
||
|
|
||
|
resource."vault_pki_secret_backend_role"."test_role" = {
|
||
|
backend = config.resource."vault_mount"."pki_inra".path;
|
||
|
name = "test_role";
|
||
|
ttl = 3600;
|
||
|
allow_ip_sans = true;
|
||
|
key_type = "rsa";
|
||
|
key_bits = 4096;
|
||
|
allowed_domains = ["test.in.redalder.org"];
|
||
|
allow_subdomains = false;
|
||
|
};
|
||
|
}
|