dotfiles/nixos/systems/blowhole/vault.nix

{lib, config, pkgs, secret, ...}:
with lib;
let
  certs = config.services.acme-sh.certs;
in
{
  services.hashicorp.vault = {
    enable = true;

    package = pkgs.vault-bin;

    settings = {
      backend."file" = {
        path = "/var/lib/vault";
      };

      ui = true;

      listener = [
        {
          "tcp" = {
            address = "localhost:8200";
            tls_cert_file =
              "${certs.vault.certPath}";
            tls_key_file =
              "${certs.vault.keyPath}";
          };
        }
        {
          "tcp" = {
            address = "${secret.network.ips.blowhole.ip}:8200";
            tls_cert_file =
              "${certs.vault.certPath}";
            tls_key_file =
              "${certs.vault.keyPath}";
          };
        }
      ];

      storage."raft" = {
        path = "/var/lib/vault";
        node_id = "blowhole";
      };
      cluster_addr = "https://${secret.network.ips.blowhole.ip}:8201";
      api_addr = "http://${secret.network.ips.blowhole.ip}:8200";
    };
  };

  services.acme-sh.certs.vault = {
    production = true;
    user = "root";
    domains = {
      "vault.in.redalder.org" = "dns_hetzner";
    };
    mainDomain = "vault.in.redalder.org";
    # Trigger vault to reread certificate files.
    postRun = ''
      systemctl try-reload-or-restart --no-block hashicorp-vault.service
    '';
  };
  systemd.services."acme-sh-vault" = {
    serviceConfig.EnvironmentFile = mkForce "/var/secrets/hetzner.env";
  };

  services.acme-sh.certs.vault-wildcard = {
    production = true;
    user = "root";
    domains = {
      "*.in.redalder.org" = "dns_hetzner";
    };
    mainDomain = "*.in.redalder.org";
    # Trigger vault to reread certificate files.
    postRun = ''
      (
        exec 44<<<"$(cat '${certs.vault-wildcard.statePath}/*.in.redalder.org/ca.cer')\n$(cat '${certs.vault-wildcard.keyPath}')"
        VAULT_ADDR="https://vault.in.redalder.org:8200" \
          VAULT_TOKEN="$(cat /run/secrets/vault-token)" \
          ${pkgs.vault}/bin/vault write pki-inra/config/ca pem_bundle=@/proc/self/fd/44
      )
    '';
  };
  systemd.services."acme-sh-vault-wildcard" = {
    serviceConfig.EnvironmentFile = mkForce "/var/secrets/hetzner.env";
  };
}
Large rework and cleanup Signed-off-by: main <magic_rb@redalder.org> 2022-07-31 11:03:59 +02:00			`{lib, config, pkgs, secret, ...}:`
			`with lib;`
			`let`
Setup acme.sh for Vault Signed-off-by: Magic_RB <magic_rb@redalder.org> 2022-10-11 07:55:27 +02:00			`certs = config.services.acme-sh.certs;`
Large rework and cleanup Signed-off-by: main <magic_rb@redalder.org> 2022-07-31 11:03:59 +02:00			`in`
			`{`
			`services.hashicorp.vault = {`
			`enable = true;`

			`package = pkgs.vault-bin;`

			`settings = {`
			`backend."file" = {`
			`path = "/var/lib/vault";`
			`};`

			`ui = true;`

			`listener = [`
			`{`
			`"tcp" = {`
			`address = "localhost:8200";`
			`tls_cert_file =`
Setup acme.sh for Vault Signed-off-by: Magic_RB <magic_rb@redalder.org> 2022-10-11 07:55:27 +02:00			`"${certs.vault.certPath}";`
Large rework and cleanup Signed-off-by: main <magic_rb@redalder.org> 2022-07-31 11:03:59 +02:00			`tls_key_file =`
Setup acme.sh for Vault Signed-off-by: Magic_RB <magic_rb@redalder.org> 2022-10-11 07:55:27 +02:00			`"${certs.vault.keyPath}";`
Large rework and cleanup Signed-off-by: main <magic_rb@redalder.org> 2022-07-31 11:03:59 +02:00			`};`
			`}`
			`{`
			`"tcp" = {`
			`address = "${secret.network.ips.blowhole.ip}:8200";`
			`tls_cert_file =`
Setup acme.sh for Vault Signed-off-by: Magic_RB <magic_rb@redalder.org> 2022-10-11 07:55:27 +02:00			`"${certs.vault.certPath}";`
Large rework and cleanup Signed-off-by: main <magic_rb@redalder.org> 2022-07-31 11:03:59 +02:00			`tls_key_file =`
Setup acme.sh for Vault Signed-off-by: Magic_RB <magic_rb@redalder.org> 2022-10-11 07:55:27 +02:00			`"${certs.vault.keyPath}";`
Large rework and cleanup Signed-off-by: main <magic_rb@redalder.org> 2022-07-31 11:03:59 +02:00			`};`
			`}`
			`];`

			`storage."raft" = {`
			`path = "/var/lib/vault";`
			`node_id = "blowhole";`
			`};`
			`cluster_addr = "https://${secret.network.ips.blowhole.ip}:8201";`
			`api_addr = "http://${secret.network.ips.blowhole.ip}:8200";`
			`};`
			`};`
Setup acme.sh for Vault Signed-off-by: Magic_RB <magic_rb@redalder.org> 2022-10-11 07:55:27 +02:00
			`services.acme-sh.certs.vault = {`
			`production = true;`
			`user = "root";`
			`domains = {`
			`"vault.in.redalder.org" = "dns_hetzner";`
			`};`
			`mainDomain = "vault.in.redalder.org";`
			`# Trigger vault to reread certificate files.`
			`postRun = ''`
			`systemctl try-reload-or-restart --no-block hashicorp-vault.service`
			`'';`
			`};`
			`systemd.services."acme-sh-vault" = {`
			`serviceConfig.EnvironmentFile = mkForce "/var/secrets/hetzner.env";`
			`};`

			`services.acme-sh.certs.vault-wildcard = {`
			`production = true;`
			`user = "root";`
			`domains = {`
			`"*.in.redalder.org" = "dns_hetzner";`
			`};`
			`mainDomain = "*.in.redalder.org";`
			`# Trigger vault to reread certificate files.`
			`postRun = ''`
			`(`
			`exec 44<<<"$(cat '${certs.vault-wildcard.statePath}/*.in.redalder.org/ca.cer')\n$(cat '${certs.vault-wildcard.keyPath}')"`
			`VAULT_ADDR="https://vault.in.redalder.org:8200" \`
			`VAULT_TOKEN="$(cat /run/secrets/vault-token)" \`
			`${pkgs.vault}/bin/vault write pki-inra/config/ca pem_bundle=@/proc/self/fd/44`
			`)`
			`'';`
			`};`
			`systemd.services."acme-sh-vault-wildcard" = {`
			`serviceConfig.EnvironmentFile = mkForce "/var/secrets/hetzner.env";`
			`};`
Large rework and cleanup Signed-off-by: main <magic_rb@redalder.org> 2022-07-31 11:03:59 +02:00			`}`