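# NixOS module: HashiCorp Vault served behind acme-sh issued certificates.
#
# Three pieces are wired together here:
#   * the Vault server (services.hashicorp.vault) with a loopback and a
#     LAN-facing TLS listener backed by the acme-sh "vault" certificate,
#   * the acme-sh certificate for the Vault API hostname, reloaded into
#     Vault after every renewal, and
#   * an acme-sh wildcard certificate whose renewed bundle is pushed into
#     the `pki-inra` PKI mount's CA configuration.
#
# `secret.network.ips.blowhole.ip` (this host's address) and the acme-sh
# certificate attributes (`certPath`, `keyPath`, `statePath`) are provided
# by modules outside this file.
{ lib, config, pkgs, secret, ... }:

let
  inherit (lib) mkForce;

  certs = config.services.acme-sh.certs;
  hostIp = secret.network.ips.blowhole.ip;

  # Listener stanza shared by both endpoints: each terminates TLS with the
  # acme-sh "vault" certificate, so only the bind address differs.
  tlsListener = address: {
    "tcp" = {
      inherit address;
      tls_cert_file = "${certs.vault.certPath}";
      tls_key_file = "${certs.vault.keyPath}";
    };
  };
in
{
  services.hashicorp.vault = {
    enable = true;
    package = pkgs.vault-bin;

    settings = {
      # NOTE(review): a legacy `backend "file"` stanza and a `storage "raft"`
      # stanza are both declared, and both point at /var/lib/vault.  Vault
      # treats `backend` as a deprecated alias of `storage`, and when both are
      # present the `storage` stanza is the one expected to take effect — but
      # two conflicting stores on the same directory is a trap for the next
      # operator.  Confirm which one actually holds the data and drop the
      # other.
      backend."file" = {
        path = "/var/lib/vault";
      };

      ui = true;

      listener = [
        (tlsListener "localhost:8200")
        (tlsListener "${hostIp}:8200")
      ];

      storage."raft" = {
        path = "/var/lib/vault";
        node_id = "blowhole";
      };

      # Address other cluster members use for raft/replication traffic.
      cluster_addr = "https://${hostIp}:8201";
      # Address advertised to clients (and to other nodes) for request
      # redirection/forwarding.  Both listeners above terminate TLS, so the
      # advertised URL has to be https as well: an http:// api_addr sends
      # clients to a port that only speaks TLS and every forwarded request
      # fails.
      api_addr = "https://${hostIp}:8200";
    };
  };

  # Certificate for the Vault API hostname, validated through Hetzner DNS.
  services.acme-sh.certs.vault = {
    production = true;
    user = "root";
    domains = {
      "vault.in.redalder.org" = "dns_hetzner";
    };
    mainDomain = "vault.in.redalder.org";
    # Trigger vault to reread certificate files.
    postRun = ''
      systemctl try-reload-or-restart --no-block hashicorp-vault.service
    '';
  };

  # Hetzner DNS API credentials for the dns_hetzner validation hook.
  systemd.services."acme-sh-vault" = {
    serviceConfig.EnvironmentFile = mkForce "/var/secrets/hetzner.env";
  };

  # Wildcard certificate for the internal zone; every renewal is written
  # into the `pki-inra` PKI mount's CA config.
  services.acme-sh.certs.vault-wildcard = {
    production = true;
    user = "root";
    domains = {
      "*.in.redalder.org" = "dns_hetzner";
    };
    mainDomain = "*.in.redalder.org";
    # Hand the renewed PEM bundle to `vault write pki-inra/config/ca`.
    #
    # The bundle is built from two files joined by a real newline: inside a
    # double-quoted bash string "\n" is a literal backslash followed by `n`,
    # which breaks the PEM framing between the certificate and key blocks,
    # so the separator is written as $'\n'.  `$(cat …)` strips trailing
    # newlines, which is why the separator is needed at all.
    #
    # The bundle is passed to vault on fd 44 via /proc/self/fd so the key
    # material never appears on the command line or in the process list.
    #
    # NOTE(review): this pairs acme.sh's `ca.cer` (normally the issuer
    # chain) with the wildcard certificate's private key; Vault's config/ca
    # expects a CA certificate together with its matching key.  Confirm that
    # `ca.cer` is really the intended file for this mount.
    #
    # NOTE(review): the server runs `pkgs.vault-bin` while this hook invokes
    # `${pkgs.vault}`; the two can drift in version.
    postRun = ''
      (
        exec 44<<<"$(cat '${certs.vault-wildcard.statePath}/*.in.redalder.org/ca.cer')"$'\n'"$(cat '${certs.vault-wildcard.keyPath}')"
        VAULT_ADDR="https://vault.in.redalder.org:8200" \
        VAULT_TOKEN="$(cat /run/secrets/vault-token)" \
          ${pkgs.vault}/bin/vault write pki-inra/config/ca pem_bundle=@/proc/self/fd/44
      )
    '';
  };

  # Hetzner DNS API credentials for the wildcard's dns_hetzner hook.
  systemd.services."acme-sh-vault-wildcard" = {
    serviceConfig.EnvironmentFile = mkForce "/var/secrets/hetzner.env";
  };
}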