# NixOS module: HashiCorp Vault served over TLS with certificates issued by
# acme-sh (DNS-01 via Hetzner).  The acme-sh `postRun` hooks are what make Vault
# pick up renewed certificates.
#
# NOTE(review): the excerpt ends inside the `vault-wildcard` postRun string; the
# rest of that hook is not visible here.
{lib, config, pkgs, secret, inputs', ...}: let
  inherit (lib) mkForce;
  # Shorthand for the acme-sh certificate set; the cert/key paths used by the
  # Vault listeners below are taken from here.
  certs = config.services.acme-sh.certs;
in {
  services.hashicorp.vault = {
    enable = true;
    # Vault binary comes from the pinned `nixpkgs-hashicorp` flake input rather
    # than the system nixpkgs.
    package = inputs'.nixpkgs-hashicorp.legacyPackages.${pkgs.stdenv.system}.vault-bin;
    settings = {
      # NOTE(review): both a `backend.file` stanza and a `storage.raft` stanza
      # below point at /var/lib/vault.  Confirm that only one storage backend is
      # intended; two stanzas on the same path look like a leftover.
      backend."file".path = "/var/lib/vault";
      ui = true;
      listener = [
        # Loopback listener; TLS with the acme-sh `vault` certificate.
        {
          "tcp" = {
            address = "localhost:8200";
            tls_cert_file = "${certs.vault.certPath}";
            tls_key_file = "${certs.vault.keyPath}";
          };
        }
        # LAN listener on this host's IP, read from the `secret` input.
        # NOTE(review): `or ""` turns a missing IP into the address ":8200",
        # which presumably binds every interface rather than failing evaluation;
        # confirm that fallback is wanted for a secrets service.
        {
          "tcp" = {
            address = "${secret.network.ips.blowhole.ip or ""}:8200";
            tls_cert_file = "${certs.vault.certPath}";
            tls_key_file = "${certs.vault.keyPath}";
          };
        }
      ];
      storage."raft" = {
        path = "/var/lib/vault";
        node_id = "blowhole";
      };
      cluster_addr = "https://${secret.network.ips.blowhole.ip or ""}:8201";
      # NOTE(review): api_addr uses http:// while both listeners above serve
      # TLS and cluster_addr uses https://.  https:// is likely the intended
      # scheme — confirm before clients or raft peers are pointed at it.
      api_addr = "http://${secret.network.ips.blowhole.ip or ""}:8200";
    };
  };

  # Certificate for the Vault hostname, obtained via the Hetzner DNS-01 hook.
  services.acme-sh.certs.vault = {
    production = true;
    # acme-sh runs as root here.  NOTE(review): confirm the issued key file ends
    # up readable by the Vault service user — that is not visible in this file.
    user = "root";
    domains."vault.in.redalder.org" = "dns_hetzner";
    mainDomain = "vault.in.redalder.org";
    # After (re)issue, ask systemd to reload/restart Vault so it reads the new
    # cert and key; --no-block keeps the acme-sh run from waiting on it.
    postRun = "systemctl try-reload-or-restart --no-block hashicorp-vault.service";
  };

  # Hetzner DNS API credentials for the dns_hetzner challenge; mkForce overrides
  # whatever EnvironmentFile the acme-sh module would otherwise set.
  # NOTE(review): the `vault-wildcard` certificate below also uses dns_hetzner,
  # but no matching EnvironmentFile override for `acme-sh-vault-wildcard` is
  # visible in this excerpt — confirm it is set elsewhere.
  systemd.services."acme-sh-vault" = {
    serviceConfig.EnvironmentFile = mkForce "/var/secrets/hetzner.env";
  };

  # Wildcard certificate for the internal zone, same issuer and DNS hook.
  services.acme-sh.certs.vault-wildcard = {
    production = true;
    user = "root";
    domains."*.in.redalder.org" = "dns_hetzner";
    mainDomain = "*.in.redalder.org";
    # Trigger vault to reread certificate files.  This hook builds a PEM bundle
    # first; its body is cut off at the end of this excerpt.
    postRun = '' PEM_BUNDLE=$(cat <