{ pkgs, lib, config, tf, ... }: with lib; let in { systemd.services.hashicorp-vault-agent = let config = pkgs.writeText "hashicorp-vault-agent-tmpfiles.d" '' d /run/secrets 0750 root root 0 x /run/secrets/monitor 0750 root root - d /run/secrets/monitor 0750 root root 0 ''; in { preStart = "systemd-tmpfiles --create " + config; postStop = "systemd-tmpfiles --clean " + config; }; services.hashicorp.vault-agent = { enable = true; package = pkgs.vault; command = "agent"; extraPackages = with pkgs; [ sudo getent ]; settings = { vault = { address = "https://vault.in.redalder.org:8200"; retry = { num_retries = 5; }; }; auto_auth = { method = singleton { "approle" = { mount_path = "auth/approle"; config = { role_id_file_path = "/var/secrets/approle.roleid"; secret_id_file_path = "/var/secrets/approle.secretid"; remove_secret_id_file_after_reading = false; }; }; }; sink = [ { type = "file"; config = { path = "/run/secrets/vault-token"; }; } ]; }; template = [ { source = pkgs.writeText "id_ed_camera" '' {{ with secret "kv/data/homelab-1/blowhole/id_ed_camera" }}{{ .Data.data.private }}{{ end }} ''; destination = "/run/secrets/id_ed_camera"; command = pkgs.writeShellScript "id_ed_camera-command" '' export PATH=${pkgs.util-linux}/bin:$PATH chown root:root /run/secrets/id_ed_camera chmod 600 /run/secrets/id_ed_camera ''; } ]; }; }; }