dotfiles/nixos/systems/toothpick/vault-agent.nix
magic_rb 0b9583b4d3
Clean up inputs and unfree package handling
Signed-off-by: magic_rb <magic_rb@redalder.org>
2024-05-21 11:32:08 +02:00


{
  config,
  lib,
  pkgs,
  secret,
  inputs',
  ...
}: let
  # Vault Agent on toothpick: logs in with AppRole, writes its token to a
  # sink file, and renders the Consul and Nomad secret files from KV,
  # reloading/restarting the matching unit after every render.

  # Go-template bodies for the two rendered JSON files.
  # Every field uses `{{ or <value> "" }}`, so a secret that is missing or
  # lacks the expected key renders as "" instead of failing the render;
  # for "encrypt" this means the service would come up with an empty gossip
  # key rather than refusing to start -- keep that in mind when debugging.
  templateText = {
    consul = ''
      {
        "encrypt": "{{ with secret "kv/data/do-1/toothpick/consul/encryption_key" }}{{ or .Data.data.key "" }}{{ end }}",
        "acl": {
          "tokens": {
            "agent": "{{ with secret "kv/data/do-1/toothpick/consul/agent_token" }}{{ or .Data.data.secret "" }}{{ end }}",
            "replication": "{{ with secret "kv/data/do-1/toothpick/consul/replication_token" }}{{ or .Data.data.secret "" }}{{ end }}",
            "default": "{{ with secret "kv/data/do-1/toothpick/consul/anonymous_token" }}{{ or .Data.data.secret "" }}{{ end }}"
          }
        }
      }
    '';
    nomad = ''
      {
        "server": {
          "encrypt": "{{ with secret "kv/data/do-1/toothpick/nomad/encryption_key" }}{{ or .Data.data.key "" }}{{ end }}"
        },
        "acl": {
          "replication_token": "{{ with secret "kv/data/do-1/toothpick/nomad/replication_token" }}{{ or .Data.data.secret "" }}{{ end }}"
        },
        "vault": {
          "token": "{{ with secret "kv/data/do-1/toothpick/nomad/vault_token" }}{{ or .Data.data.secret "" }}{{ end }}"
        },
        "consul": {
          "token": "{{ with secret "kv/data/do-1/toothpick/nomad/consul_token" }}{{ or .Data.data.secret "" }}{{ end }}"
        }
      }
    '';
  };

  # One `template` stanza for service NAME: the template source in the store,
  # its rendered destination under /run/secrets, and the post-render hook.
  # NAME drives the store names ("<name>.json.vtmpl", "<name>-command"), the
  # destination path and the unit name, exactly as the per-service literals did.
  mkTemplate = name: {
    source = pkgs.writeText "${name}.json.vtmpl" templateText.${name};
    destination = "/run/secrets/${name}.json";
    # Runs as the agent, hence sudo (shipped via extraPackages below); the
    # sudoers rule that permits this systemctl call is not in this file.
    command = pkgs.writeShellScript "${name}-command" ''
      sudo systemctl try-reload-or-restart hashicorp-${name}.service
    '';
  };
in {
  services.hashicorp.vault-agent = {
    enable = true;
    package = pkgs.vault-bin;
    command = "agent";
    # sudo for the post-render hooks, getent for user lookups.
    extraPackages = [
      pkgs.sudo
      pkgs.getent
    ];

    settings = {
      vault = {
        # `or ""` turns a missing DNS entry into "https://:8200" (an unusable
        # address) instead of an evaluation error.
        address = "https://${secret.network.ips.vault.dns or ""}:8200";
        retry.num_retries = 5;
      };

      auto_auth.method = [
        {
          approle = {
            mount_path = "auth/approle";
            config = {
              role_id_file_path = "/var/secrets/approle.roleid";
              secret_id_file_path = "/var/secrets/approle.secretid";
              # The secret_id is left on disk after login (presumably so the
              # agent can re-authenticate after a restart); /var/secrets thus
              # holds a reusable AppRole credential pair and must stay
              # readable only by the agent.
              remove_secret_id_file_after_reading = false;
            };
          };
        }
      ];

      # NOTE(review): this `sink` sits next to `auto_auth` rather than inside
      # it; Vault Agent documents `sink` as a child of `auto_auth` -- confirm
      # the module re-nests it, otherwise the token file may never be written.
      # No `mode` is set, so the file gets the agent's default permissions.
      sink = [
        {
          file = {
            type = "file";
            config = {
              path = "/run/secrets/vault-token";
            };
          };
        }
      ];

      template = [
        (mkTemplate "consul")
        (mkTemplate "nomad")
      ];
    };
  };
}