dotfiles/terranix/main/pki.nix
magic_rb 4a29b6d8d3
Move terranix config into terranix/main
Signed-off-by: magic_rb <magic_rb@redalder.org>
2024-04-07 10:45:07 +02:00


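# Terranix module: the Vault PKI mount for in.redalder.org, a policy that may
# replace its CA, the AIA/CRL URLs stamped into issued certificates, and one
# issuing role.
{config, ...}: let
  # Resolve the mount path once so every dependent resource points at the
  # same mount (and, at the Terraform level, is ordered after it).
  pkiMount = config.resource."vault_mount"."pki_inra".path;
  vaultUrl = "https://vault.in.redalder.org:8200";
in {
  resource."vault_mount"."pki_inra" = {
    path = "pki-inra";
    type = "pki";
    description = "in.redalder.org";
    # 8640000 s = 100 days. max_lease_ttl_seconds caps the lifetime of any
    # certificate issued from this mount, whatever a role requests.
    default_lease_ttl_seconds = 8640000;
    max_lease_ttl_seconds = 8640000;
  };

  # "update" on <mount>/config/ca allows replacing the CA key and certificate,
  # i.e. full control of this CA; only the CA-rotation workflow should hold it.
  resource."vault_policy"."pki_inra_update" = {
    name = "pki-inra-update";
    policy = ''
      path "${pkiMount}/config/ca" {
        capabilities = ["update"]
      }
    '';
  };

  # URLs written into the Authority Information Access and CRL Distribution
  # Points extensions of every certificate this mount issues. They must refer
  # to this mount: the previous hard-coded "pki" and "pki_int" segments are not
  # the "pki-inra" mount defined above, so relying parties would have fetched
  # the issuer chain and CRL from the wrong path (or none at all), leaving
  # revocation unverifiable.
  # The resource name "example" is the provider-docs placeholder; it is kept
  # because renaming it would change the Terraform address and recreate it.
  resource."vault_pki_secret_backend_config_urls"."example" = {
    backend = pkiMount;
    issuing_certificates = ["${vaultUrl}/v1/${pkiMount}/ca"];
    crl_distribution_points = ["${vaultUrl}/v1/${pkiMount}/crl"];
  };

  # Issuing role: 1 h certificates with RSA-4096 keys, restricted to the one
  # listed domain; IP SANs are permitted.
  resource."vault_pki_secret_backend_role"."test_role" = {
    backend = pkiMount;
    name = "test_role";
    ttl = 3600;
    allow_ip_sans = true;
    key_type = "rsa";
    key_bits = 4096;
    allowed_domains = ["test.in.redalder.org"];
    # NOTE(review): with allow_subdomains = false and allow_bare_domains left at
    # its default, Vault's PKI role does not permit the bare name
    # test.in.redalder.org either, so DNS-named issuance may be rejected —
    # confirm whether allow_bare_domains = true is intended.
    allow_subdomains = false;
  };
}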