mirror of
https://git.sr.ht/~magic_rb/dotfiles
synced 2024-11-26 01:56:13 +01:00
48 lines
1.1 KiB
Nix
48 lines
1.1 KiB
Nix
{lib, config, pkgs, secret, ...}:
|
|
with lib;
|
|
let
|
|
in
|
|
{
|
|
services.hashicorp.vault = {
|
|
enable = true;
|
|
|
|
package = pkgs.vault-bin;
|
|
|
|
settings = {
|
|
backend."file" = {
|
|
path = "/var/lib/vault";
|
|
};
|
|
|
|
ui = true;
|
|
|
|
listener = [
|
|
{
|
|
"tcp" = {
|
|
address = "localhost:8200";
|
|
tls_cert_file =
|
|
"/var/secrets/${secret.network.ips.vault.dns}.crt.pem";
|
|
tls_key_file =
|
|
"/var/secrets/${secret.network.ips.vault.dns}.key.pem";
|
|
};
|
|
}
|
|
{
|
|
"tcp" = {
|
|
address = "${secret.network.ips.blowhole.ip}:8200";
|
|
tls_cert_file =
|
|
"/var/secrets/${secret.network.ips.vault.dns}.crt.pem";
|
|
tls_key_file =
|
|
"/var/secrets/${secret.network.ips.vault.dns}.key.pem";
|
|
};
|
|
}
|
|
];
|
|
|
|
storage."raft" = {
|
|
path = "/var/lib/vault";
|
|
node_id = "blowhole";
|
|
};
|
|
cluster_addr = "https://${secret.network.ips.blowhole.ip}:8201";
|
|
api_addr = "http://${secret.network.ips.blowhole.ip}:8200";
|
|
};
|
|
};
|
|
}
|