depot/ops/vault/cfg/policies/server.hcl

 # Allow everyone to manage things under kv/server/<user>
path "kv/data/server/{{identity.entity.name}}/*" {
  capabilities = ["create", "update", "read", "delete"]
}

path "kv/metadata/server/{{identity.entity.name}}/*" {
  capabilities = ["list"]
}
path "kv/metadata/server" {
  capabilities = ["list"]
}

# Can read secrets for their own Wireguard keys.
path "kv/data/apps/wireguard/{{identity.entity.name}}" {
  capabilities = ["read"]
}
path "kv/metadata/apps/wireguard/{{identity.entity.name}}" {
  capabilities = ["read"]
}

path "kv/metadata/+" {
  capabilities = ["list"]
}

path "acme/certs/*" {
  capabilities = ["create"]
}

# Servers can always get nix-daemon data
path "kv/data/apps/nix-daemon" {
  capabilities = ["read"]
}
path "kv/metadata/apps/nix-daemon" {
  capabilities = ["read"]
}

# Servers can issue sub-tokens.
path "auth/token/create" {
  capabilities = ["update"]
}
ops/vault/cfg: initial configuration 2022-03-14 23:34:33 +00:00			`# Allow everyone to manage things under kv/server/<user>`
			`path "kv/data/server/{{identity.entity.name}}/*" {`
			`capabilities = ["create", "update", "read", "delete"]`
			`}`

			`path "kv/metadata/server/{{identity.entity.name}}/*" {`
			`capabilities = ["list"]`
			`}`
			`path "kv/metadata/server" {`
			`capabilities = ["list"]`
			`}`

ops/vault: allow servers to read their own wireguard keys 2023-01-15 19:23:53 +00:00			`# Can read secrets for their own Wireguard keys.`
			`path "kv/data/apps/wireguard/{{identity.entity.name}}" {`
			`capabilities = ["read"]`
			`}`
			`path "kv/metadata/apps/wireguard/{{identity.entity.name}}" {`
			`capabilities = ["read"]`
			`}`

ops/vault/cfg: initial configuration 2022-03-14 23:34:33 +00:00			`path "kv/metadata/+" {`
			`capabilities = ["list"]`
			`}`

			`path "acme/certs/*" {`
			`capabilities = ["create"]`
			`}`

			`# Servers can always get nix-daemon data`
			`path "kv/data/apps/nix-daemon" {`
			`capabilities = ["read"]`
			`}`
			`path "kv/metadata/apps/nix-daemon" {`
			`capabilities = ["read"]`
			`}`
tokend: init tokend is responsible for issuing service-scoped tokens based on the token held and generated by the Vault Agent. It can also generate "server-user" scoped tokens, which exist for convenience's sake: they are not a strong attestation of the user on the machine, and have limited privileges compared to a Vault token issued using e.g. `vault login -method=oidc`. 2022-03-20 17:47:52 +00:00
			`# Servers can issue sub-tokens.`
			`path "auth/token/create" {`
			`capabilities = ["update"]`
			`}`