lukegb/depot
1
0
Fork 0
Code Issues 1 Pull requests Projects Packages Activity Actions
depot/ops/vault/default.nix

36 lines
842 B
Nix
Raw Permalink Normal View History

ops/vault/cfg: init terranix stuff
2022-03-14 21:29:15 +00:00
# SPDX-FileCopyrightText: 2022 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
ops/vault: use wrapping token to protect secret IDs in transit
2022-03-20 10:14:02 +00:00
{ pkgs, ... }@args: {
ops/vault/cfg: init terranix stuff
2022-03-14 21:29:15 +00:00
cfg = import ./cfg args;
ops/vault: use wrapping token to protect secret IDs in transit
2022-03-20 10:14:02 +00:00
provision-secret-id = pkgs.writeShellApplication {
name = "provision-secret-id";
runtimeInputs = with pkgs; [ vault ];
text = ''
set -euo pipefail
export VAULT_ADDR=https://vault.int.lukegb.com/
if [[ "$(id -u)" != 0 ]]; then
echo Must be run as root >&2
exit 1
fi
echo -n "Secret wrapping token: "
read -r secret_id
SECRET_ID="$(vault unwrap -field=secret_id "''${secret_id}")"
RET="$?"
if [[ "$RET" != 0 ]]; then
exit $RET
fi
echo "$SECRET_ID" > /var/lib/vault-agent/secret-id
ops/vault: destroy existing secrets before provisioning a new one
2022-03-20 10:20:25 +00:00
systemctl restart vault-agent
systemctl restart secretsmgr || true
ops/vault: use wrapping token to protect secret IDs in transit
2022-03-20 10:14:02 +00:00
'';
};
ops/vault/cfg: init terranix stuff
2022-03-14 21:29:15 +00:00
}
Reference in a new issue Copy permalink