depot/ops/vault/cfg/policies/server-user.hcl

# This policy is granted to user accounts on servers - that is, "root", and anything in the users group.
# It allows for scoping things which shouldn't be in the Nix configuration, but are generally available to users on these machines.

# "Unauthenticated" users on servers can get nix-daemon kv.
path "kv/data/apps/nix-daemon" {
  capabilities = ["read"]
}
path "kv/metadata/apps/nix-daemon" {
  capabilities = ["read"]
}
tokend: init tokend is responsible for issuing service-scoped tokens based on the token held and generated by the Vault Agent. It can also generate "server-user" scoped tokens, which exist for convenience's sake: they are not a strong attestation of the user on the machine, and have limited privileges compared to a Vault token issued using e.g. `vault login -method=oidc`. 2022-03-20 17:47:52 +00:00			`# This policy is granted to user accounts on servers - that is, "root", and anything in the users group.`
			`# It allows for scoping things which shouldn't be in the Nix configuration, but are generally available to users on these machines.`

			`# "Unauthenticated" users on servers can get nix-daemon kv.`
			`path "kv/data/apps/nix-daemon" {`
			`capabilities = ["read"]`
			`}`
			`path "kv/metadata/apps/nix-daemon" {`
			`capabilities = ["read"]`
			`}`