
# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
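# NixOS module for `tokend`, a daemon that hands out Vault tokens to local
# clients based on the UID of the connecting process (see the unit's
# `description`). It is enabled by default and runs as its own unprivileged
# system user under a restricted systemd sandbox.
{ pkgs, config, depot, lib, ... }:
let
  inherit (lib) mkOption types mkBefore mkIf;
  cfg = config.my.vault.tokend;
in
{
  options.my.vault.tokend = {
    enable = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Whether to run the tokend daemon, which dynamically issues Vault
        tokens to local processes based on their UID.
      '';
    };
  };

  config = mkIf cfg.enable {
    # Dedicated, unprivileged identity for the daemon.
    users.groups.tokend = {};
    users.users.tokend = {
      isSystemUser = true;
      group = "tokend";
    };

    systemd.services.tokend = {
      description = "Daemon for dynamically issuing Vault tokens based on connecting UID";

      # Pull in vault-agent (the daemon is granted its group below, so it
      # presumably reads material that vault-agent produces) and order tokend
      # after it; `wants` alone only pulls the unit in, it does not order
      # start-up, so without the `after` entry tokend could start before
      # vault-agent's output exists. Ordering after vault-agent is safe even
      # if tokend tolerates that race.
      wants = [ "vault-agent.service" "network.target" ];
      after = [ "network.target" "vault-agent.service" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        User = "tokend";
        # Membership in vault-agent's group is what lets tokend reach
        # vault-agent-owned files/sockets while otherwise running unprivileged.
        SupplementaryGroups = [ "vault-agent" ];

        # /run/tokend, created by systemd for the service's lifetime.
        # 0755 leaves it world-traversable — presumably so that any local UID
        # can reach the listener tokend places there; confirm against tokend's
        # socket path and tighten if clients are meant to be a narrower set.
        RuntimeDirectory = "tokend";
        RuntimeDirectoryMode = "0755";

        # Sandboxing: the daemon serves arbitrary local UIDs, so keep its
        # blast radius small. It needs no setuid transitions, no writes
        # outside its runtime directory, and no access to user homes.
        NoNewPrivileges = true;
        ProtectSystem = "strict";
        ProtectHome = "yes";
        # Additional low-risk hardening: private /tmp (the socket lives in
        # /run/tokend, not /tmp), and no access to kernel tunables/modules,
        # cgroups or setuid/setgid file creation, none of which a token-issuing
        # userspace daemon should need.
        PrivateTmp = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;
        RestrictSUIDSGID = true;

        ExecStart = "${depot.go.tokend}/bin/tokend --logtostderr";
      };
    };
  };
}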