depot/ops/vault/cfg/binary-cache-deployer.nix

{ ... }:

{
  resource.vault_gcp_secret_roleset.binary_cache_deployer = {
    backend = "\${vault_gcp_secret_backend.gcp.path}";
    roleset = "binary-cache-deployer";
    project = "lukegb-nix";
    secret_type = "access_token";
    token_scopes = [
      "https://www.googleapis.com/auth/devstorage.read_write"
    ];
    binding = [{
      resource = "buckets/lukegb-nix-cache";
      roles = ["roles/storage.objectAdmin"];
    }];
  };

  my.servers.cofractal-ams01.appPolicies.gitlab-runner = ''
    path "''${vault_gcp_secret_roleset.binary_cache_deployer.backend}/roleset/''${vault_gcp_secret_roleset.binary_cache_deployer.roleset}/token" {
      capabilities = ["read"]
    }
  '';
  my.servers.clouvider-lon01.appPolicies.gitlab-runner = ''
    path "''${vault_gcp_secret_roleset.binary_cache_deployer.backend}/roleset/''${vault_gcp_secret_roleset.binary_cache_deployer.roleset}/token" {
      capabilities = ["read"]
    }
  '';
}
ops/vault: create binary-cache-deployer 2023-02-25 22:16:56 +00:00			`{ ... }:`

			`{`
			`resource.vault_gcp_secret_roleset.binary_cache_deployer = {`
			`backend = "\${vault_gcp_secret_backend.gcp.path}";`
			`roleset = "binary-cache-deployer";`
			`project = "lukegb-nix";`
			`secret_type = "access_token";`
			`token_scopes = [`
			`"https://www.googleapis.com/auth/devstorage.read_write"`
			`];`
			`binding = [{`
			`resource = "buckets/lukegb-nix-cache";`
			`roles = ["roles/storage.objectAdmin"];`
			`}];`
			`};`

			`my.servers.cofractal-ams01.appPolicies.gitlab-runner = ''`
			`path "''${vault_gcp_secret_roleset.binary_cache_deployer.backend}/roleset/''${vault_gcp_secret_roleset.binary_cache_deployer.roleset}/token" {`
			`capabilities = ["read"]`
			`}`
			`'';`
			`my.servers.clouvider-lon01.appPolicies.gitlab-runner = ''`
			`path "''${vault_gcp_secret_roleset.binary_cache_deployer.backend}/roleset/''${vault_gcp_secret_roleset.binary_cache_deployer.roleset}/token" {`
			`capabilities = ["read"]`
			`}`
			`'';`
			`}`