depot/ops/nixos/lib/vault-agent.nix

# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0

{ pkgs, config, depot, lib, ... }:
let
  inherit (lib) mkEnableOption mkOption types;
  mkDefault = lib.mkOverride 900;

  format = pkgs.formats.json {};
in
{
  options.my.vault = {
    enable = mkEnableOption "vault agent";
    roleID = mkOption {
      type = types.str;
      default = config.networking.hostName;
    };
    secretIDPath = mkOption {
      type = types.str;
      default = "/var/lib/vault-agent/secret-id";
    };
    settings = mkOption {
      type = format.type;
      default = {};
    };
    bindMountStateTo = mkOption {
      type = types.nullOr types.str;
      default = null;
    };
  };

  config = {
    my.vault.enable = mkDefault true;
    my.vault.settings = mkDefault {
      pid_file = "/run/vault-agent/pid";
      vault.address = "https://vault.int.lukegb.com";
      auto_auth.method = [{
        type = "approle";
        config = {
          role_id_file_path = pkgs.writeText "${config.my.vault.roleID}-role-id" config.my.vault.roleID;
          secret_id_file_path = config.my.vault.secretIDPath;
          remove_secret_id_file_after_reading = false;
        };
      }];
      cache.use_auto_auth_token = true;

      listener.tcp = {
        address = "127.0.0.1:8200";
        tls_disable = true;
      };
    };

    systemd = lib.optionalAttrs config.my.vault.enable {
      services.vault-agent = {
        description = "Hashicorp Vault Agent";
        wants = [ "network.target" ];
        after = [ "network.target" ];
        wantedBy = [ "multi-user.target" ];
        path = with pkgs; [ glibc.bin ];
        serviceConfig = {
          RuntimeDirectory = "vault-agent";
          RuntimeDirectoryMode = "0700";
          StateDirectory = "vault-agent";
          StateDirectoryMode = "0700";

          DynamicUser = true;
          User = "vault-agent";

          ProtectSystem = "strict";
          ProtectHome = "yes";

          ExecStart = "${pkgs.vault}/bin/vault agent -config=${format.generate "vault-agent.json" config.my.vault.settings}";
        };
      };

      mounts = lib.optional (config.my.vault.bindMountStateTo != null) {
        unitConfig.RequiresMountsFor = "${config.my.vault.bindMountStateTo} /var/lib/private/vault-agent";
        options = "bind";
        what = config.my.vault.bindMountStateTo;
        where = "/var/lib/private/vault-agent";
        requiredBy = [ "vault-agent.service" ];
        before = [ "vault-agent.service" ];
        wantedBy = [ "vault-agent.service" ];
      };
    };
  };
}
ops/nixos: add some vault-agent setup 2022-01-23 23:38:40 +00:00			`# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>`
			`#`
			`# SPDX-License-Identifier: Apache-2.0`

			`{ pkgs, config, depot, lib, ... }:`
			`let`
			`inherit (lib) mkEnableOption mkOption types;`
			`mkDefault = lib.mkOverride 900;`

			`format = pkgs.formats.json {};`
			`in`
			`{`
			`options.my.vault = {`
			`enable = mkEnableOption "vault agent";`
			`roleID = mkOption {`
			`type = types.str;`
			`default = config.networking.hostName;`
			`};`
			`secretIDPath = mkOption {`
			`type = types.str;`
			`default = "/var/lib/vault-agent/secret-id";`
			`};`
			`settings = mkOption {`
			`type = format.type;`
			`default = {};`
			`};`
			`bindMountStateTo = mkOption {`
			`type = types.nullOr types.str;`
			`default = null;`
			`};`
			`};`

			`config = {`
			`my.vault.enable = mkDefault true;`
			`my.vault.settings = mkDefault {`
			`pid_file = "/run/vault-agent/pid";`
			`vault.address = "https://vault.int.lukegb.com";`
			`auto_auth.method = [{`
			`type = "approle";`
			`config = {`
			`role_id_file_path = pkgs.writeText "${config.my.vault.roleID}-role-id" config.my.vault.roleID;`
			`secret_id_file_path = config.my.vault.secretIDPath;`
			`remove_secret_id_file_after_reading = false;`
			`};`
			`}];`
			`cache.use_auto_auth_token = true;`

			`listener.tcp = {`
			`address = "127.0.0.1:8200";`
			`tls_disable = true;`
			`};`
			`};`

			`systemd = lib.optionalAttrs config.my.vault.enable {`
			`services.vault-agent = {`
			`description = "Hashicorp Vault Agent";`
			`wants = [ "network.target" ];`
			`after = [ "network.target" ];`
			`wantedBy = [ "multi-user.target" ];`
			`path = with pkgs; [ glibc.bin ];`
			`serviceConfig = {`
			`RuntimeDirectory = "vault-agent";`
			`RuntimeDirectoryMode = "0700";`
			`StateDirectory = "vault-agent";`
			`StateDirectoryMode = "0700";`

			`DynamicUser = true;`
			`User = "vault-agent";`

			`ProtectSystem = "strict";`
			`ProtectHome = "yes";`

			`ExecStart = "${pkgs.vault}/bin/vault agent -config=${format.generate "vault-agent.json" config.my.vault.settings}";`
			`};`
			`};`

			`mounts = lib.optional (config.my.vault.bindMountStateTo != null) {`
			`unitConfig.RequiresMountsFor = "${config.my.vault.bindMountStateTo} /var/lib/private/vault-agent";`
			`options = "bind";`
			`what = config.my.vault.bindMountStateTo;`
			`where = "/var/lib/private/vault-agent";`
			`requiredBy = [ "vault-agent.service" ];`
			`before = [ "vault-agent.service" ];`
			`wantedBy = [ "vault-agent.service" ];`
			`};`
			`};`
			`};`
			`}`