lukegb/depot
1
0
Fork 0
Code Issues 1 Pull requests Projects Packages Activity Actions

ops/vault: create binary-cache-deployer

Browse source
This commit is contained in:
Luke Granger-Brown 2023-02-25 22:16:56 +00:00
parent d901b12f91
commit 08d59f4e20
3 changed files with 35 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
ops/vault/cfg/binary-cache-deployer.nix Normal file
View file

@ -0,0 +1,28 @@
{ ... }:
{
resource.vault_gcp_secret_roleset.binary_cache_deployer = {
backend = "\${vault_gcp_secret_backend.gcp.path}";
roleset = "binary-cache-deployer";
project = "lukegb-nix";
secret_type = "access_token";
token_scopes = [
"https://www.googleapis.com/auth/devstorage.read_write"
];
binding = [{
resource = "buckets/lukegb-nix-cache";
roles = ["roles/storage.objectAdmin"];
}];
};
my.servers.cofractal-ams01.appPolicies.gitlab-runner = ''
path "''${vault_gcp_secret_roleset.binary_cache_deployer.backend}/roleset/''${vault_gcp_secret_roleset.binary_cache_deployer.roleset}/token" {
capabilities = ["read"]
}
'';
my.servers.clouvider-lon01.appPolicies.gitlab-runner = ''
path "''${vault_gcp_secret_roleset.binary_cache_deployer.backend}/roleset/''${vault_gcp_secret_roleset.binary_cache_deployer.roleset}/token" {
capabilities = ["read"]
}
'';
}

2
ops/vault/cfg/config.nix
View file

@ -17,6 +17,7 @@
./acme-ca.nix ./acme-ca.nix
./lukegbcom-deployer.nix ./lukegbcom-deployer.nix
./binary-cache-deployer.nix
]; ];
terraform = { terraform = {
@ -74,6 +75,7 @@
my.servers.totoro.apps = [ "sslrenew-raritan" "deluge" "quotesdb" "authentik" "ads-b" ]; my.servers.totoro.apps = [ "sslrenew-raritan" "deluge" "quotesdb" "authentik" "ads-b" ];
my.servers.clouvider-fra01.apps = [ "deluge" ]; my.servers.clouvider-fra01.apps = [ "deluge" ];
my.servers.clouvider-lon01.apps = [ "quotesdb" "gitlab-runner" ]; my.servers.clouvider-lon01.apps = [ "quotesdb" "gitlab-runner" ];
my.servers.cofractal-ams01.apps = [ "deluge" "gitlab-runner" ];
my.servers.bvm-twitterchiver.apps = [ "twitterchiver" ]; my.servers.bvm-twitterchiver.apps = [ "twitterchiver" ];
my.servers.bvm-matrix.apps = [ "turn" "matrix-synapse" ]; my.servers.bvm-matrix.apps = [ "turn" "matrix-synapse" ];
my.servers.bvm-prosody.apps = [ "turn" ]; my.servers.bvm-prosody.apps = [ "turn" ];

5
ops/vault/cfg/lukegbcom-deployer.nix
View file

@ -24,4 +24,9 @@
capabilities = ["read"] capabilities = ["read"]
} }
''; '';
my.servers.cofractal-ams01.appPolicies.gitlab-runner = ''
path "''${vault_gcp_secret_roleset.lukegbcom_deployer.backend}/roleset/''${vault_gcp_secret_roleset.lukegbcom_deployer.roleset}/token" {
capabilities = ["read"]
}
'';
} }