ops/vault: use wrapping token to protect secret IDs in transit

Luke Granger-Brown 2022-03-20 10:14:02 +00:00
parent 829d179d37
commit 132cb805b3
3 changed files with 28 additions and 2 deletions


@ -133,6 +133,7 @@ in
iftop htop jq iftop htop jq
depot.nix.pkgs.mercurial depot.nix.pkgs.mercurial
switch-prebuilt switch-prebuilt
depot.ops.vault.provision-secret-id
]; ];
networking.useDHCP = false; networking.useDHCP = false;


@ -2,6 +2,31 @@
# #
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
args: { { pkgs, ... }@args: {
cfg = import ./cfg args; cfg = import ./cfg args;
provision-secret-id = pkgs.writeShellApplication {
name = "provision-secret-id";
runtimeInputs = with pkgs; [ vault ];
text = ''
set -euo pipefail
export VAULT_ADDR=https://vault.int.lukegb.com/
if [[ "$(id -u)" != 0 ]]; then
echo Must be run as root >&2
exit 1
fi
echo -n "Secret wrapping token: "
read -r secret_id
SECRET_ID="$(vault unwrap -field=secret_id "''${secret_id}")"
RET="$?"
if [[ "$RET" != 0 ]]; then
exit $RET
fi
echo "$SECRET_ID" > /var/lib/vault-agent/secret-id
'';
};
} }
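Review bot: The unwrapped secret ID is written with `echo "$SECRET_ID" > /var/lib/vault-agent/secret-id` under the process's default umask, so unless the parent directory is already locked down the file can be created world-readable; add `umask 077` directly after `set -euo pipefail` so the file is created mode 0600 from the start. The `RET="$?"` check after the `vault unwrap` assignment is unreachable: under `set -e` a failing command substitution in an assignment already aborts the script, so those four lines can be dropped. The variable filled by `read -r secret_id` holds the wrapping token, not the secret ID; renaming it to `wrapping_token` keeps the two values apart for the next reader.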


@ -11,4 +11,4 @@ echo Checking login credentials... >&2
vault token lookup >/dev/null || vault login -method=oidc role=admin >&2 vault token lookup >/dev/null || vault login -method=oidc role=admin >&2
echo Creating new secret... >&2 echo Creating new secret... >&2
vault write -f -format=json auth/approle/role/${server_name}/secret-id | jq -r '.data.secret_id' vault write -f -format=json -wrap-ttl=3m auth/approle/role/${server_name}/secret-id | jq -r '.wrap_info.token'
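Review bot: The new pipeline prints the wrapping token with no indication that it is single-use and expires after the `-wrap-ttl=3m` window, so an operator who pastes it late gets an opaque unwrap failure on the host; print a line such as `echo "Wrapping token below is single-use and expires in 3 minutes; pass it to provision-secret-id now." >&2` before the `vault write`. `${server_name}` is unquoted inside the role path; quoting it as `"${server_name}"` matches the rest of the script's quoting and keeps word splitting out of the path. The head of the script, including where `server_name` is set, lies outside the hunk.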