diff --git a/ops/vault/default.nix b/ops/vault/default.nix index 6ec9f21681..1c3e66e3c6 100644 --- a/ops/vault/default.nix +++ b/ops/vault/default.nix @@ -27,6 +27,9 @@ exit $RET fi echo "$SECRET_ID" > /var/lib/vault-agent/secret-id + + systemctl restart vault-agent + systemctl restart secretsmgr || true ''; }; } diff --git a/ops/vault/reissue-secret-id.sh b/ops/vault/reissue-secret-id.sh index 0a144e2b38..ae0e8bf5d8 100755 --- a/ops/vault/reissue-secret-id.sh +++ b/ops/vault/reissue-secret-id.sh @@ -10,5 +10,11 @@ export VAULT_ADDR=https://vault.int.lukegb.com/ echo Checking login credentials... >&2 vault token lookup >/dev/null || vault login -method=oidc role=admin >&2 +echo Destroying existing secrets for that server... >&2 +vault list -format=json "auth/approle/role/${server_name}/secret-id" | jq -r '.[]' | while read -r secret_id_accessor; do + echo -ne "\t$secret_id_accessor\n" + vault write "auth/approle/role/${server_name}/secret-id-accessor/destroy" secret_id_accessor="${secret_id_accessor}" +done + echo Creating new secret... >&2 -vault write -f -format=json -wrap-ttl=3m auth/approle/role/${server_name}/secret-id | jq -r '.wrap_info.token' +vault write -f -format=json -wrap-ttl=3m "auth/approle/role/${server_name}/secret-id" | jq -r '.wrap_info.token'