ops/vault: destroy existing secrets before provisioning a new one

ops/vault/default.nix

@@ -27,6 +27,9 @@
         exit $RET
       fi
       echo "$SECRET_ID" > /var/lib/vault-agent/secret-id
+
+      systemctl restart vault-agent
+      systemctl restart secretsmgr || true
     '';
   };
 }

ops/vault/reissue-secret-id.sh

@@ -10,5 +10,11 @@ export VAULT_ADDR=https://vault.int.lukegb.com/
 echo Checking login credentials... >&2
 vault token lookup >/dev/null || vault login -method=oidc role=admin >&2
 
+echo Destroying existing secrets for that server... >&2
+vault list -format=json "auth/approle/role/${server_name}/secret-id" | jq -r '.[]' | while read -r secret_id_accessor; do
+  echo -ne "\t$secret_id_accessor\n"
+  vault write "auth/approle/role/${server_name}/secret-id-accessor/destroy" secret_id_accessor="${secret_id_accessor}"
+done
+
 echo Creating new secret... >&2
-vault write -f -format=json -wrap-ttl=3m auth/approle/role/${server_name}/secret-id | jq -r '.wrap_info.token'
+vault write -f -format=json -wrap-ttl=3m "auth/approle/role/${server_name}/secret-id" | jq -r '.wrap_info.token'