From 58a907b700ab44b925a7fdc7de4496fefa485054 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Sun, 20 Mar 2022 11:14:51 +0000
Subject: [PATCH] nixos/vault-agent: listen on UDS only

This UDS is going to be private to vault-agent and tokend (which doesn't exist yet). As a stopgap, for the moment, secretsmgrd will be granted direct access to speak to the Vault Agent over the UDS. tokend will be responsible for provisioning applications with tokens, by issuing subtokens which have roles corresponding to the user account requesting access.
---
 ops/nixos/lib/vault-agent.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ops/nixos/lib/vault-agent.nix b/ops/nixos/lib/vault-agent.nix
index 326c4ad913..fb8fa450ac 100644
--- a/ops/nixos/lib/vault-agent.nix
+++ b/ops/nixos/lib/vault-agent.nix
@@ -53,8 +53,8 @@ in
 }];
 cache.use_auto_auth_token = mkDefault true;
- listener.tcp = {
- address = mkDefault "127.0.0.1:8200";
+ listener.unix = {
+ address = mkDefault "/run/vault-agent/sock";
 tls_disable = mkDefault true;
 };
 };
@@ -72,7 +72,7 @@ in
 environment.VAULT_CLIENT_TIMEOUT = "15m";
 serviceConfig = {
 RuntimeDirectory = "vault-agent";
- RuntimeDirectoryMode = "0700";
+ RuntimeDirectoryMode = "0750";
 StateDirectory = "vault-agent";
 StateDirectoryMode = "0700";
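Review bot: The new `listener.unix` stanza sets only `address`, so the socket file's own mode is left to vault-agent's default and the only access gate is the `0750` RuntimeDirectory from the second hunk, which in turn depends on a `Group=` for the service that is not visible here. Since `cache.use_auto_auth_token = mkDefault true` is kept, any process that can connect to `/run/vault-agent/sock` acts with the agent's own token, so the socket should be restricted explicitly rather than by directory traversal alone, e.g. add `socket_mode = mkDefault "0660";` and `socket_group = mkDefault "<group secretsmgrd is added to>";` (placeholder) next to `address`. The socket path also repeats `RuntimeDirectory = "vault-agent"` as a separate literal; binding the directory name once and deriving both values from it would keep them from drifting when either default is overridden. The enclosing attribute set begins before this hunk.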