nixos/vault-agent: listen on UDS only
This UDS is going to be private to vault-agent and tokend (which doesn't exist yet). As a stopgap, for the moment, secretsmgrd will be granted direct access to speak to the Vault Agent over the UDS. tokend will be responsible for provisioning applications with tokens, by issuing subtokens which have roles corresponding to the user account requesting access.
This commit is contained in:
parent
d97a1b7437
commit
58a907b700
1 changed files with 3 additions and 3 deletions
|
@ -53,8 +53,8 @@ in
|
||||||
}];
|
}];
|
||||||
cache.use_auto_auth_token = mkDefault true;
|
cache.use_auto_auth_token = mkDefault true;
|
||||||
|
|
||||||
listener.tcp = {
|
listener.unix = {
|
||||||
address = mkDefault "127.0.0.1:8200";
|
address = mkDefault "/run/vault-agent/sock";
|
||||||
tls_disable = mkDefault true;
|
tls_disable = mkDefault true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -72,7 +72,7 @@ in
|
||||||
environment.VAULT_CLIENT_TIMEOUT = "15m";
|
environment.VAULT_CLIENT_TIMEOUT = "15m";
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
RuntimeDirectory = "vault-agent";
|
RuntimeDirectory = "vault-agent";
|
||||||
RuntimeDirectoryMode = "0700";
|
RuntimeDirectoryMode = "0750";
|
||||||
StateDirectory = "vault-agent";
|
StateDirectory = "vault-agent";
|
||||||
StateDirectoryMode = "0700";
|
StateDirectoryMode = "0700";
|
||||||
|
|
||||||
|
|
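Review bot: The new `listener.unix` stanza sets only `address`, so the socket file's own mode and group ownership are presumably left to the agent's defaults and the service umask, and since the first hunk keeps `cache.use_auto_auth_token = mkDefault true`, any process able to connect to `/run/vault-agent/sock` effectively holds the agent's token. `RuntimeDirectoryMode = "0750"` only controls traversal of the directory for the service's group (the service `User`/`Group` is not visible in either hunk); the connect permission check is on the socket itself. I would pin it next to `address`: `socket_mode = mkDefault "0660";` and `socket_group = mkDefault "<group secretsmgrd runs as>";`, and put a one-line comment above the stanza saying the socket is the trust boundary for secretsmgrd now and tokend later. The enclosing module attribute set starts before the first hunk and continues past the second.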