nixos/vault-agent: listen on UDS only

This UDS is going to be private to vault-agent and tokend (which doesn't exist
yet).

As a stopgap, secretsmgrd will for now be granted direct access to speak to the
Vault Agent over the UDS.

tokend will be responsible for provisioning applications with tokens, by
issuing subtokens which have roles corresponding to the user account requesting
access.
Luke Granger-Brown 2022-03-20 11:14:51 +00:00
parent d97a1b7437
commit 58a907b700


@ -53,8 +53,8 @@ in
}]; }];
cache.use_auto_auth_token = mkDefault true; cache.use_auto_auth_token = mkDefault true;
listener.tcp = { listener.unix = {
address = mkDefault "127.0.0.1:8200"; address = mkDefault "/run/vault-agent/sock";
tls_disable = mkDefault true; tls_disable = mkDefault true;
}; };
}; };
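Review bot: The new listener.unix stanza pins only the address, so the socket's own mode is whatever the agent creates it with, while the second hunk widens RuntimeDirectoryMode from 0700 to 0750 to let some group traverse /run/vault-agent; nothing in either hunk shows which group that is or ties it to secretsmgrd (the unit's User/Group settings are outside the hunks). Because tls_disable stays true and cache.use_auto_auth_token is enabled, the ability to connect to the socket is effectively the only check on who can make requests with the agent's token, so the socket permissions should be set explicitly next to the address, e.g. `socket_mode = mkDefault "0660";` plus a `socket_group` naming the consumer's group, rather than relying on the umask. A short comment on the listener would also keep the intent from the commit message visible in the config, e.g. `# Private to vault-agent and tokend; secretsmgrd has stopgap access only.`, so the 0750 widening is not loosened further later without revisiting who may reach the socket.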
@ -72,7 +72,7 @@ in
environment.VAULT_CLIENT_TIMEOUT = "15m"; environment.VAULT_CLIENT_TIMEOUT = "15m";
serviceConfig = { serviceConfig = {
RuntimeDirectory = "vault-agent"; RuntimeDirectory = "vault-agent";
RuntimeDirectoryMode = "0700"; RuntimeDirectoryMode = "0750";
StateDirectory = "vault-agent"; StateDirectory = "vault-agent";
StateDirectoryMode = "0700"; StateDirectoryMode = "0700";