ops/nixos: add some vault-agent setup
This commit is contained in:
parent
3ad4c2399a
commit
7c418666fe
4 changed files with 141 additions and 4 deletions
|
@ -15,7 +15,10 @@ let
|
|||
mkDefault = lib.mkOverride 900;
|
||||
in
|
||||
{
|
||||
imports = [ ../../../third_party/home-manager/nixos ];
|
||||
imports = [
|
||||
../../../third_party/home-manager/nixos
|
||||
./vault-agent.nix
|
||||
];
|
||||
|
||||
options.my.specialisationName = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.str;
|
||||
|
|
88
ops/nixos/lib/vault-agent.nix
Normal file
88
ops/nixos/lib/vault-agent.nix
Normal file
|
@ -0,0 +1,88 @@
|
|||
# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
{ pkgs, config, depot, lib, ... }:
|
||||
let
|
||||
inherit (lib) mkEnableOption mkOption types;
|
||||
mkDefault = lib.mkOverride 900;
|
||||
|
||||
format = pkgs.formats.json {};
|
||||
in
|
||||
{
|
||||
options.my.vault = {
|
||||
enable = mkEnableOption "vault agent";
|
||||
roleID = mkOption {
|
||||
type = types.str;
|
||||
default = config.networking.hostName;
|
||||
};
|
||||
secretIDPath = mkOption {
|
||||
type = types.str;
|
||||
default = "/var/lib/vault-agent/secret-id";
|
||||
};
|
||||
settings = mkOption {
|
||||
type = format.type;
|
||||
default = {};
|
||||
};
|
||||
bindMountStateTo = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
my.vault.enable = mkDefault true;
|
||||
my.vault.settings = mkDefault {
|
||||
pid_file = "/run/vault-agent/pid";
|
||||
vault.address = "https://vault.int.lukegb.com";
|
||||
auto_auth.method = [{
|
||||
type = "approle";
|
||||
config = {
|
||||
role_id_file_path = pkgs.writeText "${config.my.vault.roleID}-role-id" config.my.vault.roleID;
|
||||
secret_id_file_path = config.my.vault.secretIDPath;
|
||||
remove_secret_id_file_after_reading = false;
|
||||
};
|
||||
}];
|
||||
cache.use_auto_auth_token = true;
|
||||
|
||||
listener.tcp = {
|
||||
address = "127.0.0.1:8200";
|
||||
tls_disable = true;
|
||||
};
|
||||
};
|
||||
|
||||
systemd = lib.optionalAttrs config.my.vault.enable {
|
||||
services.vault-agent = {
|
||||
description = "Hashicorp Vault Agent";
|
||||
wants = [ "network.target" ];
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
path = with pkgs; [ glibc.bin ];
|
||||
serviceConfig = {
|
||||
RuntimeDirectory = "vault-agent";
|
||||
RuntimeDirectoryMode = "0700";
|
||||
StateDirectory = "vault-agent";
|
||||
StateDirectoryMode = "0700";
|
||||
|
||||
DynamicUser = true;
|
||||
User = "vault-agent";
|
||||
|
||||
ProtectSystem = "strict";
|
||||
ProtectHome = "yes";
|
||||
|
||||
ExecStart = "${pkgs.vault}/bin/vault agent -config=${format.generate "vault-agent.json" config.my.vault.settings}";
|
||||
};
|
||||
};
|
||||
|
||||
mounts = lib.optional (config.my.vault.bindMountStateTo != null) {
|
||||
unitConfig.RequiresMountsFor = "${config.my.vault.bindMountStateTo} /var/lib/private/vault-agent";
|
||||
options = "bind";
|
||||
what = config.my.vault.bindMountStateTo;
|
||||
where = "/var/lib/private/vault-agent";
|
||||
requiredBy = [ "vault-agent.service" ];
|
||||
before = [ "vault-agent.service" ];
|
||||
wantedBy = [ "vault-agent.service" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -4,7 +4,7 @@
|
|||
|
||||
{ lib, config, ... }:
|
||||
let
|
||||
inherit (lib) mkOption types mkAfter mkIf;
|
||||
inherit (lib) mkOption types mkAfter mkIf mkDefault;
|
||||
robCfg = config.services.zfs.rollbackOnBoot;
|
||||
in
|
||||
{
|
||||
|
@ -31,11 +31,13 @@ in
|
|||
enable = true;
|
||||
monthly = 1;
|
||||
};
|
||||
systemd.tmpfiles.rules = lib.mkAfter (builtins.map (x: "L ${x} - - - - /persist{x}") robCfg.keepPaths);
|
||||
systemd.tmpfiles.rules = mkAfter (builtins.map (x: "L ${x} - - - - /persist{x}") robCfg.keepPaths);
|
||||
|
||||
boot.initrd.postDeviceCommands = mkIf robCfg.enable
|
||||
(mkAfter ''
|
||||
zfs rollback -r ${robCfg.snapshot}
|
||||
'');
|
||||
|
||||
my.vault.bindMountStateTo = mkIf robCfg.enable (mkDefault "/persist/var/lib/vault-agent");
|
||||
};
|
||||
}
|
||||
}
|
||||
|
|
44
ops/vault/create-server.sh
Executable file
44
ops/vault/create-server.sh
Executable file
|
@ -0,0 +1,44 @@
|
|||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -p vault -p jq -i bash
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
readonly server_name=${1}
|
||||
|
||||
export VAULT_ADDR=https://vault.int.lukegb.com/
|
||||
|
||||
echo Checking login credentials...
|
||||
vault token lookup >/dev/null || vault login -method=oidc role=admin
|
||||
|
||||
echo Grabbing approle accessor...
|
||||
APPROLE_ACCESSOR="$(vault auth list -format=json | jq -r '.["approle/"].accessor')"
|
||||
echo -ne "\t${APPROLE_ACCESSOR}\n"
|
||||
|
||||
echo Creating new approle...
|
||||
vault write auth/approle/role/${server_name} \
|
||||
secret_id_num_uses=0 \
|
||||
secret_id_ttl="" \
|
||||
token_ttl=20m \
|
||||
token_max_ttl=30m \
|
||||
token_policies="default,server" \
|
||||
token_max_uses=0
|
||||
|
||||
echo Setting role-id...
|
||||
vault write auth/approle/role/${server_name}/role-id role_id=${server_name}
|
||||
|
||||
echo Creating new secret...
|
||||
SECRET_ID="$(vault write -f -format=json auth/approle/role/${server_name}/secret-id | jq -r '.data.secret_id')"
|
||||
echo -ne "\t$SECRET_ID\n"
|
||||
|
||||
echo Creating entity...
|
||||
ENTITY_ID="$(vault write -format=json identity/entity \
|
||||
name="${server_name}" \
|
||||
policies="server" \
|
||||
metadata="server=${server_name}" | jq -r '.data.id')"
|
||||
echo -ne "\t$ENTITY_ID\n"
|
||||
|
||||
echo Creating entity alias...
|
||||
vault write identity/entity-alias \
|
||||
name="${server_name}" \
|
||||
canonical_id="${ENTITY_ID}" \
|
||||
mount_accessor="${APPROLE_ACCESSOR}"
|
Loading…
Reference in a new issue