etheroute-lon01: migrate to vault-agent-secrets

2022-03-11 14:40:55 +00:00 · 2022-03-11 14:40:55 +00:00 · c98f3312a7
commit c98f3312a7
parent 6e6e714cf1
1 changed files with 13 additions and 1 deletions
--- a/ops/nixos/etheroute-lon01/default.nix
+++ b/ops/nixos/etheroute-lon01/default.nix
@ -250,7 +250,7 @@ in {
  };
  services.pomerium = {
    enable = true;
-    secretsFile = machineSecrets.pomeriumSecrets;
+    secretsFile = config.my.vault.secrets.pomerium.path;

    settings = {
      address = ":443";
@ -361,6 +361,18 @@ in {
    ];
    reloadOrRestartUnits = [ "pomerium.service" ];
  };
+  my.vault.secrets.pomerium = {
+    template = ''
+      {{ with secret "kv/apps/pomerium" }}
+      COOKIE_SECRET={{ .Data.data.cookieSecret }}
+      SHARED_SECRET={{ .Data.data.sharedSecret }}
+      IDP_CLIENT_SECRET={{ .Data.data.idpClientSecret }}
+      SIGNING_KEY={{ .Data.data.signingKey }}
+      {{ end }}
+    '';
+    group = "root";
+    reloadOrRestartUnits = [ "pomerium.service" ];
+  };
  users.groups.acme = {};

  system.stateVersion = "20.09";