From c98f3312a75662d4c249fef6f9ea37b58230e58c Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <hg@lukegb.com>
Date: Fri, 11 Mar 2022 14:40:55 +0000
Subject: [PATCH] etheroute-lon01: migrate to vault-agent-secrets

---
 ops/nixos/etheroute-lon01/default.nix | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/ops/nixos/etheroute-lon01/default.nix b/ops/nixos/etheroute-lon01/default.nix
index cb933da0a6..b7b6452eb3 100644
--- a/ops/nixos/etheroute-lon01/default.nix
+++ b/ops/nixos/etheroute-lon01/default.nix
@@ -250,7 +250,7 @@ in {
   };
   services.pomerium = {
     enable = true;
-    secretsFile = machineSecrets.pomeriumSecrets;
+    secretsFile = config.my.vault.secrets.pomerium.path;
 
     settings = {
       address = ":443";
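Review bot: `secretsFile` now points at a file that vault-agent renders at runtime rather than one present at activation, so pomerium.service needs to be ordered after the unit that writes `config.my.vault.secrets.pomerium.path`; if the `my.vault.secrets` module does not add that dependency itself (not visible in this hunk), the first start after boot can race the render and fail on a missing file. The `reloadOrRestartUnits` entry in the second hunk only covers re-renders, not the initial start. Consider documenting the expected ordering next to this line, e.g. `# rendered by vault-agent; the unit ordering is provided by my.vault.secrets` or adding `systemd.services.pomerium.after`/`requires` on the agent unit if it is not. The enclosing `services.pomerium` attribute set continues outside the hunk.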
@@ -361,6 +361,18 @@ in {
     ];
     reloadOrRestartUnits = [ "pomerium.service" ];
   };
+  my.vault.secrets.pomerium = {
+    template = ''
+      {{ with secret "kv/apps/pomerium" }}
+      COOKIE_SECRET={{ .Data.data.cookieSecret }}
+      SHARED_SECRET={{ .Data.data.sharedSecret }}
+      IDP_CLIENT_SECRET={{ .Data.data.idpClientSecret }}
+      SIGNING_KEY={{ .Data.data.signingKey }}
+      {{ end }}
+    '';
+    group = "root";
+    reloadOrRestartUnits = [ "pomerium.service" ];
+  };
   users.groups.acme = {};
 
   system.stateVersion = "20.09";
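Review bot: The rendered file holds four credentials (cookie, shared, IdP client and signing key) and is made group-readable by `group = "root"` with no explicit `mode`, so its effective permissions depend on the module's default, which is not shown here. If pomerium runs as a dedicated user or DynamicUser rather than root, `group = "root"` is both too broad and possibly insufficient for it to read the file; the least-privilege choice is the service's own group, e.g. `group = config.services.pomerium.group;` if the module exposes one, or an explicit `mode` plus a comment stating why root group access is required. The template also emits values unquoted; if any of the stored secrets can contain newlines or `#`/`=`-sensitive characters the env-file parse will break silently, which is worth a short comment above the template.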