lukegb/depot
1
0
Fork 0
Code Issues1 Pull requests Projects Packages Activity Actions

etheroute-lon01: migrate to vault-agent-secrets

Browse source
This commit is contained in:
Luke Granger-Brown 2022-03-11 14:40:55 +00:00
parent 6e6e714cf1
commit c98f3312a7
1 changed files with 13 additions and 1 deletions

14
ops/nixos/etheroute-lon01/default.nix
View file

@ -250,7 +250,7 @@ in {
}; };
services.pomerium = { services.pomerium = {
enable = true; enable = true;
secretsFile = machineSecrets.pomeriumSecrets; secretsFile = config.my.vault.secrets.pomerium.path;
settings = { settings = {
address = ":443"; address = ":443";
@ -361,6 +361,18 @@ in {
]; ];
reloadOrRestartUnits = [ "pomerium.service" ]; reloadOrRestartUnits = [ "pomerium.service" ];
}; };
my.vault.secrets.pomerium = {
template = ''
{{ with secret "kv/apps/pomerium" }}
COOKIE_SECRET={{ .Data.data.cookieSecret }}
SHARED_SECRET={{ .Data.data.sharedSecret }}
IDP_CLIENT_SECRET={{ .Data.data.idpClientSecret }}
SIGNING_KEY={{ .Data.data.signingKey }}
{{ end }}
'';
group = "root";
reloadOrRestartUnits = [ "pomerium.service" ];
};
users.groups.acme = {}; users.groups.acme = {};
system.stateVersion = "20.09"; system.stateVersion = "20.09";