vault: deployer should be allowed to read nix-daemon secrets

2022-03-24 22:20:44 +00:00 · 2022-03-24 22:20:44 +00:00 · dbaabf1295
commit dbaabf1295
parent b8acd6e31b
2 changed files with 11 additions and 1 deletions
--- a/ops/vault/cfg/config.nix
+++ b/ops/vault/cfg/config.nix
@ -48,4 +48,14 @@
    '';
  };
  my.servers.totoro.apps = [ "sslrenew-raritan" ];
+
+  my.apps.deployer.policy = ''
+    # Allow reading nix-daemon secrets
+    path "kv/data/apps/nix-daemon" {
+      capabilities = ["read"]
+    }
+    path "kv/metadata/apps/nix-daemon" {
+      capabilities = ["read"]
+    }
+  '';
 }
--- a/ops/vault/cfg/servers.nix
+++ b/ops/vault/cfg/servers.nix
@ -25,7 +25,7 @@ let

      apps = mkOption {
        type = with types; listOf str;
-        default = [];
+        default = [ "deployer" ];
      };

      appPolicies = mkOption {