diff --git a/ops/vault/cfg/config.nix b/ops/vault/cfg/config.nix
index e5a434ee08..b3472b4e81 100644
--- a/ops/vault/cfg/config.nix
+++ b/ops/vault/cfg/config.nix
@@ -48,4 +48,14 @@
 '';
 };
 my.servers.totoro.apps = [ "sslrenew-raritan" ];
+
+ my.apps.deployer.policy = ''
+ # Allow reading nix-daemon secrets
+ path "kv/data/apps/nix-daemon" {
+ capabilities = ["read"]
+ }
+ path "kv/metadata/apps/nix-daemon" {
+ capabilities = ["read"]
+ }
+ '';
 }
diff --git a/ops/vault/cfg/servers.nix b/ops/vault/cfg/servers.nix
index 8f69785298..948045b6b0 100644
--- a/ops/vault/cfg/servers.nix
+++ b/ops/vault/cfg/servers.nix
@@ -25,7 +25,7 @@ let
 apps = mkOption {
 type = with types; listOf str;
- default = [];
+ default = [ "deployer" ];
 };
 appPolicies = mkOption {
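Review bot: The `kv/metadata/apps/nix-daemon` stanza in the new `my.apps.deployer.policy` (config.nix hunk) grants more than the comment justifies. Reading the current secret only needs `read` on `kv/data/apps/nix-daemon`, so unless the deployer inspects version metadata the second `path` block can be dropped. The servers.nix hunk makes `"deployer"` the default for `apps`, so this policy appears to reach every server that does not set `apps` itself; the comment should say why all hosts need it, e.g. `# Every deployed host needs the nix-daemon secrets because <reason>`. If `apps` follows the usual module-system semantics, an explicit definition such as `my.servers.totoro.apps = [ "sslrenew-raritan" ];` replaces the default rather than extending it, so totoro would not receive the deployer policy; please confirm that is intended. The servers.nix hunk may continue past the visible text, so this is based only on the lines shown.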