From dbaabf12950810927dfd8fe272cacfc2eaa133e3 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Thu, 24 Mar 2022 22:20:44 +0000
Subject: [PATCH] vault: deployer should be allowed to read nix-daemon secrets

---
 ops/vault/cfg/config.nix  | 10 ++++++++++
 ops/vault/cfg/servers.nix |  2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/ops/vault/cfg/config.nix b/ops/vault/cfg/config.nix
index e5a434ee08..b3472b4e81 100644
--- a/ops/vault/cfg/config.nix
+++ b/ops/vault/cfg/config.nix
@@ -48,4 +48,14 @@
     '';
   };
   my.servers.totoro.apps = [ "sslrenew-raritan" ];
+
+  my.apps.deployer.policy = ''
+    # Allow reading nix-daemon secrets
+    path "kv/data/apps/nix-daemon" {
+      capabilities = ["read"]
+    }
+    path "kv/metadata/apps/nix-daemon" {
+      capabilities = ["read"]
+    }
+  '';
 }
diff --git a/ops/vault/cfg/servers.nix b/ops/vault/cfg/servers.nix
index 8f69785298..948045b6b0 100644
--- a/ops/vault/cfg/servers.nix
+++ b/ops/vault/cfg/servers.nix
@@ -25,7 +25,7 @@ let
     apps = mkOption {
       type = with types; listOf str;
-      default = [];
+      default = [ "deployer" ];
     };
     appPolicies = mkOption {
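Review bot: The new `my.apps.deployer.policy` grants `read` on the whole `kv/data/apps/nix-daemon` secret, and the comment above it does not say why the deployer needs those secrets or which keys it consumes, so the grant cannot be re-checked for least privilege later; since the companion hunk in servers.nix makes `"deployer"` the default entry of every server's `apps` list, this read appears to become effectively fleet-wide if `apps` is what determines which policies a host's token receives. Suggested comment in place of the existing one: `# Allow reading nix-daemon secrets: the deployer needs <WHICH-KEYS-AND-WHY> from this path; "deployer" is a default app on every server (servers.nix), so every host inherits this read.` Note also that on a KV v2 mount a `read` on `kv/data/...` can fetch older versions of the secret via the `version` parameter, so rotating a value here does not revoke access to the previous one unless the old versions are destroyed. The enclosing attribute set starts before the hunk.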