vault: deployer should be allowed to read nix-daemon secrets
parent
b8acd6e31b
commit
dbaabf1295
2 changed files with 11 additions and 1 deletions
@ -48,4 +48,14 @@
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
my.servers.totoro.apps = [ "sslrenew-raritan" ];
|
my.servers.totoro.apps = [ "sslrenew-raritan" ];
|
||||||
|
|
||||||
|
my.apps.deployer.policy = ''
|
||||||
|
# Allow reading nix-daemon secrets
|
||||||
|
path "kv/data/apps/nix-daemon" {
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
|
path "kv/metadata/apps/nix-daemon" {
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
|
'';
|
||||||
}
|
}
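Review bot: The grant `capabilities = ["read"]` on `kv/data/apps/nix-daemon` exposes every key stored under that path to the deployer, because Vault KV policies are path-granular and cannot be narrowed to a single key; if that secret bundles more than the deploy step needs, moving the deployer-facing key to its own path keeps the grant minimal. The comment `# Allow reading nix-daemon secrets` would be more useful as `# Allow reading nix-daemon secrets (used by <deploy step> — TODO confirm) so a later reviewer knows when the grant can go. Note too that `read` on a KV v2 data path can, unless the `version` parameter is constrained in the policy, retrieve retained older versions, so rotating the secret does not by itself retract what this policy can see. The enclosing attribute set starts before the hunk.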
|
||||||
@ -25,7 +25,7 @@ let
|
||||||
|
|
||||||
apps = mkOption {
|
apps = mkOption {
|
||||||
type = with types; listOf str;
|
type = with types; listOf str;
|
||||||
default = [];
|
default = [ "deployer" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
appPolicies = mkOption {
|
appPolicies = mkOption {
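Review bot: `default = [ "deployer" ];` gives the deployer app to every host that leaves `apps` unset, but a host that defines the option at all replaces the default rather than extending it, so, as far as I can tell, `my.servers.totoro.apps = [ "sslrenew-raritan" ]` in the other file would no longer include deployer while unconfigured hosts do. If deployer is meant to be present everywhere, appending it through the option's `apply` is more robust than the default; if it is meant to be opt-in, the old empty default was the safer choice now that the deployer policy also reads `kv/data/apps/nix-daemon`. Either way the option has no `description`; something like `description = "Apps provisioned on this host (Vault policies and credentials — TODO confirm); defaults to the deployer.";` would make the new default discoverable. The enclosing `let` and option set start and end outside the hunk.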
|
||||||