vault: deployer should be allowed to read nix-daemon secrets

This commit is contained in:
Luke Granger-Brown 2022-03-24 22:20:44 +00:00
parent b8acd6e31b
commit dbaabf1295
2 changed files with 11 additions and 1 deletions


@ -48,4 +48,14 @@
''; '';
}; };
my.servers.totoro.apps = [ "sslrenew-raritan" ]; my.servers.totoro.apps = [ "sslrenew-raritan" ];
my.apps.deployer.policy = ''
# Allow reading nix-daemon secrets
path "kv/data/apps/nix-daemon" {
capabilities = ["read"]
}
path "kv/metadata/apps/nix-daemon" {
capabilities = ["read"]
}
'';
} }
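Review bot: The policy grants `read` on `kv/metadata/apps/nix-daemon` as well as on the data path, and the metadata read is more than a plain secret fetch needs: it exposes the secret's version history and custom metadata, while retrieving the current value only requires `read` on `kv/data/apps/nix-daemon`. Either drop the metadata stanza or extend the comment to record why the deployer client needs it, e.g. `# metadata read is required by the client tooling's version check — confirm`. Note also that the other file in this commit changes the servers' `apps` default to `[ "deployer" ]`; if per-host Vault identities are derived from `apps`, every host using that default now inherits this policy, so the nix-daemon secret becomes readable from all of them rather than only from the deploy host — worth confirming that is the intended scope. The hunk header advertises 14 new-side lines but 13 are visible here, so a line (likely a blank) was lost in rendering.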


@ -25,7 +25,7 @@ let
apps = mkOption { apps = mkOption {
type = with types; listOf str; type = with types; listOf str;
default = []; default = [ "deployer" ];
}; };
appPolicies = mkOption { appPolicies = mkOption {