From f053953bb616afe56c69429acb384b4505de2db5 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Sun, 15 Jan 2023 16:37:30 +0000
Subject: [PATCH] ops/raritan: migrate to using vault for username/password

---
 ops/nixos/totoro/default.nix  |  2 --
 ops/raritan/ssl-renew/lego.sh | 13 +++++++++++++
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/ops/nixos/totoro/default.nix b/ops/nixos/totoro/default.nix
index df3bdf109f..d9515a8ffb 100644
--- a/ops/nixos/totoro/default.nix
+++ b/ops/nixos/totoro/default.nix
@@ -509,8 +509,6 @@ in {
 CERTIFICATE_DOMAIN=kvm.lukegb.xyz
 CERTIFICATE_ROLE=google-cloudflare
 RARITAN_IP=192.168.1.50
-RARITAN_USERNAME=${secrets.raritan.sslrenew.username}
-RARITAN_PASSWORD=${secrets.raritan.sslrenew.password}
 '';
 DynamicUser = true;
 User = "sslrenew-raritan";
diff --git a/ops/raritan/ssl-renew/lego.sh b/ops/raritan/ssl-renew/lego.sh
index cfdd396956..81ceb5ce8f 100755
--- a/ops/raritan/ssl-renew/lego.sh
+++ b/ops/raritan/ssl-renew/lego.sh
@@ -2,6 +2,19 @@
 set -euo pipefail
 
+SECRET_JSON="$(@curl@/bin/curl \
+  -H "X-Vault-Request: true" \
+  --unix-socket "/run/tokend/sock" \
+  "http://localhost:8200/v1/kv/data/apps/sslrenew-raritan")"
+
+if [[ "$(@jq@/bin/jq .errors <(echo "$SECRET_JSON") 2>/dev/null)" != "null" ]]; then
+  @jq@/bin/jq .errors <(echo "$SECRET_JSON") >&2
+  exit 1
+fi
+
+RARITAN_USERNAME="$(@jq@/bin/jq -r .data.data.username <(echo "$SECRET_JSON"))"
+RARITAN_PASSWORD="$(@jq@/bin/jq -r .data.data.password <(echo "$SECRET_JSON"))"
+
 CERTIFICATE_JSON="$(@curl@/bin/curl \
   -H "X-Vault-Request: true" \
   -X PUT \