lukegb/depot
1
0
Fork 0
Code Issues 1 Pull requests Projects Packages Activity Actions

ops/raritan: migrate to using vault for username/password

Browse source
This commit is contained in:
Luke Granger-Brown 2023-01-15 16:37:30 +00:00
parent 35a9ec6bf5
commit f053953bb6
2 changed files with 13 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
ops/nixos/totoro/default.nix
View file

@ -509,8 +509,6 @@ in {
CERTIFICATE_DOMAIN=kvm.lukegb.xyz CERTIFICATE_DOMAIN=kvm.lukegb.xyz
CERTIFICATE_ROLE=google-cloudflare CERTIFICATE_ROLE=google-cloudflare
RARITAN_IP=192.168.1.50 RARITAN_IP=192.168.1.50
RARITAN_USERNAME=${secrets.raritan.sslrenew.username}
RARITAN_PASSWORD=${secrets.raritan.sslrenew.password}
''; '';
DynamicUser = true; DynamicUser = true;
User = "sslrenew-raritan"; User = "sslrenew-raritan";

13
ops/raritan/ssl-renew/lego.sh
View file

@ -2,6 +2,19 @@
set -euo pipefail set -euo pipefail
SECRET_JSON="$(@curl@/bin/curl \
-H "X-Vault-Request: true" \
--unix-socket "/run/tokend/sock" \
"http://localhost:8200/v1/kv/data/apps/sslrenew-raritan")"
if [[ "$(@jq@/bin/jq .errors <(echo "$SECRET_JSON") 2>/dev/null)" != "null" ]]; then
@jq@/bin/jq .errors <(echo "$SECRET_JSON") >&2
exit 1
fi
RARITAN_USERNAME="$(@jq@/bin/jq -r .data.data.username <(echo "$SECRET_JSON"))"
RARITAN_PASSWORD="$(@jq@/bin/jq -r .data.data.password <(echo "$SECRET_JSON"))"
CERTIFICATE_JSON="$(@curl@/bin/curl \ CERTIFICATE_JSON="$(@curl@/bin/curl \
-H "X-Vault-Request: true" \ -H "X-Vault-Request: true" \
-X PUT \ -X PUT \