ops/raritan: migrate to using vault for username/password

2023-01-15 16:37:30 +00:00 · 2023-01-15 16:37:30 +00:00 · f053953bb6
commit f053953bb6
parent 35a9ec6bf5
2 changed files with 13 additions and 2 deletions
--- a/ops/nixos/totoro/default.nix
+++ b/ops/nixos/totoro/default.nix
@ -509,8 +509,6 @@ in {
        CERTIFICATE_DOMAIN=kvm.lukegb.xyz
        CERTIFICATE_ROLE=google-cloudflare
        RARITAN_IP=192.168.1.50
-        RARITAN_USERNAME=${secrets.raritan.sslrenew.username}
-        RARITAN_PASSWORD=${secrets.raritan.sslrenew.password}
      '';
      DynamicUser = true;
      User = "sslrenew-raritan";
--- a/ops/raritan/ssl-renew/lego.sh
+++ b/ops/raritan/ssl-renew/lego.sh
@ -2,6 +2,19 @@

 set -euo pipefail

+SECRET_JSON="$(@curl@/bin/curl \
+	-H "X-Vault-Request: true" \
+	--unix-socket "/run/tokend/sock" \
+	"http://localhost:8200/v1/kv/data/apps/sslrenew-raritan")"
+
+if [[ "$(@jq@/bin/jq .errors <(echo "$SECRET_JSON") 2>/dev/null)" != "null" ]]; then
+	@jq@/bin/jq .errors <(echo "$SECRET_JSON") >&2
+	exit 1
+fi
+
+RARITAN_USERNAME="$(@jq@/bin/jq -r .data.data.username <(echo "$SECRET_JSON"))"
+RARITAN_PASSWORD="$(@jq@/bin/jq -r .data.data.password <(echo "$SECRET_JSON"))"
+
 CERTIFICATE_JSON="$(@curl@/bin/curl \
 	-H "X-Vault-Request: true" \
 	-X PUT \