ops/vault/cfg: where we're going, we don't need secrets.nix

2022-03-16 00:06:46 +00:00 · 2022-03-16 00:06:46 +00:00 · fb7e18260a
commit fb7e18260a
parent 165fc4559c
2 changed files with 5 additions and 3 deletions
--- a/ops/vault/cfg/authbackend-oidc.nix
+++ b/ops/vault/cfg/authbackend-oidc.nix
@ -7,7 +7,7 @@

    oidc_discovery_url = "https://accounts.google.com";
    oidc_client_id = "620300851636-6ha1a7t9r4gatrn9gdqa82toem3cbq3b.apps.googleusercontent.com";
-    # oidc_client_secret in secrets.nix
+    oidc_client_secret = "\${data.vault_generic_secret.misc.data[\"oidcAuthToken\"]}";
  };

  my.authBackend.oidc = {
--- a/ops/vault/cfg/config.nix
+++ b/ops/vault/cfg/config.nix
@ -2,8 +2,6 @@

 {
  imports = [
-    ./secrets.nix
-
    ./policies-raw.nix
    ./policies-app.nix

@ -32,6 +30,10 @@
    address = "https://vault.int.lukegb.com";
  };

+  data.vault_generic_secret.misc = {
+    path = "kv/misc-input";
+  };
+
  my.apps.pomerium = {};
  my.servers.etheroute-lon01.apps = [ "pomerium" ];
 }