# ---------------------------------------------------------------------------
# Vault ACL policy attached to server identities.
#
# Every rule containing {{identity.entity.name}} is templated on the calling
# token's entity, so each server only reaches its own sub-tree.
# NOTE(review): Vault entity names are mutable; where names may be changed or
# re-used, {{identity.entity.id}} is the more stable key -- confirm against
# how entities are provisioned before relying on the name here.
# ---------------------------------------------------------------------------

# Per-server KV v2 area (logical path kv/server/<entity-name>/...):
# full read/write on the data, list on the metadata so keys can be enumerated.
path "kv/data/server/{{identity.entity.name}}/*" {
  capabilities = [
    "create",
    "update",
    "read",
    "delete",
  ]
}

path "kv/metadata/server/{{identity.entity.name}}/*" {
  capabilities = [
    "list",
  ]
}

# Listing the server directory itself is not entity-scoped: every holder of
# this policy can see the names of all servers (names only, not contents).
path "kv/metadata/server" {
  capabilities = [
    "list",
  ]
}

# Each server may read only its own WireGuard secret (data and metadata).
path "kv/data/apps/wireguard/{{identity.entity.name}}" {
  capabilities = [
    "read",
  ]
}

path "kv/metadata/apps/wireguard/{{identity.entity.name}}" {
  capabilities = [
    "read",
  ]
}

# "+" matches exactly one path segment, so this lists the key names one level
# under kv/metadata (e.g. the children of kv/metadata/apps). It discloses
# secret *names*, not values, to every holder of this policy.
path "kv/metadata/+" {
  capabilities = [
    "list",
  ]
}

# Not entity-scoped: any server may create under acme/certs/.
path "acme/certs/*" {
  capabilities = [
    "create",
  ]
}

# Shared nix-daemon data is readable by every server.
path "kv/data/apps/nix-daemon" {
  capabilities = [
    "read",
  ]
}

path "kv/metadata/apps/nix-daemon" {
  capabilities = [
    "read",
  ]
}

# Servers may mint child tokens. A child token inherits the parent's policies
# unless a subset is requested, so this cannot escalate beyond this policy.
# NOTE(review): no allowed_parameters / denied_parameters constraints are set
# here, so request fields such as "policies" and "ttl" are bounded only by
# Vault's defaults -- confirm that is intended.
path "auth/token/create" {
  capabilities = [
    "update",
  ]
}