{ ... }:
let
  # GCP project that the deployer identity is created in and acts on.
  project = "lukegbcom";

  # Vault ACL handed to each GitLab runner host: read-only on the token
  # endpoint of the roleset declared below, and nothing else on the GCP
  # secrets mount. Inside a Nix ''-string, ''${ yields a literal ${, so
  # these interpolations are left for Terraform to resolve, not Nix.
  runnerTokenPolicy = ''
    path "''${vault_gcp_secret_roleset.lukegbcom_deployer.backend}/roleset/''${vault_gcp_secret_roleset.lukegbcom_deployer.roleset}/token" {
      capabilities = ["read"]
    }
  '';
in
{
  # Vault GCP secrets-engine roleset that mints OAuth access tokens
  # (secret_type = access_token) for deploying the lukegbcom site.
  # Presumably consumed as terranix-style config: `resource.*` attributes
  # become Terraform resources, and "\${...}" keeps a literal ${...}
  # reference for Terraform (plain ${...} below is Nix interpolation).
  resource.vault_gcp_secret_roleset.lukegbcom_deployer = {
    backend = "\${vault_gcp_secret_backend.gcp.path}";
    roleset = "lukegbcom-deployer";
    inherit project;
    secret_type = "access_token";

    # OAuth scopes requested on minted tokens. cloud-platform is the broad
    # scope, so the IAM bindings below are what actually bound this
    # identity: effective access is scopes intersected with granted roles.
    token_scopes = [
      "https://www.googleapis.com/auth/cloud-platform"
      "https://www.googleapis.com/auth/firebase"
    ];

    # IAM roles granted to the roleset's service account, per resource.
    binding = [
      {
        # Firebase Hosting admin across the whole project.
        resource = "//cloudresourcemanager.googleapis.com/projects/${project}";
        roles = [ "roles/firebasehosting.admin" ];
      }
      {
        # Object-level admin on one named bucket only, not project-wide.
        resource = "buckets/lukegb-flipperzero";
        roles = [ "roles/storage.objectAdmin" ];
      }
    ];
  };

  # Every runner host gets the same token-read policy; keep them in sync by
  # sharing a single definition.
  my.servers.clouvider-lon01.appPolicies.gitlab-runner = runnerTokenPolicy;
  my.servers.cofractal-ams01.appPolicies.gitlab-runner = runnerTokenPolicy;
  my.servers.rexxar.appPolicies.gitlab-runner = runnerTokenPolicy;
}