# Terranix-style Vault configuration module. `lib` and `config` are accepted to
# satisfy the module calling convention but are not referenced in this file.
{ lib, config, ... }:

{
  # Sub-modules that define the policy, auth-backend, SSH CA, server and ACME
  # resources, plus the `my.apps` / `my.servers` options set further down.
  imports = [
    ./policies-raw.nix
    ./policies-app.nix

    ./authbackend-approle.nix
    ./authbackend-oidc.nix

    ./ssh-ca-client.nix
    ./ssh-ca-server.nix

    ./servers.nix

    ./acme-ca.nix
  ];

  # Remote state is kept in a GCS bucket. Terraform persists the results of
  # data sources (including the vault_generic_secret read below) in this state,
  # so the bucket's access controls matter as much as the secret's own policy.
  terraform.backend.gcs.bucket = "lukegb-terraform-state";
  terraform.backend.gcs.prefix = "depot/vault";

  # Exact pin of the Vault provider.
  terraform.required_providers.vault.source = "hashicorp/vault";
  terraform.required_providers.vault.version = "3.3.1";

  provider.vault.address = "https://vault.int.lukegb.com";

  # Pulls `kv/misc-input` into the Terraform run (and therefore into state).
  data.vault_generic_secret.misc.path = "kv/misc-input";

  my = {
    apps = {
      # Declared without any attributes; no policy is set for pomerium here.
      pomerium = {};

      # Vault policy text (HCL) scoped to certificate issuance only.
      sslrenew-raritan.policy = ''
        # sslrenew-raritan is permitted to issue certificates.
        path "acme/certs/*" {
        capabilities = ["create"]
        }
      '';

      # Read-only access to one KV v2 secret: both the data and metadata paths
      # are needed for a versioned read.
      deployer.policy = ''
        # Allow reading nix-daemon secrets
        path "kv/data/apps/nix-daemon" {
        capabilities = ["read"]
        }
        path "kv/metadata/apps/nix-daemon" {
        capabilities = ["read"]
        }
      '';
    };

    # Which apps run on which server.
    servers = {
      etheroute-lon01.apps = [ "pomerium" ];
      totoro.apps = [ "sslrenew-raritan" ];
    };
  };
}