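{ ... }:
let
  # Vault policy granted to the gitlab-runner app on each CI host. It may
  # only *read* the token endpoint of the roleset defined below, i.e. mint a
  # GCP access token; it cannot alter the roleset or the backend.
  # ''${ keeps the literal ${...} so Terraform (not Nix) resolves the backend
  # path and roleset name at apply time.
  binaryCacheTokenPolicy = ''
    path "''${vault_gcp_secret_roleset.binary_cache_deployer.backend}/roleset/''${vault_gcp_secret_roleset.binary_cache_deployer.roleset}/token" {
      capabilities = ["read"]
    }
  '';
in
{
  # GCP roleset whose tokens let CI runners push to the Nix binary cache.
  resource.vault_gcp_secret_roleset.binary_cache_deployer = {
    # \${ keeps the literal ${...} for Terraform interpolation.
    backend = "\${vault_gcp_secret_backend.gcp.path}";
    roleset = "binary-cache-deployer";
    project = "lukegb-nix";
    # access_token: Vault issues OAuth2 access tokens rather than handing out
    # a service-account key.
    secret_type = "access_token";
    # OAuth scope bound onto every issued token.
    token_scopes = [
      "https://www.googleapis.com/auth/devstorage.read_write"
    ];
    binding = [{
      resource = "buckets/lukegb-nix-cache";
      # objectAdmin covers delete/overwrite of every object in the bucket,
      # not only create. A narrower role is only viable if cache pushes never
      # overwrite existing objects — TODO confirm before tightening.
      roles = ["roles/storage.objectAdmin"];
    }];
  };

  # Both CI hosts receive the identical policy, so each runner can mint the
  # same cache-write tokens.
  my.servers.cofractal-ams01.appPolicies.gitlab-runner = binaryCacheTokenPolicy;
  my.servers.clouvider-lon01.appPolicies.gitlab-runner = binaryCacheTokenPolicy;
}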