depot/ops/vault/cfg/config.nix
Luke Granger-Brown 7592e76a31 tokend: init
tokend is responsible for issuing service-scoped tokens based on the token held
and generated by the Vault Agent.

It can also generate "server-user" scoped tokens, which exist for convenience's
sake: they are not a strong attestation of the user on the machine, and have
limited privileges compared to a Vault token issued using e.g. `vault login
-method=oidc`.
2022-03-20 17:47:52 +00:00


{ lib, config, ... }:
# Terraform configuration (expressed as Nix attributes) for the Vault
# deployment. The imported sub-modules carry the auth backends, policies,
# SSH CAs, ACME CA and the server/app machinery; this file holds the backend
# and provider wiring plus a handful of per-app and per-server assignments.
{
  imports = [
    ./policies-raw.nix
    ./policies-app.nix
    ./authbackend-approle.nix
    ./authbackend-oidc.nix
    ./ssh-ca-client.nix
    ./ssh-ca-server.nix
    ./servers.nix
    ./acme-ca.nix
  ];

  # Remote state is kept in GCS under the depot/vault prefix.
  # NOTE(review): Terraform state records data-source results (including
  # data.vault_generic_secret.misc below) in plaintext, so access to this
  # bucket is effectively access to those secrets — confirm the bucket's
  # IAM and encryption settings are restricted accordingly.
  terraform.backend.gcs.bucket = "lukegb-terraform-state";
  terraform.backend.gcs.prefix = "depot/vault";

  # Exact pin of the Vault provider; bumps are deliberate.
  terraform.required_providers.vault.source = "hashicorp/vault";
  terraform.required_providers.vault.version = "3.3.1";

  # Vault is reached over TLS on its internal hostname. No token is set
  # here; presumably it arrives via the environment (VAULT_TOKEN) — verify.
  provider.vault.address = "https://vault.int.lukegb.com";

  # Miscellaneous input secrets consumed by other modules are read from this
  # KV path (the consumers are not in this file).
  data.vault_generic_secret.misc.path = "kv/misc-input";

  my = {
    apps = {
      # pomerium takes the app module's defaults (presumably the standard
      # app policy from policies-app.nix — confirm).
      pomerium = { };

      sslrenew-raritan = {
        # Issue-only access: "create" on every path under acme/certs/. The
        # wildcard covers all certificates on the mount, which is presumably
        # defined in acme-ca.nix.
        policy = ''
          # sslrenew-raritan is permitted to issue certificates.
          path "acme/certs/*" {
          capabilities = ["create"]
          }
        '';
      };
    };

    # Which server each app identity is bound to.
    servers = {
      etheroute-lon01.apps = [ "pomerium" ];
      totoro.apps = [ "sslrenew-raritan" ];
    };
  };
}