Luke Granger-Brown
7592e76a31
tokend is responsible for issuing service-scoped tokens based on the token held and generated by the Vault Agent. It can also generate "server-user" scoped tokens, which exist for convenience's sake: they are not a strong attestation of the user on the machine, and have limited privileges compared to a Vault token issued using e.g. `vault login -method=oidc`.
51 lines
922 B
Nix
51 lines
922 B
Nix
{ lib, config, ... }:
|
|
|
|
{
|
|
imports = [
|
|
./policies-raw.nix
|
|
./policies-app.nix
|
|
|
|
./authbackend-approle.nix
|
|
./authbackend-oidc.nix
|
|
|
|
./ssh-ca-client.nix
|
|
./ssh-ca-server.nix
|
|
|
|
./servers.nix
|
|
|
|
./acme-ca.nix
|
|
];
|
|
|
|
terraform = {
|
|
backend.gcs = {
|
|
bucket = "lukegb-terraform-state";
|
|
prefix = "depot/vault";
|
|
};
|
|
|
|
required_providers.vault = {
|
|
source = "hashicorp/vault";
|
|
version = "3.3.1";
|
|
};
|
|
};
|
|
|
|
provider.vault = {
|
|
address = "https://vault.int.lukegb.com";
|
|
};
|
|
|
|
data.vault_generic_secret.misc = {
|
|
path = "kv/misc-input";
|
|
};
|
|
|
|
my.apps.pomerium = {};
|
|
my.servers.etheroute-lon01.apps = [ "pomerium" ];
|
|
|
|
my.apps.sslrenew-raritan = {
|
|
policy = ''
|
|
# sslrenew-raritan is permitted to issue certificates.
|
|
path "acme/certs/*" {
|
|
capabilities = ["create"]
|
|
}
|
|
'';
|
|
};
|
|
my.servers.totoro.apps = [ "sslrenew-raritan" ];
|
|
}
|