Luke Granger-Brown
7592e76a31
tokend is responsible for issuing service-scoped tokens based on the token held and generated by the Vault Agent. It can also generate "server-user" scoped tokens, which exist for convenience's sake: they are not a strong attestation of the user on the machine, and have limited privileges compared to a Vault token issued using e.g. `vault login -method=oidc`.
43 lines
1.1 KiB
Nix
43 lines
1.1 KiB
Nix
# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
|
|
#
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
{ pkgs, config, depot, lib, ... }:
|
|
let
|
|
inherit (lib) mkOption types mkBefore mkIf;
|
|
|
|
cfg = config.my.vault.tokend;
|
|
in
|
|
{
|
|
options.my.vault.tokend = {
|
|
enable = mkOption {
|
|
type = types.bool;
|
|
default = true;
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
users.groups.tokend = {};
|
|
users.users.tokend = { isSystemUser = true; group = "tokend"; };
|
|
|
|
systemd.services.tokend = {
|
|
description = "Daemon for dynamically issuing Vault tokens based on connecting UID";
|
|
wants = [ "vault-agent.service" "network.target" ];
|
|
after = [ "network.target" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
serviceConfig = {
|
|
User = "tokend";
|
|
SupplementaryGroups = [ "vault-agent" ];
|
|
RuntimeDirectory = "tokend";
|
|
RuntimeDirectoryMode = "0755";
|
|
|
|
NoNewPrivileges = true;
|
|
ProtectSystem = "strict";
|
|
ProtectHome = "yes";
|
|
|
|
ExecStart = "${depot.go.tokend}/bin/tokend --logtostderr";
|
|
};
|
|
};
|
|
};
|
|
}
|