Automate vault setup

README.md

@@ -237,40 +237,7 @@ $ journalctl -u hetzner-certbot
 ```
 
 #### Configuring Vault
-##### Creating the Database
-Log-in as the `postgres` user and execute the following SQL commands.
-```sql
-CREATE DATABASE vault;
-
-CREATE USER vault WITH ENCRYPTED PASSWORD 'change to value of vault_db_password_$ENVIRONMENT';
-
-GRANT ALL PRIVILEGES ON DATABASE vault TO vault;
-\c vault
-CREATE TABLE vault_kv_store (
-  parent_path TEXT COLLATE "C" NOT NULL,
-  path        TEXT COLLATE "C",
-  key         TEXT COLLATE "C",
-  value       BYTEA,
-  CONSTRAINT pkey PRIMARY KEY (path, key)
-);
-CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);
-GRANT ALL PRIVILEGES ON TABLE vault_kv_store TO vault;
-```
-Be sure to replace the password with the value which is set for `vault_db_password_production` in `secrets.json`.
-```sh
-$ sudo su -l postgres
-$ psql
-[.. SQL commands ..]
-$ exit
-```
-Afterwards, restart Vault.
-```sh
-$ systemctl restart vault
-$ systemctl status vault
-```
-
-##### Initializing Vault
-You can now access Vault on port 9443 via any hostname behind the load balancer [https://guidelines.ch:9443/](https://guidelines.ch:9443/).
+You can access Vault on port 9443 via any hostname behind the load balancer [https://guidelines.ch:9443/](https://guidelines.ch:9443/).
 As a first step, you will need to create a master key (set) which is used to unseal Vault on each startup.
 To use just one master key, initialize Vault with "Key shares" and "Key threshold" both set to "1".
 The "initial root token" is used to authenticate as an administrator with the Vault API or web UI

infrastructure/modules/compute/nix/postgresql.nix

@@ -7,6 +7,23 @@
   services.postgresql.authentication = ''
     host  all all 10.88.0.0/16 trust
   '';
+  services.postgresql.initialScript = pkgs.writeText "backend-initScript" ''
+    CREATE DATABASE vault;
+    
+    CREATE USER vault WITH ENCRYPTED PASSWORD '${(builtins.readFile /opt/cloud-init-misc-data/vault_db_password)}';
+    
+    GRANT ALL PRIVILEGES ON DATABASE vault TO vault;
+    \c vault
+    CREATE TABLE vault_kv_store (
+      parent_path TEXT COLLATE "C" NOT NULL,
+      path        TEXT COLLATE "C",
+      key         TEXT COLLATE "C",
+      value       BYTEA,
+      CONSTRAINT pkey PRIMARY KEY (path, key)
+    );
+    CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);
+    GRANT ALL PRIVILEGES ON TABLE vault_kv_store TO vault;
+  '';
 
   system.activationScripts = {
     mnt = {

infrastructure/modules/compute/nix/vault.nix

@@ -11,6 +11,8 @@
     ui = true
   ";
 
+  systemd.services.vault.after = [ "postgresql.service" ];
+
   systemd.services.vault-unseal = {
     serviceConfig.Type = "simple";
     wantedBy = [ "multi-user.target" ];