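# NixOS module: a single Vault server backed by the local PostgreSQL
# instance, plus a helper unit that tries to unseal Vault after boot.
{ pkgs, ... }:

{
  services.vault = {
    enable = true;
    package = pkgs.vault-bin;

    # Vault listens on the host's private address. Nothing in this file
    # configures certificates for the listener, so confirm whether the
    # NixOS module ends up with a TLS-disabled (plain HTTP) listener
    # before relying on the firewall rule below.
    address = "10.0.1.51:8200";

    storageBackend = "postgresql";
    # NOTE(review): builtins.readFile runs at evaluation time, so the DB
    # password is copied into the generated Vault config inside the
    # world-readable Nix store (and travels with the closure). A secret
    # read at service start time would keep it out of the store.
    # sslmode=disable is only tolerable because the connection stays on
    # loopback.
    storageConfig = ''
      connection_url = "postgres://vault:${builtins.readFile /opt/cloud-init-misc-data/vault_db_password}@localhost:5432/vault?sslmode=disable"
    '';

    extraConfig = ''
      ui = true
    '';
  };

  # Storage is in PostgreSQL, so Vault must not start before it.
  systemd.services.vault.after = [ "postgresql.service" ];

  # Unseals Vault with a key kept on the data volume. If the key file is
  # absent the unit exits cleanly and Vault stays sealed for manual unseal.
  systemd.services.vault-unseal = {
    serviceConfig.Type = "simple";
    wantedBy = [ "multi-user.target" ];
    after = [ "vault.service" ];
    script = ''
      file=/mnt/data/vault-master-key
      if ! test -f "$file"; then
        # Use a fixed format string; the path is not format-expanded.
        printf 'Stopping automatic unseal, no key present at %s\n' "$file"
        exit 0
      fi
      # Vault may still be starting: up to 11 attempts, 10 s apart.
      count=0
      while [ "$count" -le 10 ]; do
        count=$((count + 1))
        printf '=> Trying to unseal Vault..\n'
        # Feed the key to curl on stdin (-d @-) rather than in its argument
        # list, which any local user can read through ps or /proc.
        printf '{"key": "%s"}' "$(head -n 1 "$file")" \
          | /run/current-system/sw/bin/curl -XPUT http://127.0.0.1:8200/v1/sys/unseal -d @- \
          && break
        sleep 10
      done
    '';
  };

  # Opens the Vault API to the network; see the TLS note on the listener.
  networking.firewall.allowedTCPPorts = [ 8200 ];
}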