zivildienst/infrastructure/modules/compute/nix/vault.nix


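{ pkgs, ... }:
let
  # Address Vault binds to.  The unseal helper below must target this exact
  # address: the listener is not on 127.0.0.1, so an unseal request sent to
  # loopback is refused on every attempt and the vault stays sealed.
  vaultAddress = "10.0.1.51:8200";

  # Runtime environment for vault.service, expected to be provisioned by
  # cloud-init as a root-only file (0400) containing a single line:
  #   VAULT_PG_CONNECTION_URL=postgres://vault:<password>@localhost:5432/vault?sslmode=disable
  # (sslmode=disable is tolerable only because the connection is loopback.)
  # The password must NOT be read with builtins.readFile at evaluation time:
  # whatever is interpolated into the Nix expression is written into the
  # rendered vault.hcl inside the world-readable /nix/store.
  vaultEnvFile = "/opt/cloud-init-misc-data/vault.env";

  # First line is the single Shamir share used to unseal.  Keeping unseal
  # material on the same host as the storage reduces the seal to a
  # restart-time inconvenience; an auto-unseal mechanism (transit / cloud KMS)
  # would be the proper replacement.
  unsealKeyFile = "/mnt/data/vault-master-key";
in
{
  services.vault = {
    enable = true;
    package = pkgs.vault-bin;
    address = vaultAddress;
    storageBackend = "postgresql";
    # No connection_url here on purpose: Vault's postgresql backend reads it
    # from VAULT_PG_CONNECTION_URL, which the EnvironmentFile below supplies
    # at runtime instead of at Nix evaluation time.
    extraConfig = ''
      ui = true
    '';
  };

  systemd.services.vault = {
    after = [ "postgresql.service" ];
    # systemd reads EnvironmentFile as root before dropping to the service
    # user, so the file can stay root-only.
    serviceConfig.EnvironmentFile = vaultEnvFile;
  };

  # Best-effort unseal after boot: retries for roughly 100 s, then gives up
  # quietly (exit 0) so a missing key or an unreachable Vault never leaves a
  # failed unit behind.
  systemd.services.vault-unseal = {
    description = "Unseal Vault from the on-disk key share";
    wantedBy = [ "multi-user.target" ];
    after = [ "vault.service" ];
    requires = [ "vault.service" ];
    serviceConfig.Type = "simple";
    script = ''
      file=${unsealKeyFile}
      if [ ! -f "$file" ]; then
        printf 'Stopping automatic unseal, no key present at %s\n' "$file"
        exit 0
      fi

      # The key share is fed to curl on stdin rather than as a -d argument so
      # it never appears in /proc/<pid>/cmdline.  --fail turns HTTP error
      # responses into a non-zero exit so the loop keeps retrying (e.g. a 5xx
      # while Vault is still starting) instead of stopping at the first
      # response of any kind.
      count=0
      while [ "$count" -le 10 ]; do
        count=$((count + 1))
        printf '=> Trying to unseal Vault..\n'
        printf '{"key": "%s"}' "$(head -n 1 "$file")" \
          | ${pkgs.curl}/bin/curl --silent --show-error --fail \
              -X PUT "http://${vaultAddress}/v1/sys/unseal" --data-binary @- \
          && break
        sleep 10
      done
    '';
  };

  # Opens the listener to the network.  Nothing in this file configures
  # services.vault.tlsCertFile/tlsKeyFile and the unseal helper talks plain
  # http://, so unless TLS is set up elsewhere every remote client sends its
  # token and the secrets it reads in clear.  Either terminate TLS on the
  # listener or keep this port closed and clients local.
  networking.firewall.allowedTCPPorts = [ 8200 ];
}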