feat(services/secrets-agent): init

This initializes a secrets agent using systemd-openbao, available for any
system.

For now, it only supports the token authentication method.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
This commit is contained in:
raito 2025-01-01 02:44:40 +01:00
parent 5afd73c22f
commit 9072613928
2 changed files with 52 additions and 0 deletions


@ -3,6 +3,7 @@
./block-crawlers
./gerrit
./channel-scripts
./secrets-agent
./hydra
./matrix
./monitoring


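--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,51 @@
+{ config, lib, ... }:
+let
+cfg = config.bagel.services.secrets-agent;
+inherit (lib) mkEnableOption mkIf mkOption mkMerge types;
+in
+{
+options.bagel.services.secrets-agent = {
+enable = mkEnableOption "enable the secret agent on this system";
+methods.token = {
+enable = mkEnableOption "the token method to authenticate";
+tenancy = mkOption {
+type = types.enum [ "floral" "lix" ];
+default = "floral";
+};
+identifier = mkOption {
+type = types.str;
+};
+};
+vaultAddress = mkOption {
+type = types.str;
+default = "https://vault.forkos.org";
+};
+};
+config = mkMerge [
+(mkIf (cfg.enable && cfg.methods.token.enable) {
+age.secrets."openbao-auth-token-${cfg.methods.token.identifier}".file = ../../secrets/${cfg.methods.token.tenancy}/openbao-auth-token-${cfg.methods.token.identifier}.age;
+systemd.services.openbao-agent-default.serviceConfig.LoadCredential = [ "auth-token:${config.age.secrets."openbao-auth-token-${cfg.methods.token.identifier}".path}" ];
+services.openbao.agents.default.settings = {
+auto_auth = {
+method = [
+{
+type = "token_file";
+config.token_file_path = "/run/credentials/openbao-agent-default.service/auth-token";
+}
+];
+};
+};
+})
+(mkIf cfg.enable {
+systemd.services.openbao-agent-default = {
+serviceConfig.Environment = [
+"VAULT_ADDR=${cfg.vaultAddress}"
+];
+};
+services.openbao.agents.default.settings.vault.address = cfg.vaultAddress;
+})
+];
+}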
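Review bot: The `enable` option's description, `mkEnableOption "enable the secret agent on this system"`, renders as "Whether to enable enable the secret agent on this system" because mkEnableOption already prefixes "Whether to enable"; drop the leading verb: `enable = mkEnableOption "the secret agent on this system";`. `tenancy` is pinned by an enum, but `identifier` is a bare `types.str` that is spliced into the `../../secrets/${tenancy}/openbao-auth-token-${identifier}.age` path and into the age secret and credential names, so a value containing `/` or `..` would resolve to a file outside the intended tenancy directory at evaluation time; `type = types.strMatching "[A-Za-z0-9_-]+";` rules that out. The unit name `openbao-agent-default` and the `/run/credentials/openbao-agent-default.service/auth-token` path are presumably what the openbao agents module derives for `agents.default`, but the name is repeated in three places with nothing tying them together, so a single `let` binding for the unit name would keep the LoadCredential entry and the `token_file_path` from drifting apart if the agent is renamed. `tenancy`, `identifier` and `vaultAddress` also lack a `description`, so the generated option documentation is empty for them.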