nixfiles/hosts/vault/secrets.nix

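# NixOS module for the `vault` host: creates /secrets at boot and installs an
# `init-secrets` helper that copies individual secrets out of Vault into that
# directory. The owner/group/mode of each secret file is taken from
# ./secrets-db.nix so this file only describes *where* each secret comes from.
{ pkgs, ... }:
let
  secrets-db = import ./secrets-db.nix { };
in
{
  # /secrets is created root-owned by systemd-tmpfiles; the files inside are
  # re-owned per secret by init-secrets below.
  systemd.tmpfiles.rules = [ "d /secrets - root root" ];

  environment.systemPackages = [
    (pkgs.writeShellScriptBin "init-secrets" ''
      set -e -o pipefail

      # Each secret file is created by a plain redirect *before* the chown/chmod
      # that follows it, so the file briefly exists with the process umask.
      # Tighten the umask first so that window never leaves a secret readable
      # by other users.
      umask 077

      VAULT_ADDR_DEFAULT="https://vault.owo.monster"
      # Fall back to the default address only when the caller did not supply
      # VAULT_ADDR; an explicitly exported address is left untouched.
      if [ -z "$VAULT_ADDR" ]; then
        export VAULT_ADDR="$VAULT_ADDR_DEFAULT"
      fi

      export PATH=$PATH:${pkgs.vault}/bin:${pkgs.jq}/bin

      # kv_get PATH: print the raw JSON document for a KV secret.
      kv_get() {
        vault kv get -format json "$1"
      }

      # simple_get PATH FIELD: print one field (e.g. .password) of a KV secret,
      # unquoted, for use in files and variables.
      simple_get() {
        kv_get "$1" | jq -r ".data.data$2"
      }

      # restic repository password
      simple_get "/private-public-keys/restic/Vault" .password > /secrets/restic_password
      chown ${secrets-db.restic_password.user}:${secrets-db.restic_password.group} /secrets/restic_password
      chmod ${secrets-db.restic_password.permissions} /secrets/restic_password

      # restic REST backend credentials; they are embedded in the repository URL,
      # so restic_env carries both the username and the password.
      RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Vault" .username)
      RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Vault" .password)
      echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > /secrets/restic_env
      chown ${secrets-db.restic_env.user}:${secrets-db.restic_env.group} /secrets/restic_env
      chmod ${secrets-db.restic_env.permissions} /secrets/restic_env
    '')
  ];
}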