AtaraxiaDev/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

fix vault-unseal

Browse Source
This commit is contained in:
Dmitriy Kholkin 2024-01-27 18:02:31 +03:00
parent 4f103c910e
commit 1929e0492b
Signed by: AtaraxiaDev
GPG Key ID: FD266B810DF48DF2
2 changed files with 10 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
profiles/servers/vault.nix
View File

@ -19,20 +19,18 @@ in {
''; '';
}; };
sops.secrets.vault-key1.sopsFile = inputs.self.secretsDir + /home-hypervisor/vault.yaml; sops.secrets.vault-keys-env.sopsFile = inputs.self.secretsDir + /home-hypervisor/vault.yaml;
sops.secrets.vault-key2.sopsFile = inputs.self.secretsDir + /home-hypervisor/vault.yaml;
sops.secrets.vault-key3.sopsFile = inputs.self.secretsDir + /home-hypervisor/vault.yaml;
systemd.services.vault-unseal = { systemd.services.vault-unseal = {
wantedBy = [ "multi-user.target" ];
partOf = [ "vault.service" ]; partOf = [ "vault.service" ];
after = [ "vault.service" ]; after = [ "vault.service" ];
path = [ pkgs.curl ]; path = [ pkgs.curl ];
script = '' script = ''
KEY1=$(head -n1 ${config.sops.secrets.vault-key1.path}) set -aeuo pipefail
KEY2=$(head -n1 ${config.sops.secrets.vault-key2.path}) source ${config.sops.secrets.vault-keys-env.path}
KEY3=$(head -n1 ${config.sops.secrets.vault-key3.path}) curl -H "Content-Type: application/json" --data "{\"key\":\"$VAULT_KEY1\"}" ${api-addr}/v1/sys/unseal >/dev/null 2>&1
curl -H "Content-Type: application/json" --data "{\"key\":\"$KEY1\"}" ${api-addr}/v1/sys/unseal >/dev/null 2>&1 curl -H "Content-Type: application/json" --data "{\"key\":\"$VAULT_KEY2\"}" ${api-addr}/v1/sys/unseal >/dev/null 2>&1
curl -H "Content-Type: application/json" --data "{\"key\":\"$KEY2\"}" ${api-addr}/v1/sys/unseal >/dev/null 2>&1 curl -H "Content-Type: application/json" --data "{\"key\":\"$VAULT_KEY3\"}" ${api-addr}/v1/sys/unseal >/dev/null 2>&1
curl -H "Content-Type: application/json" --data "{\"key\":\"$KEY3\"}" ${api-addr}/v1/sys/unseal >/dev/null 2>&1
''; '';
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
}; };

5
secrets/home-hypervisor/vault.yaml
View File

@ -4,14 +4,15 @@ vault-key2: ENC[AES256_GCM,data:aYXhjVBfDKKXGHxtxhX2N8rgPJcImhdPun9a905abeJ6YwnX
vault-key3: ENC[AES256_GCM,data:iwWfxfjP+A6XQzzEHCel8NoTKMEAysDXeDeTouQ4qvZMzizUkN+Vhtf9DkM=,iv:yGs2h6GzQBzSAdFzGJTMCtHpYltsHtpox8kgrjo4r2s=,tag:m/mJrFhWKclVp20oPlNnOg==,type:str] vault-key3: ENC[AES256_GCM,data:iwWfxfjP+A6XQzzEHCel8NoTKMEAysDXeDeTouQ4qvZMzizUkN+Vhtf9DkM=,iv:yGs2h6GzQBzSAdFzGJTMCtHpYltsHtpox8kgrjo4r2s=,tag:m/mJrFhWKclVp20oPlNnOg==,type:str]
vault-key4: ENC[AES256_GCM,data:ONdi4oTOaxzcjcgJFhF05CHKMF4U1vBfYbdinB8yjc+7DDpllj/qKVhl9+c=,iv:xHG3kgLzsQvfWsU/Wk+G+ktm/6HamyLcBztPlCHVH7o=,tag:hx9giqs2/VYFNXZLEGjMnA==,type:str] vault-key4: ENC[AES256_GCM,data:ONdi4oTOaxzcjcgJFhF05CHKMF4U1vBfYbdinB8yjc+7DDpllj/qKVhl9+c=,iv:xHG3kgLzsQvfWsU/Wk+G+ktm/6HamyLcBztPlCHVH7o=,tag:hx9giqs2/VYFNXZLEGjMnA==,type:str]
vault-key5: ENC[AES256_GCM,data:sKABkAuvMhfsWSJNMvA5A0Up3z9vTf+uu9Aa4U+wftNYwWU9cHAr5N5WQLE=,iv:jQXhCLNrKhy369YSp9SaCOULB077tGLxBBJZ4917+nA=,tag:VW68/IwNZzE5+WmLVdXoPw==,type:str] vault-key5: ENC[AES256_GCM,data:sKABkAuvMhfsWSJNMvA5A0Up3z9vTf+uu9Aa4U+wftNYwWU9cHAr5N5WQLE=,iv:jQXhCLNrKhy369YSp9SaCOULB077tGLxBBJZ4917+nA=,tag:VW68/IwNZzE5+WmLVdXoPw==,type:str]
vault-keys-env: ENC[AES256_GCM,data:EtIRzlCGjULEjxMU1W3ca8vrM+6Z4PNGspg1qCOCUgTVELPFHnqPfBpIC1zClSuqCErwtZiBBI7OCpYF4wdEMeaAOPNMSqOvF56H/MEEYbZHEaA7D9uBGqWDEm7HHhr86dwPPjEisuOj44ju3VgGa//SjyOz6WfHwV89DojDkxSnY+egiJzrZhWbj+VIQsoZ8lLCTFjhFJVXdc9grgznoC0mUAAgNvWSdr1P/NT5Q8QMYfGieCSSIeAq+/p1WXzd2YVGNUMD9Ym+Obj21r6Ag1UWaIx9LZvVlZ+BDuz50fFsGsnCFqUzK9sK+tjhlG4rHUdQMGCuGkgqCJPovxmioiqgninbza7L8wjbbbkIjx628K7YxGfM,iv:URbdJQfbNvNH7Awt703lcJoFJcMs4JyGwuL8f1w8tT0=,tag:PWlFaPNPWwF47+66KcTUhQ==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2024-01-25T12:12:55Z" lastmodified: "2024-01-27T13:13:42Z"
mac: ENC[AES256_GCM,data:TcXRBSKkI4BfXPEdRsxD/4bMT5ZF4miDclcXfhbqeikrmcbv3Lc8Zi/HVXro2hFIa91AvHoTb66KaIeVLLPsKOLmrOSRlyNNZafAKy9/STYftFQIsSUuT9LJDRvcuOyNAj2Knz0zCwPoD21tQro3n5CEvFreivNtXwYtX0wgLMo=,iv:/V3Dm3wAKB3GeqK/1hJJQ+L7d0FCoocY1Dgvz+y0mWY=,tag:YUZXSpewamAwiLViBI6lug==,type:str] mac: ENC[AES256_GCM,data:fjxLdFVIO2AEe2zr6Eu/b7DW0+8RT9MsF7sa1Fh3dBfSzA4JyKB7vtk0KWsPks8lAAfZXDV8A9ICPcQtPzjyASx6Ck8AgaBFZL2kzG9LVpwIzvM5TMKs182qCcMQ1v8SSpmG7+mnyacJk71XL1l0Y8eK2ddI+neCjD8skML/eZM=,iv:QDPmNbNooFMFhvLc5XTKLnspHCOKDIKRaPvEx2hMjAU=,tag:GmLSi036UDVI12qi5MEFww==,type:str]
pgp: pgp:
- created_at: "2024-01-25T12:11:53Z" - created_at: "2024-01-25T12:11:53Z"
enc: |- enc: |-