From 35dc7e58ed21e919dcbd5a09dc689b59b08eb66f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jean-Fran=C3=A7ois=20Roche?=
Date: Fri, 16 Jun 2023 21:06:08 +0200
Subject: [PATCH] fix: vault agent with environment secrets only
Sometimes we only need to inject secrets as environment variables
---
 nix/modules/vault-secrets.nix | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/nix/modules/vault-secrets.nix b/nix/modules/vault-secrets.nix
index 6748582..80ace13 100644
--- a/nix/modules/vault-secrets.nix
+++ b/nix/modules/vault-secrets.nix
@@ -64,7 +64,7 @@ let
 (lib.mapAttrsToList
 (serviceName: _service: getSecretTemplate serviceName services.${serviceName}.vault)
- (lib.filterAttrs (_n: v: v.vault.secrets != { } && v.vault.agent == config._module.args.name) services))
+ (lib.filterAttrs (_n: v: v.vault.template != null && v.vault.agent == config._module.args.name) services))
 ++ (lib.mapAttrsToList
 (serviceName: _service: getEnvironmentTemplate serviceName services.${serviceName}.vault)
@@ -92,7 +92,8 @@ in
 };
 template = lib.mkOption {
- type = lib.types.lines;
+ type = lib.types.nullOr lib.types.lines;
+ default = null;
 description = ''
 The vault agent template to use for secrets
 '';
@@ -135,13 +136,14 @@ in
 config = let
 mkIfHasEnv = lib.mkIf (config.vault.environmentTemplate != null);
+ mkIfHasSecret = lib.mkIf (config.vault.template != null);
 in {
 after = mkIfHasEnv [ "${serviceName}-envfile.service" ];
 bindsTo = mkIfHasEnv [ "${serviceName}-envfile.service" ];
 serviceConfig = {
- LoadCredential = lib.mapAttrsToList (_: config: "${config.name}:/run/systemd-vaultd/sock") config.vault.secrets;
+ LoadCredential = mkIfHasSecret (lib.mapAttrsToList (_: config: "${config.name}:/run/systemd-vaultd/sock") config.vault.secrets);
 EnvironmentFile = mkIfHasEnv [ "/run/systemd-vaultd/secrets/${serviceName}.service.EnvironmentFile" ];
 };
 };
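Review bot: The replaced filter keeps a service in the agent's template list only when `vault.template` is set, so a service that declares entries in `vault.secrets` but leaves `template` at its new default of `null` is silently dropped here and, through `mkIfHasSecret` in the last hunk, also loses its `LoadCredential` entries; the declared credentials are then never delivered and nothing at evaluation time says why. Consider asserting that the two options agree, e.g. `assertion = config.vault.secrets == { } || config.vault.template != null;` with a message naming the service, wherever this module already reports configuration errors. The reverse case, a template with an empty `secrets` set, now passes the filter where it previously did not; whether `getSecretTemplate` copes with that is not visible in this hunk. The enclosing `let` binding begins and ends outside the hunk.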
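Review bot: The `template` option now defaults to `null`, but its description still reads as though a template is always supplied and does not say what `null` means for the service. I would extend it to `The vault agent template to use for secrets. Defaults to null, meaning no secret template is rendered for this service; use this when only environmentTemplate is needed. Entries in secrets are only delivered to the service when a template is set.` The `lib.mkOption` attribute set continues past the end of the hunk.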
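Review bot: `mkIfHasSecret` is named after `secrets` but tests `config.vault.template != null`, a different option; a reader will assume it checks `config.vault.secrets != { }`, the very condition the first hunk removed. Rename it to match its predicate, `mkIfHasTemplate = lib.mkIf (config.vault.template != null);`, and use that name on the `LoadCredential` line. Separately, the inner lambda parameter `config` in `_: config: "${config.name}:/run/systemd-vaultd/sock"` shadows the module's `config` that the surrounding `let` reads; this predates the commit, but now that the expression is wrapped in a guard built from the outer `config`, `_: s: "${s.name}:/run/systemd-vaultd/sock"` would make the two scopes easier to tell apart.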