|
|
|
@ -45,7 +45,7 @@ let
|
|
|
|
getSecretTemplate = serviceName: vaultConfig:
|
|
|
|
getSecretTemplate = serviceName: vaultConfig:
|
|
|
|
{
|
|
|
|
{
|
|
|
|
contents = vaultConfig.template;
|
|
|
|
contents = vaultConfig.template;
|
|
|
|
destination = "/run/systemd-vaultd/secrets/${serviceName}.service.json";
|
|
|
|
destination = "/run/systemd-openbaod/secrets/${serviceName}.service.json";
|
|
|
|
perms = "0400";
|
|
|
|
perms = "0400";
|
|
|
|
}
|
|
|
|
}
|
|
|
|
// templateExec serviceName vaultConfig;
|
|
|
|
// templateExec serviceName vaultConfig;
|
|
|
|
@ -53,7 +53,7 @@ let
|
|
|
|
getEnvironmentTemplate = serviceName: vaultConfig:
|
|
|
|
getEnvironmentTemplate = serviceName: vaultConfig:
|
|
|
|
{
|
|
|
|
{
|
|
|
|
contents = vaultConfig.environmentTemplate;
|
|
|
|
contents = vaultConfig.environmentTemplate;
|
|
|
|
destination = "/run/systemd-vaultd/secrets/${serviceName}.service.EnvironmentFile";
|
|
|
|
destination = "/run/systemd-openbaod/secrets/${serviceName}.service.EnvironmentFile";
|
|
|
|
perms = "0400";
|
|
|
|
perms = "0400";
|
|
|
|
}
|
|
|
|
}
|
|
|
|
// templateExec serviceName vaultConfig;
|
|
|
|
// templateExec serviceName vaultConfig;
|
|
|
|
@ -141,8 +141,8 @@ in
|
|
|
|
bindsTo = mkIfHasEnv [ "${serviceName}-envfile.service" ];
|
|
|
|
bindsTo = mkIfHasEnv [ "${serviceName}-envfile.service" ];
|
|
|
|
|
|
|
|
|
|
|
|
serviceConfig = {
|
|
|
|
serviceConfig = {
|
|
|
|
LoadCredential = mkIfHasSecret (lib.mapAttrsToList (_: config: "${config.name}:/run/systemd-vaultd/sock") config.vault.secrets);
|
|
|
|
LoadCredential = mkIfHasSecret (lib.mapAttrsToList (_: config: "${config.name}:/run/systemd-openbaod/sock") config.vault.secrets);
|
|
|
|
EnvironmentFile = mkIfHasEnv [ "/run/systemd-vaultd/secrets/${serviceName}.service.EnvironmentFile" ];
|
|
|
|
EnvironmentFile = mkIfHasEnv [ "/run/systemd-openbaod/secrets/${serviceName}.service.EnvironmentFile" ];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}));
|
|
|
|
}));
|
|
|
|
@ -173,14 +173,14 @@ in
|
|
|
|
Before=${service}.service
|
|
|
|
Before=${service}.service
|
|
|
|
BindsTo=${service}.service
|
|
|
|
BindsTo=${service}.service
|
|
|
|
StopPropagatedFrom=${service}.service
|
|
|
|
StopPropagatedFrom=${service}.service
|
|
|
|
After=systemd-vaultd.socket
|
|
|
|
After=systemd-openbaod.socket
|
|
|
|
Requires=systemd-vaultd.socket
|
|
|
|
Requires=systemd-openbaod.socket
|
|
|
|
|
|
|
|
|
|
|
|
[Service]
|
|
|
|
[Service]
|
|
|
|
Type=oneshot
|
|
|
|
Type=oneshot
|
|
|
|
ExecStart=${pkgs.coreutils}/bin/true
|
|
|
|
ExecStart=${pkgs.coreutils}/bin/true
|
|
|
|
RemainAfterExit=true
|
|
|
|
RemainAfterExit=true
|
|
|
|
LoadCredential=${service}.service.EnvironmentFile:/run/systemd-vaultd/sock
|
|
|
|
LoadCredential=${service}.service.EnvironmentFile:/run/systemd-openbaod/sock
|
|
|
|
|
|
|
|
|
|
|
|
[Install]
|
|
|
|
[Install]
|
|
|
|
WantedBy=${service}.service
|
|
|
|
WantedBy=${service}.service
|
Raito Bezarius
1 month ago