From 62798739b8b8031ab03714fa94a4d02079805438 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Tue, 3 Feb 2026 06:40:57 +0100
Subject: [PATCH] fixup! pki: add new vault root ca to pki
---
 services/vault/default.nix | 2 ++
 terraform/vault/pki.tf | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
diff --git a/services/vault/default.nix b/services/vault/default.nix
index d0b4d6a..3439a67 100644
--- a/services/vault/default.nix
+++ b/services/vault/default.nix
@@ -195,6 +195,8 @@ in
 SupplementaryGroups = [ "acme" ];
 };
+ # ACME certificate management
+ # Bootstrapped with bootstrap-vault-cert, now managed by ACME
 security.acme.certs."vault01.home.2rjus.net" = {
 server = "https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory";
 listenHTTP = ":80";
diff --git a/terraform/vault/pki.tf b/terraform/vault/pki.tf
index 7583d41..23d47c8 100644
--- a/terraform/vault/pki.tf
+++ b/terraform/vault/pki.tf
@@ -62,6 +62,13 @@ resource "vault_mount" "pki_int" {
 description = "Intermediate CA"
 default_lease_ttl_seconds = 157680000 # 5 years
 max_lease_ttl_seconds = 157680000 # 5 years
+
+ # Required for ACME support - allow ACME-specific response headers
+ allowed_response_headers = [
+ "Replay-Nonce",
+ "Link",
+ "Location"
+ ]
 }
 resource "vault_pki_secret_backend_intermediate_cert_request" "intermediate" {
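Review bot: The `allowed_response_headers` list added to the `pki_int` mount leaves out `Last-Modified`, which Vault's ACME setup guidance lists alongside `Replay-Nonce`, `Link` and `Location` so clients can see it on certificate and CRL responses; consider `allowed_response_headers = ["Last-Modified", "Location", "Replay-Nonce", "Link"]`. A header missing from this list is silently stripped by the mount rather than rejected, so the omission would surface only as degraded client caching/polling, not as a hard failure — worth confirming against the Vault version in use. Note also that the 5-year `default_lease_ttl_seconds` on this mount, visible in the context lines, becomes the fallback TTL basis for ACME issuance that is not bounded by a role. The `resource "vault_mount" "pki_int"` block begins before this hunk.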
@@ -139,6 +146,33 @@ resource "vault_pki_secret_backend_config_urls" "config_urls" {
 ]
 }
+# Configure cluster path (required for ACME)
+resource "vault_pki_secret_backend_config_cluster" "cluster" {
+ backend = vault_mount.pki_int.path
+ path = "${var.vault_address}/v1/${vault_mount.pki_int.path}"
+ aia_path = "${var.vault_address}/v1/${vault_mount.pki_int.path}"
+}
+
+# Enable ACME support
+resource "vault_generic_endpoint" "acme_config" {
+ depends_on = [
+ vault_pki_secret_backend_config_cluster.cluster,
+ vault_pki_secret_backend_role.homelab
+ ]
+
+ path = "${vault_mount.pki_int.path}/config/acme"
+ ignore_absent_fields = true
+ disable_read = true
+ disable_delete = true
+
+ data_json = jsonencode({
+ enabled = true
+ allowed_issuers = ["*"]
+ allowed_roles = ["*"]
+ default_directory_policy = "sign-verbatim"
+ })
+}
+
 # ============================================================================
 # Direct Certificate Issuance (Non-ACME)
 # ============================================================================
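Review bot: `default_directory_policy = "sign-verbatim"` together with `allowed_roles = ["*"]` makes the default ACME directory — the one `services/vault/default.nix` points its client at — issue certificates with no role constraints at all (no `allowed_domains`, key-type or TTL limits), and every role on the mount is additionally exposed under its own ACME directory. Since `vault_pki_secret_backend_role.homelab` already exists and is listed in `depends_on`, prefer `default_directory_policy = "role:homelab"` and `allowed_roles = ["homelab"]` so ACME issuance is bounded by the same role as direct issuance; the NixOS client keeps working because it uses the default directory, and the resulting leaf TTL then comes from the role rather than, presumably, the mount's 5-year default — verify on an issued cert. `eab_policy` is not set, so the default of not requiring external account binding presumably applies, meaning any host that can reach port 8200 and complete an HTTP-01 or DNS-01 challenge for a name can obtain a certificate; that may be fine for a homelab, but write `eab_policy = "not-required"` explicitly so the decision is visible in review. Note too that `disable_read = true` on the `vault_generic_endpoint` means Terraform will never detect drift on `config/acme`, so a policy loosened out-of-band leaves the plan clean.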