torjus/nixos-servers
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
f5904738b0811115f9897a1b2bf0cceb52ed16df
nixos-servers/scripts/vault-fetch/README.md
Torjus Håkestad f5904738b0
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
Details
Run nix flake check / flake-check (pull_request) Successful in 2m30s
Details
vault: implement bootstrap integration
2026-02-03 01:09:43 +01:00

2.7 KiB
Raw Blame History

vault-fetch

A helper script for fetching secrets from OpenBao/Vault and writing them to the filesystem.

Features

  • AppRole Authentication: Uses role_id and secret_id from /var/lib/vault/approle/
  • Individual Secret Files: Writes each secret key as a separate file for easy consumption
  • Caching: Maintains a cache of secrets for fallback when Vault is unreachable
  • Graceful Degradation: Falls back to cached secrets if Vault authentication fails
  • Secure Permissions: Sets 600 permissions on all secret files

Usage

vault-fetch <secret-path> <output-directory> [cache-directory]

Examples

# Fetch Grafana admin secrets
vault-fetch hosts/monitoring01/grafana-admin /run/secrets/grafana /var/lib/vault/cache/grafana

# Use default cache location
vault-fetch hosts/monitoring01/grafana-admin /run/secrets/grafana

How It Works

  1. Read Credentials: Loads role_id and secret_id from /var/lib/vault/approle/
  2. Authenticate: Calls POST /v1/auth/approle/login to get a Vault token
  3. Fetch Secret: Retrieves secret from GET /v1/secret/data/{path}
  4. Extract Keys: Parses JSON response and extracts individual secret keys
  5. Write Files: Creates one file per secret key in output directory
  6. Update Cache: Copies secrets to cache directory for fallback
  7. Set Permissions: Ensures all files have 600 permissions (owner read/write only)

Error Handling

If Vault is unreachable or authentication fails:

  • Script logs a warning to stderr
  • Falls back to cached secrets from previous successful fetch
  • Exits with error code 1 if no cache is available

Environment Variables

  • VAULT_ADDR: Vault server address (default: https://vault01.home.2rjus.net:8200)
  • VAULT_SKIP_VERIFY: Skip TLS verification (default: 1)

Integration with NixOS

This tool is designed to be called from systemd service ExecStartPre hooks via the vault.secrets NixOS module:

vault.secrets.grafana-admin = {
  secretPath = "hosts/monitoring01/grafana-admin";
};

# Service automatically gets secrets fetched before start
systemd.services.grafana.serviceConfig = {
  EnvironmentFile = "/run/secrets/grafana-admin/password";
};

Requirements

  • curl: For Vault API calls
  • jq: For JSON parsing
  • coreutils: For file operations

Security Considerations

  • AppRole credentials stored at /var/lib/vault/approle/ should be root-owned with 600 permissions
  • Tokens are ephemeral and not stored - fresh authentication on each fetch
  • Secrets written to tmpfs (/run/secrets/) are lost on reboot
  • Cache directory persists across reboots for service availability
  • All secret files have restrictive permissions (600)
Reference in New Issue View Git Blame Copy Permalink