cluster/services/idm: use cluster secrets

2024-07-08 18:41:51 +02:00 · 2024-07-08 18:41:51 +02:00 · 7b95308f0d
commit 7b95308f0d
parent deaa423c86
8 changed files with 5 additions and 3 deletions
--- a/cluster/secrets/idm-serviceAccountCredentials-VEGAS.age
+++ b/cluster/secrets/idm-serviceAccountCredentials-VEGAS.age
--- a/cluster/secrets/idm-serviceAccountCredentials-checkmate.age
+++ b/cluster/secrets/idm-serviceAccountCredentials-checkmate.age
--- a/cluster/secrets/idm-serviceAccountCredentials-grail.age
+++ b/cluster/secrets/idm-serviceAccountCredentials-grail.age
--- a/cluster/secrets/idm-serviceAccountCredentials-prophet.age
+++ b/cluster/secrets/idm-serviceAccountCredentials-prophet.age
--- a/cluster/secrets/idm-serviceAccountCredentials-soda.age
+++ b/cluster/secrets/idm-serviceAccountCredentials-soda.age
--- a/cluster/secrets/idm-serviceAccountCredentials-thunderskin.age
+++ b/cluster/secrets/idm-serviceAccountCredentials-thunderskin.age
--- a/cluster/services/idm/client.nix
+++ b/cluster/services/idm/client.nix
@ -5,10 +5,8 @@ let
 in

 {
-  age.secrets.idmServiceAccountCredentials.file = ./secrets/service-account-${config.networking.hostName}.age;
-
  systemd.services.kanidm-unixd.serviceConfig = {
-    EnvironmentFile = config.age.secrets.idmServiceAccountCredentials.path;
+    EnvironmentFile = cluster.config.services.idm.secrets.serviceAccountCredentials.path;
  };

  services.kanidm = {
--- a/cluster/services/idm/default.nix
+++ b/cluster/services/idm/default.nix
@ -33,6 +33,10 @@
        ./policies/soda.nix
      ];
    };
+    secrets.serviceAccountCredentials = {
+      nodes = config.services.idm.nodes.client;
+      shared = false;
+    };
  };

  dns.records = let