Fixup the mgmt nomad token generation

input-output-hk · Sep 24, 2021 · 1932f62 · 1932f62
1 parent ce0990f
commit 1932f62
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 4 deletions.
diff --git a/modules/nomad-policies.nix b/modules/nomad-policies.nix
@@ -3,7 +3,7 @@ let
   inherit (builtins) mapAttrs typeOf listToAttrs length attrNames;
   inherit (lib)
     flip mkOption mkIf mkEnableOption mapAttrsToList remove concatStringsSep;
-  inherit (lib.types) str enum submodule nullOr attrsOf listOf;
+  inherit (lib.types) addCheck str enum submodule nullOr attrsOf listOf;
   inherit (pkgs) toPrettyJSON ensureDependencies;
 
   sanitize = set:
@@ -40,7 +40,9 @@ let
   nomadPoliciesType = submodule ({ name, ... }: {
     options = {
       name = mkOption {
-        type = str;
+        # Disallow "management" to avoid collision with a
+        # default Vault nomad/creds/management role
+        type = addCheck str (x: x != "management");
         default = name;
       };
 

diff --git a/modules/vault-policies.nix b/modules/vault-policies.nix
@@ -115,11 +115,12 @@ in {
         fi
       done
 
-      # Nomad Policies
+      # Nomad Policies and Default Management Role
 
       ${concatStringsSep "\n" createNomadRoles}
+      vault write "nomad/role/management" "policies=" "type=management"
 
-      keepNames=(${toString (attrNames config.services.nomad.policies)})
+      keepNames=(${toString (attrNames config.services.nomad.policies ++ [ "management" ])})
       nomadRoles=($(nomad acl policy list -json | jq -r -e '.[].Name'))
 
       for role in "''${nomadRoles[@]}"; do

diff --git a/modules/vault-snapshots.nix b/modules/vault-snapshots.nix
@@ -171,8 +171,10 @@ let
         }
 
         exportToken () {
+          set +x
           VAULT_TOKEN="$(< /run/keys/vault-token)"
           export VAULT_TOKEN
+          set -x
         }
 
         isNotLeader () {