<bbigras>
gchristensen: yeah I might just use vault.
<gchristensen>
bbigras: but, not so sure about sops. I think the good part of vault is ephemeral credentials
<gchristensen>
I haven't deployed vault in AWS before, just on bare metal
<bbigras>
gchristensen: do you use vault with aws kms?
<bbigras>
Anyone using vault with aws kms to unseal it? When I reboot the vault service fails to start. I think maybe the kms key or whatever is not available right away. If I start the service a couple of minutes later it seems fine.
<sphalerite>
gchristensen: since we've reached the topic: do you have (plans for) a blog post about how you use vault? I'd be very interested in reading about it :)
<Orbstheorem>
The only vault I know is ansible vault :D
<Orbstheorem>
vault?
<sphalerite>
Orbstheorem: if you want to go really fancy with secrets, you could use something like vault.
<chiiba>
To any Hashicorp Vault gurus here: Can I create a policy to allow reading a specific secret engine path? Or do I have to create a new secret engine and separate secrets between engines to manage ACLs?
<_habnabit>
srhb, oh, i wouldn't upstream this anyway; it's very cluster-specific. nomad's vault token needs to be written out to somewhere on disk and doesn't change across reboots. i suppose /var/lib makes sense because it (presumably) won't get cleaned out
<sheeldotme>
Makes sense to me cole-h, how do you currently handle secrets do you just have them in another git repo? Thinking about setting up something with vault.
2020-05-27
<{^_^}>
[nixpkgs] @jonringer pushed commit from @r-ryantm to master « bitwarden_rs-vault: 2.13.2b -> 2.14.0 »: https://git.io/Jfri8
<cole-h>
The only times I drop a review and don't test /that/ in-depth are when they require some sort of infrastructure (e.g. if I wanted to test a Hashicorp Vault update -- I don't have a vault setup, so I can't really do much there)
2020-05-22
<cransom>
using dhall to give me a list of packages to install seems like it would be analogous to having something like vault or a secret store telling me which packages to install. it's just not quite the right layer for it
<gchristensen>
just finished up a little module to glue buildkite to vault
2020-04-23
<thoughtpolice>
jakobrs: I use Vault but only for some basic stuff -- SSH certificates have been on my "look at" for a little while tho, haven't made the jump for any automation yet
<deni>
have that I can create the certificates via terraform as well and then all that's needed is to modify the vault service file to fetch those after before starting the vault service. Hmm possibly I'll have to modify the nginx service as well. Anyway something along those lines. The downside of this is that there is no automatic refresh of certs and I would have to do it manually. Although I could
<deni>
gchristensen: thanks! I'll check it out. I made a promise to myself to write as little bash as possible. :D I was thinking of using terraform to configure Vault once it's up and running. That would mean creating the CA in terraform. Creating an intermediate CA that gets imported into Vault and that's the one used for generating new certs. (I did this type of thing for work stuff). Anyway once I
<gchristensen>
deni: you could use vault for certs still, and write a little bit of bash to get certs
<deni>
edef: ah I see....I was kind of hoping you were using vault as a certificate provider. Damn! :D I have a private domain (zerotier) that I want to set up auto ssl certs for and I can't use acme because the domain verification is DNS based. I can whip something up with bash (puke) but I figured it would be better to use Vault for this. cc gchristensen
<deni>
edef: hey. you once wrote "i have a fairly neat auto-ACME'd vault setup i should really share". I was searching the IRC logs for vault related conversation, I'm not stalking you I swear :D .... I'm curious if you wrote about this? Did you mean that you use vault as a cert provider in an acme fashion or that you're configuring the vault server with acme certificates?
<deni>
bhipple: was mostly researching old conversations about nix+nixops+vault .... the question comes up *a lot*
<deni>
I quite enjoyed it for my non-vault-aware applications
<deni>
evils: energizer thanks! I see gchristensen is playing around with it. I have some experience with vault auto unsealing ... albeit in the cloud setting (AWS and GCP mostly). I'd need to think if any of that is applicable to my current non-cloud setup
<deni>
Somewhat relatedly...I asked on twitter a couple of days ago if anyone is playing around with Hashicorp vault and Nix/Nixops. Sadly I didn't get any response. I'm quite fond of Vault and have used it to great success before. But I'm at a loss how to integrate it with nixops other than with wrappers and what not
2020-03-26
<gchristensen>
gustavderdrache: (kill me) I could have it request its unlock keys over the wireguard tunnel to my laptop's vault, which requires a yubi-tap to allow :)
<gustavderdrache>
i wonder... what if you did the slurp-and-unseal thing and then rekeyed vault afterwards?
<gchristensen>
gustavderdrache: I want to deploy vault to a single server, using nixops. this is fine but after reboot, this creates a new step I have to run: unlocking vault. this is ... fine ... but nixops has no way to run the command from my machine over to Vault to unseal. I could transfer a key over to /run/keys and have service slurp it up and unseal, but then I'm sending a key over and just plopping it on
<gchristensen>
gustavderdrache: I'm annoyed about some Vault trade-offs
<damesca>
Hi. Looking for help. I'm trying to install a newer version of aws-vault by overriding src/version in the nixpkgs 19.03 version, but getting a ton of build failures (see build config/errors here: https://pastebin.com/Gkh7SVyx). Can anyone help? This is my first attempt at changing a package, and after reading the manual/googling around I've still
2019-08-07
<psyanticy>
Hi @lnl7. Is there any reason Hashicorp vault was packaged without the UI?
2019-07-10
<eraserhd>
I don't want to copy boiler plate to download the vault certificate and set VAULT_CACERT into all projects.
<eraserhd>
So I made wrappers for vault that set VAULT_CACERT if it wasn't already set and so forth.
<eraserhd>
Hey, can I solicit an opinion? I'm creating modules for work, and this does things like set $KUBECONFIG and $VAULT_CACERT. At first, I set environment.variables.VAULT_CACERT, but this seemed to have bootstrap issues (or at least I worried about it).
<hyper_ch>
and you just have to make sure that you backup the pool/encryption dataset to secure devices (e.g. 2-3 usb thumb drives that are stored in your bank's vault)
2019-05-13
<{^_^}>
[nixpkgs] @FRidh pushed commit from @r-ryantm to master « vault: 1.1.0 -> 1.1.2 »: https://git.io/fjWDs
<ToxicFrog>
I've been using keepass, which has an android version, and using a separate sync app to keep the vault synced between my computer and my phone
2019-02-09
<ottidmes>
mdash: I know it's me finding an excuse to keep it (common practice of programmers after spending a lot of effort on a piece of code), but since the older version in the PR (due to Rocket 0.4 added to bitwarden_rs version 1.5 breaks with rustc 1.31) is built using the Web Vault 2.4.0 and that fork only starts at 2.5.0, I am keeping it for versions older than 2.5.0
2019-02-08
<mdash>
ottidmes: hey guess what, i got bitwarden_rs and vault deployed
2019-02-07
<ottidmes>
mdash: I see that you are online again, did you see the bitwarden PR? I managed to package the vault with a different approach
2019-02-06
<ottidmes>
mdash: I managed to package the bitwarden vault, so I will be making a PR soon
2019-02-01
<LnL>
but for proper vault integration you need something that rotates those
<fresheyeball>
dhess: there is vault as a service in options already
<gchristensen>
didn't you do some vault stuff?
<dhess>
maybe I'll ask a different question: anyone around who's using something like Hashicorp Vault to deploy secrets to NixOS machines?
<timclassic>
If I install vault directly on the aarch64 system via nix-env, the correct arch gets installed.
<timclassic>
I'm using nixops to deploy from x86_64 to aarch64 (and I have an aarch64 build host configured), and this generally works. However, when I deploy vault this way, the x86_64 binary gets installed instead of the aarch64 variant. Where should I look to debug this?
<ottidmes>
mdash: if someone is willing to look at how to package the vault properly with Nix, then I can clean it up a bit and make a proper PR for it
2018-12-22
<{^_^}>
[nixpkgs] @timokau pushed commit from @r-ryantm to master « vault: 1.0.0 -> 1.0.1 (#52664) »: https://git.io/fhJqM
<bbarker_home>
in other news, none of the passwords I used to build NixOS VMs are working, not just this one. I saved them in a vault and history doesn't report changes. I think I may be going insane
2018-11-18
<steveeJ>
hyper_ch: we have an OS module for it and I'm wondering how to integrate ACME (which I haven't used before either) with the vault module for certificate generation
<hyper_ch>
what's vault?
<steveeJ>
does anyone have an example config for letsencrypt + vault by chance?
2018-11-06
<elvishjerricco>
Yea vault is a good answer. Maybe I'll move toward stuff like that
<srhb>
elvishjerricco: Yeah. What I did at $oldjob was essentially delegate all this to vault and friends
2018-11-04
<ottidmes>
Could anybody help me with packaging Bitwarden Vault (the web interface)? I got it working outside of Nix, so for my own use case I can workaround it by just reusing my local build, but if I want to make a pull request for Bitwarden, the web interface really should be included
2018-10-26
<arianvp>
nh2: I've asked hashicorp if they can do the same for the vault package. that'd make my life 1000x easier
<arianvp>
I'm gonna open an issue on the vault repo if they can vendor it too for vault
<elvishjerricco>
LnL: Hardening Vault doesn't make it invincible. I'm just saying it's adding a single point of failure where there previously may not have been one. But again, I'm willing to concede that key rotation might make up for it, especially since it's probably easy to make Vault insanely hard to penetrate.
<elvishjerricco>
LnL: True, but the damage is scoped to only what that machine has access to. And Vault doesn't prevent that; if the weakest link is compromised, the attacker has all the same access as without Vault.
<elvishjerricco>
ixxie: If the vault is compromised, then sending a private key does no good, since the attacker can just retain the key
<LnL>
if you restart vault you can't access anything until it's unlocked by an admin
<ixxie>
I don't know for sure, I am just speculating - but if it encrypts something and knows microservice X owns it, it can send the private key to X through a networking service like Consul and then X can open the resource but Vault can't
<elvishjerricco>
LnL: How does Vault have no access if it's the one doing all the issuing?
<LnL>
vault can't read its own secrets and the code is reviewed by security people every nth release
<elvishjerricco>
Doesn't really sound inherently more secure. If that machine is compromised, the attacker still gets the same level of access. Except now you've got this single Vault that, if compromised, compromises everything
<ixxie>
LnL so how does vault make it better?
<LnL>
ixxie: no, but I think the vault approach is much better than whatever supporting secret files in nix would be
<ixxie>
LnL: have you setup vault with NixOps?
<gchristensen>
lnl likes Vault for secrets, it'd be interesting to explore nixos + nixops + vault
2018-09-14
<LnL>
nix-build -A vault --option allow-import-from-derivation false works fine
<zimbatm>
> Vault UI is not available in this binary
<zimbatm>
isn't the vault UI packaged with vault nowadays?
<LnL>
hey, since you've used both vault and yarn2nix I was wondering if you ever tried to get the new vault ui working
2018-09-12
<{^_^}>
[nixpkgs] @LnL7 pushed commit from @zimbatm to release-18.09 « vault: 0.10.4 -> 0.11.1 »: https://git.io/fAKd8