From 79164cd5b8acc77cafa3706a473f02e004acf3b4 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Fri, 17 Oct 2025 17:09:35 +1100
Subject: [PATCH] feat: use vault certificates for incus

- replace default incus certificates with vault-generated ephemeral certificates
- configure incus service to restart on certificate changes
---
 modules/incus/manifests/init.pp | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/modules/incus/manifests/init.pp b/modules/incus/manifests/init.pp
index 4bb862a..5bbac37 100644
--- a/modules/incus/manifests/init.pp
+++ b/modules/incus/manifests/init.pp
@@ -21,6 +21,10 @@ class incus (
     enable => true,
     hasstatus => true,
     hasrestart => true,
+    subscribe => [
+      File['/var/lib/incus/server.crt'],
+      File['/var/lib/incus/server.key'],
+    ],
   }
 
   file_line { 'subuid_root':
@@ -55,6 +59,22 @@ class incus (
     }
   }
 
+  file { '/var/lib/incus/server.crt':
+    ensure => file,
+    source => '/etc/pki/tls/vault/certificate.crt',
+    owner => 'root',
+    group => 'root',
+    mode => '0644',
+  }
+
+  file { '/var/lib/incus/server.key':
+    ensure => file,
+    source => '/etc/pki/tls/vault/private.key',
+    owner => 'root',
+    group => 'root',
+    mode => '0600',
+  }
+
   if $facts['incus'] and $facts['incus']['config'] {
     # set core.https_address
     if $facts['incus']['config']['core.https_address'] != "${server_addr}:${server_port}" {
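Review bot: The `/var/lib/incus/server.key` resource in the second hunk leaves Puppet's `backup` and `show_diff` at their defaults, so every rotation of the ephemeral private key stores the previous key in the agent's filebucket and, where diffs are enabled on the agent, prints the new key into agent output and reports; add `backup => false,` and `show_diff => false,` to that resource (and `backup => false` to the certificate resource if retired certificates are not wanted either). Because the key and certificate are copied rather than linked, incus only sees a renewed certificate on the next agent run, so if the vault certificates are short-lived the agent run interval must stay below the certificate lifetime — worth a comment on the resource such as `# copied (not linked) so the service subscribe triggers a restart; agent interval must be below the vault cert TTL`. The two file resources are also applied independently, so a vault renewal landing between them would leave a mismatched cert/key pair until the following run; how renewal is sequenced is not visible from this hunk. Neither resource declares an ordering against whatever installs incus and creates `/var/lib/incus`, so on a fresh host the copy may run before the directory exists unless an ordering elsewhere in the class already covers it. The enclosing `class incus` starts before and continues past both hunks.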