feat: use vault certificates for incus

- replace default incus certificates with vault-generated ephemeral certificates
- configure incus service to restart on certificate changes
This commit is contained in:
Ben Vincent 2025-10-17 17:09:35 +11:00
parent efbbb6bcb1
commit 79164cd5b8


@ -21,6 +21,10 @@ class incus (
enable => true, enable => true,
hasstatus => true, hasstatus => true,
hasrestart => true, hasrestart => true,
subscribe => [
File['/var/lib/incus/server.crt'],
File['/var/lib/incus/server.key'],
],
} }
file_line { 'subuid_root': file_line { 'subuid_root':
@ -55,6 +59,22 @@ class incus (
} }
} }
file { '/var/lib/incus/server.crt':
ensure => file,
source => '/etc/pki/tls/vault/certificate.crt',
owner => 'root',
group => 'root',
mode => '0644',
}
file { '/var/lib/incus/server.key':
ensure => file,
source => '/etc/pki/tls/vault/private.key',
owner => 'root',
group => 'root',
mode => '0600',
}
if $facts['incus'] and $facts['incus']['config'] { if $facts['incus'] and $facts['incus']['config'] {
# set core.https_address # set core.https_address
if $facts['incus']['config']['core.https_address'] != "${server_addr}:${server_port}" { if $facts['incus']['config']['core.https_address'] != "${server_addr}:${server_port}" {