feat: use vault certificates for incus (#405)

- replace default incus certificates with vault-generated ephemeral certificates - configure incus service to restart on certificate changes Reviewed-on: #405
2025-10-17 17:22:09 +11:00 · 2025-10-17 17:22:09 +11:00 · fac90c66db
commit fac90c66db
parent efbbb6bcb1
1 changed files with 20 additions and 0 deletions
--- a/modules/incus/manifests/init.pp
+++ b/modules/incus/manifests/init.pp
@ -21,6 +21,10 @@ class incus (
    enable     => true,
    hasstatus  => true,
    hasrestart => true,
+    subscribe  => [
+      File['/var/lib/incus/server.crt'],
+      File['/var/lib/incus/server.key'],
+    ],
  }

  file_line { 'subuid_root':
@ -55,6 +59,22 @@ class incus (
    }
  }

+  file { '/var/lib/incus/server.crt':
+    ensure => file,
+    source => '/etc/pki/tls/vault/certificate.crt',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0644',
+  }
+
+  file { '/var/lib/incus/server.key':
+    ensure => file,
+    source => '/etc/pki/tls/vault/private.key',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0600',
+  }
+
  if $facts['incus'] and $facts['incus']['config'] {
    # set core.https_address
    if $facts['incus']['config']['core.https_address'] != "${server_addr}:${server_port}" {