# Allow each authenticated entity to manage its own secrets under kv/server/<entity name>
# KV v2 data under server/<entity name>. The {{identity.entity.name}} template
# is what scopes each caller to its own subtree; nothing else in this stanza
# limits the path. NOTE(review): tokens that carry no entity have nothing to
# substitute here — confirm how such tokens are expected to behave against
# this policy.
path "kv/data/server/{{identity.entity.name}}/*" {
  # "patch" is not granted, and no stanza below grants kv/destroy or a delete
  # on kv/metadata, so a caller can write and (soft-)delete versions of its
  # own keys but cannot purge version history or change per-key metadata.
  capabilities = ["create", "update", "read", "delete"]
}

# Key enumeration in KV v2 goes through the metadata endpoint, so listing is
# granted on the entity's own subtree separately from data access.
path "kv/metadata/server/{{identity.entity.name}}/*" {
  capabilities = ["list"]
}
# Listing server/ itself discloses which entity names have a subtree,
# not the contents of any of them.
path "kv/metadata/server" {
  capabilities = ["list"]
}

# "+" matches exactly one path segment, so this permits listing the key
# names directly under every top-level folder of the mount (apps/, server/,
# and any other). Only names are disclosed, not values — worth remembering
# when naming keys in folders that are otherwise not readable by servers.
path "kv/metadata/+" {
  capabilities = ["list"]
}

# Certificate issuance. This file does not restrict which names may be
# requested; that is left to the acme mount's own configuration.
# NOTE(review): confirm the mount constrains requested names per identity.
path "acme/certs/*" {
  capabilities = ["create"]
}

# Servers can always get nix-daemon data. Read-only on both the data and
# metadata endpoints; writes to this key are not granted by this policy.
path "kv/data/apps/nix-daemon" {
  capabilities = ["read"]
}
path "kv/metadata/apps/nix-daemon" {
  capabilities = ["read"]
}

# Servers can issue sub-tokens.
# Vault only lets a non-sudo caller give a child token a subset of its own
# policies, so this is not an escalation path on its own, but it does let a
# server mint additional credentials with their own lifetime. NOTE(review):
# consider pinning this to a token role (auth/token/create/<role>) or using
# allowed_parameters to bound "policies" and "ttl" if that is not intended.
path "auth/token/create" {
  capabilities = ["update"]
}