| 27 May 2022 |
 @grahamc:nixos.org | this is how we generally integrate vault with our services: https://github.com/DeterminateSystems/nixos-vault-service | 13:30:04 |
 @mic92:nixos.dev | Ah, I thought aws kms unseal is only available in the enterprise edition | 13:30:35 |
| @grahamc:nixos.org | nope | 13:30:40 |
| @mic92:nixos.dev | Which is why I did not use it | 13:30:43 |
| @grahamc:nixos.org | kms unseal + dynamodb as the backend | 13:31:03 |
| @grahamc:nixos.org | makes it relatively easy to deploy using AMIs and not permit SSH access to the vault hosts | 13:31:25 |
| @grahamc:nixos.org | (which is considered best practice for vault servers) | 13:31:58 |
| @mic92:nixos.dev | So to update your fault server, you have to upload a new AMI? | 13:33:50 |
| @mic92:nixos.dev | *vault | 13:33:54 |
| @grahamc:nixos.org | that is the recommended best-practice for managing Vault servers, yeah | 13:34:05 |
| @grahamc:nixos.org | https://learn.hashicorp.com/tutorials/vault/production-hardening | 13:34:41 |
| @grahamc:nixos.org | "Disable ssh" and "immutable upgrades" | 13:35:39 |
| @mic92:nixos.dev | I see. Also one can run multiple vault servers on the same dynamo backend, right? https://www.vaultproject.io/docs/configuration/storage/dynamodb | 13:36:46 |
| @grahamc:nixos.org | as long as you setup clustering | 13:36:56 |
| @grahamc:nixos.org | I'd recommend spending a few days to a week playing with vault, setting up a lab, doing clustering, failovers, seal / unseal / etc. | 13:37:21 |
| @mic92:nixos.dev | I probably won't for now. I would be interested if I later on can migrate to such a setup, if required. | 13:38:04 |
| @grahamc:nixos.org | if you're not going to run multiple vault servers then I would probably recommend either using HCP Vault, or recommend against using vault | 13:38:40 |
| @grahamc:nixos.org | it tends to quickly become an incredibly important cornerstone to infrastructure and it can be somewhat catastrophic if it goes down | 13:39:08 |
| @mic92:nixos.dev | Ok. So I thought that short downtimes can be handled because vault agent is also caching stuff? | 13:40:10 |
| @grahamc:nixos.org | the vault agent caches some stuff but not everything | 13:40:29 |
| @grahamc:nixos.org | and also short down times are not so problematic :) | 13:40:38 |
| @grahamc:nixos.org | and running 3 machines is relatively cheap | 13:40:49 |
| @grahamc:nixos.org | well, caveat | 13:41:04 |
| @grahamc:nixos.org | if this is for personal use, go to town -- I have a single-node vault machine in my basement :P | 13:41:14 |
| @mic92:nixos.dev | It's a bit more serious in my case I think | 13:41:42 |
| @grahamc:nixos.org | but for work stuff, we take the precautions | 13:41:43 |
| @grahamc:nixos.org | what's it for? | 13:42:06 |
| @mic92:nixos.dev | For a customer | 13:42:31 |
| @grahamc:nixos.org | unless you're running your own Vault plugins, I would recommend using HCP Vault | 13:42:50 |
| @mic92:nixos.dev | I might actually want this in future :) | 13:43:33 |
