bitwarden and fleet

maskiner/core/configuration.nix

@@ -56,6 +56,11 @@ in
   sops.secrets.build-service = { };
   sops.secrets.fredrik-wastring = { };
   sops.secrets.fw-qemu = { };
+  sops.secrets.fleet-enroll-secret = {
+    owner = "root";
+    group = "root";
+    mode = "0400";
+  };
   sops.secrets.github_token = {
     owner = "fw";
     group = "users";
@@ -69,6 +74,39 @@ in
 
   environment.systemPackages = [ pkgs.cifs-utils ];
 
+  systemd.services.fleet-osquery = {
+    description = "osquery enrolled to Fleet";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+
+    serviceConfig = {
+      Restart = "always";
+      RestartSec = "5s";
+      StateDirectory = "osquery";
+      RuntimeDirectory = "osquery";
+
+      ExecStart = ''
+        ${pkgs.osquery}/bin/osqueryd \
+          --host_identifier=uuid \
+          --pidfile=/run/osquery/osqueryd.pid \
+          --extensions_socket=/run/osquery/osquery.em \
+          --database_path=/var/lib/osquery/osquery.db \
+          --enroll_tls_endpoint=/api/osquery/enroll \
+          --config_plugin=tls \
+          --config_tls_endpoint=/api/osquery/config \
+          --logger_plugin=tls \
+          --logger_tls_endpoint=/api/osquery/log \
+          --distributed_plugin=tls \
+          --distributed_tls_read_endpoint=/api/osquery/distributed/read \
+          --distributed_tls_write_endpoint=/api/osquery/distributed/write \
+          --tls_hostname=fleet.internalifacts.se:443 \
+          --enroll_secret_path=${config.sops.secrets.fleet-enroll-secret.path} \
+          --tls_server_certs=/etc/ssl/certs/ca-certificates.crt
+      '';
+    };
+  };
+
   fileSystems."/mnt/testweb/C" = {
     device = "//192.168.0.226/C$";
     fsType = "cifs";