secrets: migrate all hosts from sops to OpenBao vault

Replace sops-nix secrets with OpenBao vault secrets across all hosts. Hardcode root password hash, add extractKey option to vault-secrets module, update Terraform with secrets/policies for all hosts, and create AppRole provisioning playbook. Hosts migrated: ha1, monitoring01, ns1, ns2, http-proxy, nix-cache01 Wave 1 hosts (nats1, jelly01, pgdb1) get AppRole policies only. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 18:43:09 +01:00
parent 4d33018285
commit 0700033c0a
20 changed files with 393 additions and 44 deletions
--- a/system/root-user.nix
+++ b/system/root-user.nix
@@ -1,11 +1,10 @@
-{ pkgs, config, ... }: {
+{ pkgs, config, ... }:
+{
  programs.zsh.enable = true;
-  sops.secrets.root_password_hash = { };
-  sops.secrets.root_password_hash.neededForUsers = true;

  users.users.root = {
    shell = pkgs.zsh;
-    hashedPasswordFile = config.sops.secrets.root_password_hash.path;
+    hashedPassword = "$y$j9T$N09APWqKc4//z9BoGyzSb0$3dMUzojSmo3/10nbIfShd6/IpaYoKdI21bfbWER3jl8";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwfb2jpKrBnCw28aevnH8HbE5YbcMXpdaVv2KmueDu6 torjus@gunter"
    ];