vault: add auto-unseal

2026-02-01 23:39:11 +01:00
parent 3f2f91aedd
commit 24771894c9
3 changed files with 260 additions and 1 deletions
--- a/services/vault/default.nix
+++ b/services/vault/default.nix
@@ -1,4 +1,41 @@
-{ ... }:
+{ pkgs, ... }:
+let
+  unsealScript = pkgs.writeShellApplication {
+    name = "openbao-unseal";
+    runtimeInputs = with pkgs; [ openbao coreutils ];
+    text = ''
+      # Set environment to use Unix socket
+      export BAO_ADDR='unix:///run/openbao/openbao.sock'
+
+      # Wait for OpenBao to be ready
+      echo "Waiting for OpenBao to be ready..."
+      for _ in {1..30}; do
+        if bao status >/dev/null 2>&1; then
+          echo "OpenBao is ready"
+          break
+        fi
+        sleep 1
+      done
+
+      # Check if already unsealed
+      if bao status 2>&1 | grep -q "Sealed.*false"; then
+        echo "OpenBao is already unsealed"
+        exit 0
+      fi
+
+      # Unseal using the TPM-decrypted key
+      if [ -f "$CREDENTIALS_DIRECTORY/unseal-key" ]; then
+        echo "Unsealing OpenBao..."
+        UNSEAL_KEY=$(cat "$CREDENTIALS_DIRECTORY/unseal-key")
+        bao operator unseal "$UNSEAL_KEY"
+        echo "OpenBao unsealed successfully"
+      else
+        echo "WARNING: Unseal key credential not found, OpenBao remains sealed"
+        exit 0  # Don't fail the service, just log the warning
+      fi
+    '';
+  };
+in
 {
  services.openbao = {
    enable = true;
@@ -25,5 +62,11 @@
      "key.pem:/var/lib/openbao/key.pem"
      "cert.pem:/var/lib/openbao/cert.pem"
    ];
+    # TPM2-encrypted unseal key (created manually, see setup instructions)
+    LoadCredentialEncrypted = [
+      "unseal-key:/var/lib/openbao/unseal-key.cred"
+    ];
+    # Auto-unseal on service start
+    ExecStartPost = "${unsealScript}/bin/openbao-unseal";
  };
 }