torjus/nixos-servers
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

pki: add new vault root ca to pki

Browse Source
This commit is contained in:
Torjus Håkestad
2026-02-03 04:56:22 +01:00
parent f0525b5c74
commit 7ae474fd3e
8 changed files with 157 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

96
services/vault/default.nix
View File

@@ -77,8 +77,89 @@ let
fi
'';
};
bootstrapCertScript = pkgs.writeShellApplication {
name = "bootstrap-vault-cert";
runtimeInputs = with pkgs; [
openbao
jq
openssl
coreutils
];
text = ''
# Bootstrap vault01 with a proper certificate from its own PKI
# This solves the chicken-and-egg problem where ACME clients can't trust
# vault01's self-signed certificate.
echo "=== Bootstrapping vault01 certificate ==="
# Use Unix socket to avoid TLS issues
export BAO_ADDR='unix:///run/openbao/openbao.sock'
# ACME certificate directory
CERT_DIR="/var/lib/acme/vault01.home.2rjus.net"
# Issue certificate for vault01 with vault as SAN
echo "Issuing certificate for vault01.home.2rjus.net (with SAN: vault.home.2rjus.net)..."
OUTPUT=$(bao write -format=json pki_int/issue/homelab \
common_name="vault01.home.2rjus.net" \
alt_names="vault.home.2rjus.net" \
ttl="720h")
# Create ACME directory structure
echo "Creating ACME certificate directory..."
mkdir -p "$CERT_DIR"
# Extract certificate components to temp files
echo "$OUTPUT" | jq -r '.data.certificate' > /tmp/vault01-cert.pem
echo "$OUTPUT" | jq -r '.data.private_key' > /tmp/vault01-key.pem
echo "$OUTPUT" | jq -r '.data.issuing_ca' > /tmp/vault01-ca.pem
# Create fullchain (cert + CA)
cat /tmp/vault01-cert.pem /tmp/vault01-ca.pem > /tmp/vault01-fullchain.pem
# Backup old certificates if they exist
if [ -f "$CERT_DIR/fullchain.pem" ]; then
echo "Backing up old certificate..."
cp "$CERT_DIR/fullchain.pem" "$CERT_DIR/fullchain.pem.backup"
cp "$CERT_DIR/key.pem" "$CERT_DIR/key.pem.backup"
fi
# Install new certificates
echo "Installing new certificate..."
mv /tmp/vault01-fullchain.pem "$CERT_DIR/fullchain.pem"
mv /tmp/vault01-cert.pem "$CERT_DIR/cert.pem"
mv /tmp/vault01-ca.pem "$CERT_DIR/chain.pem"
mv /tmp/vault01-key.pem "$CERT_DIR/key.pem"
# Set proper ownership and permissions (ACME-style)
chown -R acme:acme "$CERT_DIR"
chmod 750 "$CERT_DIR"
chmod 640 "$CERT_DIR"/*.pem
echo "Certificate installed successfully!"
echo ""
echo "Certificate details:"
openssl x509 -in "$CERT_DIR/cert.pem" -noout -subject -issuer -dates
echo ""
echo "Subject Alternative Names:"
openssl x509 -in "$CERT_DIR/cert.pem" -noout -ext subjectAltName
echo ""
echo "Now restart openbao service:"
echo " systemctl restart openbao"
echo ""
echo "After restart, verify ACME endpoint is accessible:"
echo " curl https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory"
echo ""
echo "Once working, ACME will automatically manage certificate renewals."
'';
};
in
{
# Make bootstrap script available as a command
environment.systemPackages = [ bootstrapCertScript ];
services.openbao = {
enable = true;
@@ -101,8 +182,8 @@ in
systemd.services.openbao.serviceConfig = {
LoadCredential = [
"key.pem:/var/lib/openbao/key.pem"
"cert.pem:/var/lib/openbao/cert.pem"
"key.pem:/var/lib/acme/vault01.home.2rjus.net/key.pem"
"cert.pem:/var/lib/acme/vault01.home.2rjus.net/fullchain.pem"
];
# TPM2-encrypted unseal key (created manually, see setup instructions)
LoadCredentialEncrypted = [
@@ -110,5 +191,16 @@ in
];
# Auto-unseal on service start
ExecStartPost = "${unsealScript}/bin/openbao-unseal";
# Add openbao user to acme group to read certificates
SupplementaryGroups = [ "acme" ];
};
# ACME certificate management
# Bootstrapped with bootstrap-vault-cert, now managed by ACME
security.acme.certs."vault01.home.2rjus.net" = {
server = "https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory";
listenHTTP = ":80";
reloadServices = [ "openbao" ];
extraDomainNames = [ "vault.home.2rjus.net" ];
};
}