vault: add auto-unseal

2026-02-01 23:39:11 +01:00
parent 3f2f91aedd
commit fd24ec4a8d
3 changed files with 252 additions and 6 deletions
--- a/services/vault/default.nix
+++ b/services/vault/default.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ pkgs, ... }:
 {
  services.openbao = {
    enable = true;
@@ -20,10 +20,40 @@
    };
  };

-  systemd.services.openbao.serviceConfig = {
-    LoadCredential = [
-      "key.pem:/var/lib/openbao/key.pem"
-      "cert.pem:/var/lib/openbao/cert.pem"
-    ];
+  systemd.services.openbao = {
+    serviceConfig = {
+      LoadCredential = [
+        "key.pem:/var/lib/openbao/key.pem"
+        "cert.pem:/var/lib/openbao/cert.pem"
+      ];
+      # TPM2-encrypted unseal key (created manually, see setup instructions)
+      LoadCredentialEncrypted = [
+        "unseal-key:/var/lib/openbao/unseal-key.cred"
+      ];
+    };
+
+    # Auto-unseal on service start
+    postStart = ''
+      # Wait for OpenBao to be ready and sealed
+      echo "Waiting for OpenBao to be ready..."
+      for i in {1..30}; do
+        if ${pkgs.curl}/bin/curl -sk https://127.0.0.1:8200/v1/sys/health 2>/dev/null | ${pkgs.jq}/bin/jq -e '.sealed == true' >/dev/null 2>&1; then
+          echo "OpenBao is ready and sealed, proceeding with unseal"
+          break
+        fi
+        sleep 1
+      done
+
+      # Unseal using the TPM-decrypted key
+      if [ -f "$CREDENTIALS_DIRECTORY/unseal-key" ]; then
+        echo "Unsealing OpenBao..."
+        UNSEAL_KEY=$(cat "$CREDENTIALS_DIRECTORY/unseal-key")
+        ${pkgs.openbao}/bin/bao operator unseal -address=https://127.0.0.1:8200 -tls-skip-verify "$UNSEAL_KEY"
+        echo "OpenBao unsealed successfully"
+      else
+        echo "WARNING: Unseal key credential not found, OpenBao remains sealed"
+        exit 0  # Don't fail the service, just log the warning
+      fi
+    '';
  };
 }