flake: add openbao to devshell

vault: replace vault with openbao
ns: add vault01 host to zone
2026-02-01 22:16:52 +01:00 · 2026-02-01 22:16:52 +01:00 · 2026-02-01 20:54:22 +01:00 · 2026-02-01 20:54:05 +01:00
4 changed files with 62 additions and 33 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -334,38 +334,38 @@
            sops-nix.nixosModules.sops
          ];
        };
-      testvm01 = nixpkgs.lib.nixosSystem {
-        inherit system;
-        specialArgs = {
-          inherit inputs self sops-nix;
+        testvm01 = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = {
+            inherit inputs self sops-nix;
+          };
+          modules = [
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
+            ./hosts/testvm01
+            sops-nix.nixosModules.sops
+          ];
        };
-        modules = [
-          (
-            { config, pkgs, ... }:
-            {
-              nixpkgs.overlays = commonOverlays;
-            }
-          )
-          ./hosts/testvm01
-          sops-nix.nixosModules.sops
-        ];
-      };
-      vault01 = nixpkgs.lib.nixosSystem {
-        inherit system;
-        specialArgs = {
-          inherit inputs self sops-nix;
+        vault01 = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = {
+            inherit inputs self sops-nix;
+          };
+          modules = [
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
+            ./hosts/vault01
+            sops-nix.nixosModules.sops
+          ];
        };
-        modules = [
-          (
-            { config, pkgs, ... }:
-            {
-              nixpkgs.overlays = commonOverlays;
-            }
-          )
-          ./hosts/vault01
-          sops-nix.nixosModules.sops
-        ];
-      };
      };
      packages = forAllSystems (
        { pkgs }:
@@ -380,6 +380,7 @@
            packages = with pkgs; [
              ansible
              opentofu
+              openbao
              (pkgs.callPackage ./scripts/create-host { })
            ];
          };
--- a/services/ns/zones-home-2rjus-net.conf
+++ b/services/ns/zones-home-2rjus-net.conf
@@ -1,7 +1,7 @@
 $ORIGIN home.2rjus.net.
 $TTL 1800
@       IN      SOA     ns1.home.2rjus.net.      admin.test.2rjus.net. (
-                        2063                    ; serial number
+                        2064                    ; serial number
                        3600                    ; refresh
                        900                     ; retry
                        1209600                 ; expire
@@ -63,6 +63,7 @@ actions1            IN      CNAME   nix-cache01
 pgdb1               IN      A       10.69.13.16
 nats1               IN      A       10.69.13.17
 auth01              IN      A       10.69.13.18
+vault01             IN      A       10.69.13.19

 ; http-proxy cnames
 nzbget              IN      CNAME   http-proxy
--- a/services/vault/default.nix
+++ b/services/vault/default.nix
@@ -1,8 +1,29 @@
 { ... }:
 {
-  services.vault = {
+  services.openbao = {
    enable = true;

-    storageBackend = "file";
+    settings = {
+      ui = true;
+
+      storage.file.path = "/var/lib/openbao";
+      listener.default = {
+        type = "tcp";
+        address = "0.0.0.0:8200";
+        tls_cert_file = "/run/credentials/openbao.service/cert.pem";
+        tls_key_file = "/run/credentials/openbao.service/key.pem";
+      };
+      listener.socket = {
+        type = "unix";
+        address = "/run/openbao/openbao.sock";
+      };
+    };
+  };
+
+  systemd.services.openbao.serviceConfig = {
+    LoadCredential = [
+      "key.pem:/var/lib/openbao/key.pem"
+      "cert.pem:/var/lib/openbao/cert.pem"
+    ];
  };
 }
--- a/terraform/vms.tf
+++ b/terraform/vms.tf
@@ -43,6 +43,7 @@ locals {
      cpu_cores = 2
      memory    = 2048
      disk_size = "20G"
+      flake_branch = "vault-setup"  # Bootstrap from this branch instead of master
    }
  }

@@ -118,6 +119,11 @@ resource "proxmox_vm_qemu" "vm" {
    }
  }

+  # TPM device
+  tpm_state {
+    storage = each.value.storage
+  }
+
  # Start on boot
  start_at_node_boot = true
Author	SHA1	Message	Date
Torjus Håkestad	4133eafc4e	flake: add openbao to devshell Some checks failed Run nix flake check / flake-check (push) Failing after 18m52s Details	2026-02-01 22:16:52 +01:00
Torjus Håkestad	ace848b29c	vault: replace vault with openbao	2026-02-01 22:16:52 +01:00
Torjus Håkestad	b012df9f34	ns: add vault01 host to zone Some checks failed Run nix flake check / flake-check (push) Failing after 15m40s Details Periodic flake update / flake-update (push) Successful in 1m7s Details	2026-02-01 20:54:22 +01:00
Torjus Håkestad	ab053c25bd	opentofu: add tmp device to vms	2026-02-01 20:54:05 +01:00