sops-to-openbao-migration #19

Merged
torjus merged 3 commits from sops-to-openbao-migration into master 2026-02-05 18:44:54 +00:00
Owner

Sops to OpenBao Secrets Migration

Summary

Migrate all hosts from sops-nix secrets management to OpenBao (Vault) with AppRole authentication. This removes the dependency on sops-encrypted files for runtime secrets across the infrastructure.

Changes

Global prerequisites:

  • Hardcoded root password hash in system/root-user.nix, removing the sops dependency that affected all hosts
  • Added extractKey option to system/vault-secrets.nix - allows extracting a single key from a vault secret JSON and writing it as a plain file (needed by most services that expect a file, not a directory)
  • Fixed multiline secret handling in scripts/vault-fetch/vault-fetch.sh - the previous read-based loop truncated multiline values like the PVE exporter YAML config

Terraform (terraform/vault/):

  • Added secrets for all hosts: shared backup password (auto-generated), NATS nkey, PVE exporter config, DNS transfer key, WireGuard private key, nix cache signing key, and Gitea Actions token
  • Added AppRole policies for all migrated hosts: ha1, monitoring01, ns1, ns2, http-proxy, nix-cache01, nats1, jelly01, pgdb1

Ansible:

  • New playbooks/provision-approle.yml - reusable playbook to provision AppRole credentials to any host

NixOS host/service changes (sops → vault):

  • hosts/ha1 - backup password
  • hosts/monitoring01 - backup password
  • services/monitoring/alerttonotify.nix - NATS nkey
  • services/monitoring/pve.nix - PVE exporter config
  • services/ns/master-authorative.nix - DNS transfer key
  • services/ns/secondary-authorative.nix - DNS transfer key
  • hosts/http-proxy/wireguard.nix - WireGuard private key
  • services/nix-cache/harmonia.nix - cache signing key
  • services/actions-runner/default.nix - Gitea Actions token
  • Enabled vault.enable on: ns1, ns2, http-proxy, nix-cache01

Tested

  • ha1: vault secret fetch, backup service working
  • monitoring01: all 3 secrets (backup, nats nkey, pve-exporter) verified working

Not migrated

  • ca: deferred, waiting for PKI migration
  • auth01: skipped, decommissioned
  • Wave 1 hosts (nats1, jelly01, pgdb1): AppRole provisioned but no service secrets to migrate (root password already handled globally)
torjus added 3 commits 2026-02-05 18:42:44 +00:00
Replace sops-nix secrets with OpenBao vault secrets across all hosts.
Hardcode root password hash, add extractKey option to vault-secrets
module, update Terraform with secrets/policies for all hosts, and
create AppRole provisioning playbook.

Hosts migrated: ha1, monitoring01, ns1, ns2, http-proxy, nix-cache01
Wave 1 hosts (nats1, jelly01, pgdb1) get AppRole policies only.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
terraform: auto-generate backup password instead of manual
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m19s
ccb1c3fe2e
Remove backup_helper_secret variable and switch shared/backup/password
to auto_generate. New password will be added alongside existing restic
repository key.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
vault-fetch: fix multiline secret values being truncated
Some checks failed
Run nix flake check / flake-check (pull_request) Successful in 2m5s
Run nix flake check / flake-check (push) Failing after 16m11s
2c9d86eaf2
The read-based loop split multiline values on newlines, causing only
the first line to be written. Use jq -j to write each key's value
directly to files, preserving multiline content.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
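The truncation this commit message describes, shown as an added example that is not the repository's own vault-fetch.sh: a constructed secret JSON containing a multiline value, a read-based loop of the kind described that keeps only the first line, and the jq -j write that keeps the whole value. It assumes jq is installed; the secret contents, key names and output directories are made up for the illustration.

```shell
# Added example, not the repository's vault-fetch.sh: a constructed KV
# secret with a multiline value, the read-based pattern that truncates it,
# and the jq -j approach that preserves it. Requires jq.
set -eu

# Constructed sample of a secret's data object: one single-line key and one
# multiline YAML-style value of the kind the PVE exporter config has.
SAMPLE_SECRET='{"password":"s3cret","config.yml":"default:\n  user: exporter\n  verify_ssl: false\n"}'

secret_keys() {
    printf '%s' "$SAMPLE_SECRET" | jq -r 'keys[]'
}

# Truncating variant: jq -r prints the value line by line, and a single
# read consumes only the first line, so the rest of the value is lost.
write_with_read() {
    outdir="$1"
    for key in $(secret_keys); do
        printf '%s' "$SAMPLE_SECRET" | jq -r --arg k "$key" '.[$k]' | {
            read -r value   # first line only
            printf '%s\n' "$value" > "$outdir/$key"
        }
    done
}

# Fixed variant: jq -j writes the raw value straight to the file, with
# embedded newlines intact and no newline appended.
write_with_jq() {
    outdir="$1"
    for key in $(secret_keys); do
        printf '%s' "$SAMPLE_SECRET" | jq -j --arg k "$key" '.[$k]' > "$outdir/$key"
    done
}

# Number of lines written for a given file (newline count, as wc -l reports).
line_count() {
    wc -l < "$1" | tr -d ' '
}

demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/read" "$tmp/jq"
    write_with_read "$tmp/read"
    write_with_jq "$tmp/jq"
    printf 'read-based config.yml: %s line(s)\n' "$(line_count "$tmp/read/config.yml")"
    printf 'jq -j config.yml:      %s line(s)\n' "$(line_count "$tmp/jq/config.yml")"
    rm -rf "$tmp"
}
demo
```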
torjus merged commit a46fbdaa70 into master 2026-02-05 18:44:54 +00:00
torjus deleted branch sops-to-openbao-migration 2026-02-05 18:44:54 +00:00
Reference: torjus/nixos-servers#19