migrate-to-openbao-pki #31

Merged
torjus merged 3 commits from migrate-to-openbao-pki into master 2026-02-07 17:33:47 +00:00

Migration: step-ca to OpenBao PKI

Summary

Migrated all ACME certificate issuance from step-ca (ca.home.2rjus.net) to OpenBao PKI (vault.home.2rjus.net:8200/v1/pki_int/acme/directory). Also removed the labmon certificate monitoring service which was step-ca specific.

Commits

| Commit | Description |
|--------|-------------|
| 21db7e9 | acme: migrate from step-ca to OpenBao PKI |
| 9d019f2 | testvm01: add nginx with ACME certificate for PKI testing |
| 46f0387 | docs: update CLAUDE.md for PR creation and labmon removal |

Files Changed

| File | Change |
|------|--------|
| system/acme.nix | Updated default ACME server URL |
| services/http-proxy/proxy.nix | Updated Caddy acme_ca URL |
| services/nix-cache/proxy.nix | Updated Caddy acme_ca URL |
| hosts/monitoring01/configuration.nix | Removed labmon configuration (55 lines) |
| services/monitoring/prometheus.nix | Removed labmon scrape target |
| services/monitoring/rules.yml | Removed certificate_rules alert group (34 lines) |
| services/monitoring/default.nix | Removed alloy.nix import |
| services/monitoring/alloy.nix | Deleted (only used for labmon profiling) |
| hosts/testvm01/configuration.nix | Added nginx with ACME cert for testing |
| docs/plans/cert-monitoring.md | Created plan for future cert monitoring |
| CLAUDE.md | Updated docs (PR creation note, removed labmon references) |

Deployments

| Host | Status | Notes |
|------|--------|-------|
| testvm01 | Deployed | Fresh ACME cert from OpenBao PKI verified |
| http-proxy | Deployed | Config updated, will use OpenBao on next cert renewal |
| monitoring01 | Deployed | labmon stopped, scrape target removed |
| nix-cache01 | Pending | Will pick up changes on auto-upgrade after merge |
| Other hosts | Pending | Will pick up changes on auto-upgrade after merge |

Verification

testvm01 - New Certificate

```
subject: CN=testvm01.home.2rjus.net
issuer: C=NO; O=Homelab; CN=Homelab Intermediate CA
```

http-proxy - Existing Certificate (will renew from OpenBao)

```
issuer: O=home.2rjus.net CA; CN=home.2rjus.net CA Intermediate CA
```

Caddy will fetch new certs from OpenBao when current ones approach expiry.

monitoring01 - labmon Removed

  • Service stopped: labmon.service: Deactivated successfully
  • Scrape target removed from Prometheus (77 active targets, no labmon)
  • Alloy failing to scrape labmon (expected): connection refused

Next Steps

  1. Create PR and merge to master
  2. Let auto-upgrade propagate to remaining hosts
  3. Deploy to nix-cache01 when convenient
  4. Eventually decommission step-ca on ca host

Rollback

If issues occur, revert the ACME server changes. Existing step-ca certificates remain valid for up to 75 days.
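The following NixOS fragment is an added illustration of the two configuration changes this PR describes (the default ACME server in `system/acme.nix` and the Caddy `acme_ca` global option), together with the trust-anchor detail a reviewer would check: the verification output above shows the OpenBao intermediate (`O=Homelab; CN=Homelab Intermediate CA`) is a different issuer from the step-ca one (`O=home.2rjus.net CA`), so clients must trust the new root for the whole overlap period while old step-ca certificates are still valid. This is not code from the torjus/nixos-servers repository; the `https://` scheme on the OpenBao URL, the e-mail address and the root-CA file path are assumptions.

```nix
# Added example, not the repository's own acme.nix / proxy.nix.
{ config, pkgs, ... }:
{
  ###########################################################################
  # system/acme.nix equivalent: every security.acme cert now talks to OpenBao.
  ###########################################################################
  security.acme = {
    acceptTerms = true;
    defaults = {
      # Directory URL from the PR summary; the https:// scheme is assumed
      # (lego refuses plain-http ACME directories).
      server = "https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory";
      email = "admin@home.2rjus.net";  # placeholder, not from the PR
    };
  };

  ###########################################################################
  # Trust anchors. Leaf certs from OpenBao chain to a different root than the
  # step-ca certs that stay valid for up to 75 days, so the system store
  # must carry BOTH roots until the last step-ca cert has been renewed.
  # Both file paths are assumptions.
  ###########################################################################
  security.pki.certificateFiles = [
    ./certs/homelab-root-ca.pem        # new OpenBao root
    ./certs/home-2rjus-net-root-ca.pem # old step-ca root, drop after cut-over
  ];

  ###########################################################################
  # services/http-proxy/proxy.nix equivalent: Caddy obtains its own certs.
  ###########################################################################
  services.caddy = {
    enable = true;
    globalConfig = ''
      acme_ca https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory
      # Caddy must also trust the TLS certificate that OpenBao itself serves
      # on :8200; if that chain is not in the system store, name its root
      # explicitly (path assumed).
      acme_ca_root /etc/ssl/certs/homelab-root-ca.pem
    '';
  };

  ###########################################################################
  # hosts/testvm01/configuration.nix equivalent: nginx test host that proves
  # issuance works end to end before production hosts renew.
  ###########################################################################
  services.nginx = {
    enable = true;
    virtualHosts."testvm01.home.2rjus.net" = {
      enableACME = true;   # picks up security.acme.defaults.server above
      forceSSL = true;
    };
  };

  # HTTP-01 validation needs port 80 reachable from the OpenBao host.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}
```

After a rebuild, the same check used in the Verification section (inspecting the issuer of the served certificate) tells you whether a host has renewed against OpenBao yet: a leaf still showing `O=home.2rjus.net CA` came from step-ca and will flip on its next renewal. Since the labmon alert group was removed in this PR, that issuer check is the only signal of migration progress until the planned cert monitoring from `docs/plans/cert-monitoring.md` exists.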

torjus added 3 commits 2026-02-07 17:33:32 +00:00
Switch all ACME certificate issuance from step-ca (ca.home.2rjus.net)
to OpenBao PKI (vault.home.2rjus.net:8200/v1/pki_int/acme/directory).

- Update default ACME server in system/acme.nix
- Update Caddy acme_ca in http-proxy and nix-cache services
- Remove labmon service from monitoring01 (step-ca monitoring)
- Remove labmon scrape target and certificate_rules alerts
- Remove alloy.nix (only used for labmon profiling)
- Add docs/plans/cert-monitoring.md for future cert monitoring needs

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
testvm01: add nginx with ACME certificate for PKI testing
Some checks failed
Run nix flake check / flake-check (push) Failing after 1s
9d019f2b9a
Set up a simple nginx server with an ACME certificate from the new
OpenBao PKI infrastructure. This allows testing the ACME migration
before deploying to production hosts.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
docs: update CLAUDE.md for PR creation and labmon removal
Some checks failed
Run nix flake check / flake-check (push) Failing after 1s
Run nix flake check / flake-check (pull_request) Failing after 1s
46f03871f1
- Add note that gh pr create is not supported
- Remove labmon from Prometheus job names list
- Remove labmon from flake inputs list

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
torjus merged commit 3a25e3f7bc into master 2026-02-07 17:33:47 +00:00
torjus deleted branch migrate-to-openbao-pki 2026-02-07 17:33:47 +00:00

Reference: torjus/nixos-servers#31