nixos-servers/services/vault
Torjus Håkestad c694b9889a: vault: add auto-unseal (2026-02-02 00:28:24 +01:00)

OpenBao Service Module

NixOS service module for OpenBao (the open-source Vault fork) that unseals itself on start. The unseal key is stored on disk as a systemd credential sealed to the host's TPM2 and is submitted to the server when the unit starts; this is distinct from OpenBao's KMS/transit-backed seal, which the module does not use.

Features

  • TLS-enabled TCP listener on 0.0.0.0:8200 (all interfaces; restrict reachability with the host firewall if the API should not be exposed to the network)
  • Unix socket listener at /run/openbao/openbao.sock
  • File-based storage at /var/lib/openbao
  • Unseal on service start with a key sealed to the host TPM2 via systemd credentials

Configuration

The module expects:

  • TLS certificate: /var/lib/openbao/cert.pem
  • TLS private key: /var/lib/openbao/key.pem
  • TPM2-encrypted unseal key: /var/lib/openbao/unseal-key.cred

Certificates are loaded via systemd LoadCredential, and the unseal key via LoadCredentialEncrypted. The unseal-key.cred file on disk is ciphertext that only this host's TPM2 can decrypt; systemd decrypts it at unit start into the service's private credentials directory (a tmpfs, readable only by the service), so the plaintext key never lands on persistent storage. Note that anyone with root on the host can decrypt the same file with systemd-creds decrypt, so the TPM binding protects against theft of the disk or backups, not against a compromised host.
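As a worked illustration of the credential wiring above, here is a post-start unseal hook of the kind an ExecStartPost= line could run. It is an added example and not this module's own code. It assumes credential IDs the page does not give: cert.pem for the certificate and unseal-key for the decrypted key (the name embedded by systemd-creds encrypt --name= must match the ID used in LoadCredentialEncrypted=, or systemd refuses to decrypt it). It also assumes the listener certificate is self-signed, so it is used directly as BAO_CACERT; point BAO_CACERT at the issuing CA otherwise.

```shell
#!/bin/sh
# Added example (not this module's own code): a post-start unseal hook.
# Assumed credential IDs, which the page does not state:
#   LoadCredential=cert.pem:/var/lib/openbao/cert.pem
#   LoadCredentialEncrypted=unseal-key:/var/lib/openbao/unseal-key.cred
# systemd decrypts the TPM2-bound credential at unit start and exposes the
# plaintext as $CREDENTIALS_DIRECTORY/unseal-key on a private tmpfs.
set -eu

: "${BAO_ADDR:=https://127.0.0.1:8200}"
export BAO_ADDR

# Location of the decrypted unseal key inside the unit's credential directory.
unseal_key_path() {
  printf '%s/unseal-key\n' "${CREDENTIALS_DIRECTORY:?must run under systemd with credentials}"
}

# Extract the "sealed" field from `bao status -format=json`.
# Prints true or false; returns 1 when the field is absent (for example when
# the server was unreachable and the output is empty).
sealed_from_status_json() {
  case "$1" in
    *'"sealed": true'*|*'"sealed":true'*)   echo true ;;
    *'"sealed": false'*|*'"sealed":false'*) echo false ;;
    *) return 1 ;;
  esac
}

# `bao status` exits 2 when the server is sealed, so its exit code cannot be
# used under `set -e`; decide from the JSON body instead.
current_seal_state() {
  out=$(bao status -format=json 2>/dev/null || true)
  sealed_from_status_json "$out"
}

# Submit the key on stdin rather than as an argument, so it never appears in
# /proc/*/cmdline or in the journal. A newline is appended because the CLI
# reads exactly one line from stdin when no key argument is given.
unseal_from_credential() {
  key_file=$(unseal_key_path)
  if [ ! -r "$key_file" ]; then
    echo "unseal key credential not found: $key_file" >&2
    return 1
  fi
  { cat "$key_file"; echo; } | bao operator unseal >/dev/null
}

main() {
  # Trust the listener's own certificate, loaded as the "cert.pem" credential
  # (assumption: it is self-signed).
  export BAO_CACERT="${BAO_CACERT:-${CREDENTIALS_DIRECTORY:?}/cert.pem}"

  state=$(current_seal_state) || {
    echo "cannot read seal status from $BAO_ADDR" >&2
    return 1
  }
  if [ "$state" = false ]; then
    echo "openbao is already unsealed"
    return 0
  fi

  unseal_from_credential

  # Verify rather than trust the unseal command's exit status.
  state=$(current_seal_state) || state=unknown
  if [ "$state" != false ]; then
    echo "openbao is still sealed after submitting the credential" >&2
    return 1
  fi
  echo "openbao unsealed"
}

# Only act when invoked with "run" (ExecStartPost=... run); otherwise the
# file just defines the functions and can be exercised without a server.
if [ "${1:-}" = run ]; then
  main
fi
```

Invoke it as ExecStartPost=/path/to/openbao-unseal.sh run from the same unit, so it sees the unit's CREDENTIALS_DIRECTORY. Reading the seal state back after submitting the key is deliberate: with a multi-share Shamir configuration a single key only raises the progress counter, and the hook should fail loudly rather than report success.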

Setup

For initial setup and configuration instructions, see:

  • Auto-unseal setup: /docs/vault/auto-unseal.md
  • Terraform configuration: /terraform/vault/README.md

Usage

# Check seal status (exit status 0 = unsealed, 2 = sealed, 1 = error)
bao status

# Manually seal (for maintenance). Requires a root token or one with sudo
# capability on sys/seal; the server then stays sealed until the unit restarts.
bao operator seal

# The unit unseals itself on start; confirm with bao status afterwards
systemctl restart openbao
bao status