nixos-servers/services/vault/default.nix
Torjus Håkestad 39fa38534e
vault: add auto-unseal
2026-02-01 23:55:45 +01:00


{ pkgs, ... }:
let
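unsealScript = pkgs.writeShellApplication {
  name = "openbao-unseal";
  runtimeInputs = with pkgs; [ openbao coreutils gnugrep ];
  # Runs as ExecStartPost of openbao.service: waits for the server to answer on
  # its Unix socket, then feeds it the unseal key shares that systemd decrypted
  # into $CREDENTIALS_DIRECTORY/unseal-key (one share per line).
  #
  # writeShellApplication prepends `set -o errexit -o nounset -o pipefail`, so
  # every command whose non-zero exit is expected (a sealed `bao status`, a
  # rejected share) has to be guarded, or the unit start fails.  All "could not
  # unseal" outcomes deliberately exit 0: the server keeps running sealed and can
  # be unsealed by hand instead of the unit flapping.
  text = ''
    # Talk to the server over the local Unix socket rather than the TLS TCP listener.
    export BAO_ADDR='unix:///run/openbao/openbao.sock'

    # Resolve the credential path up front; with `:-` the script reports a
    # missing credential instead of dying on nounset when run outside systemd.
    unseal_key_file="''${CREDENTIALS_DIRECTORY:-}/unseal-key"

    # `bao status` (like `vault status`) exits non-zero while the server is
    # sealed.  Under `pipefail` that makes `bao status | grep` false even when
    # grep matches, so capture the output first and inspect it separately;
    # `|| true` keeps errexit quiet while the server is still starting.
    bao_status() {
      bao status 2>&1 || true
    }

    is_unsealed() {
      bao_status | grep -q "Sealed.*false"
    }

    # Wait (up to 30 s) until the status output looks like a real answer.
    echo "Waiting for OpenBao to be ready..."
    ready=0
    for _ in {1..30}; do
      if bao_status | grep -qE "(Sealed|Initialized)"; then
        echo "OpenBao is ready"
        ready=1
        break
      fi
      sleep 1
    done
    if [ "$ready" -ne 1 ]; then
      echo "WARNING: OpenBao did not become ready within 30s, OpenBao remains sealed"
      exit 0
    fi

    if is_unsealed; then
      echo "OpenBao is already unsealed"
      exit 0
    fi

    if [ ! -f "$unseal_key_file" ]; then
      echo "WARNING: Unseal key credential not found, OpenBao remains sealed"
      exit 0
    fi

    echo "Unsealing OpenBao..."
    # `|| [ -n "$key" ]` keeps a final line that has no trailing newline, which
    # plain `read` would otherwise drop.
    while IFS= read -r key || [ -n "$key" ]; do
      # Skip empty lines
      [ -z "$key" ] && continue
      echo "Applying unseal key..."
      # NOTE(review): the share is passed on the command line and is therefore
      # visible in /proc/<pid>/cmdline to other local users for the duration of
      # the call; if the installed `bao operator unseal` accepts the key on
      # stdin, prefer that.
      # A rejected share must not abort the script under errexit: report it and
      # try the remaining shares.
      if ! bao operator unseal "$key"; then
        echo "WARNING: OpenBao rejected an unseal key share"
      fi
      # Check if unsealed after each key
      if is_unsealed; then
        echo "OpenBao unsealed successfully"
        exit 0
      fi
    done < "$unseal_key_file"
    echo "WARNING: Applied all keys but OpenBao is still sealed"
    exit 0
  '';
};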
in
{
  # OpenBao server: a TLS TCP listener for clients plus a local Unix socket
  # that the auto-unseal helper uses.
  services.openbao = {
    enable = true;
    settings = {
      ui = true;
      storage = {
        file.path = "/var/lib/openbao";
      };
      listener = {
        default = {
          type = "tcp";
          address = "0.0.0.0:8200";
          # Paths under /run/credentials/openbao.service/ are where systemd
          # exposes the LoadCredential entries declared below.
          tls_cert_file = "/run/credentials/openbao.service/cert.pem";
          tls_key_file = "/run/credentials/openbao.service/key.pem";
        };
        # Local socket with no TLS configured; used by the unseal script.
        # NOTE(review): socket_mode/socket_user are not set, so the listener's
        # defaults decide which local users can reach the API here — confirm.
        socket = {
          type = "unix";
          address = "/run/openbao/openbao.sock";
        };
      };
    };
  };

  systemd.services.openbao = {
    serviceConfig = {
      # TLS material lives in the storage directory and is handed to the
      # service as systemd credentials (see tls_cert_file/tls_key_file above).
      LoadCredential = [
        "key.pem:/var/lib/openbao/key.pem"
        "cert.pem:/var/lib/openbao/cert.pem"
      ];
      # TPM2-encrypted unseal key (created manually, see setup instructions);
      # systemd decrypts it into $CREDENTIALS_DIRECTORY/unseal-key, which is
      # the path the unseal script reads.
      LoadCredentialEncrypted = [
        "unseal-key:/var/lib/openbao/unseal-key.cred"
      ];
      # Auto-unseal on service start
      ExecStartPost = "${unsealScript}/bin/openbao-unseal";
    };
  };
}