# OpenBao Service Module
NixOS service module for OpenBao (open-source Vault fork) with TPM2-based auto-unsealing.
## Features

- TLS-enabled TCP listener on `0.0.0.0:8200`
- Unix socket listener at `/run/openbao/openbao.sock`
- File-based storage at `/var/lib/openbao`
- TPM2 auto-unseal on service start

## Configuration
The module expects:

- TLS certificate: `/var/lib/openbao/cert.pem`
- TLS private key: `/var/lib/openbao/key.pem`
- TPM2-encrypted unseal key: `/var/lib/openbao/unseal-key.cred`

Certificates are loaded via systemd `LoadCredential`, and the unseal key via `LoadCredentialEncrypted`.
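
As an added illustration (this is not the module's own code), the following NixOS snippet shows how the three files listed above can be handed to the OpenBao unit through systemd credentials: the certificate and key via `LoadCredential`, and the TPM2-sealed unseal key via `LoadCredentialEncrypted`, which systemd decrypts into the unit's memory-backed `$CREDENTIALS_DIRECTORY` at start. The package attribute `pkgs.openbao`, the unit name `openbao.service`, the credential name `unseal-key`, the use of the Unix socket for the local unseal call, and `bao operator unseal -` reading the key from stdin are assumptions, not taken from this README.

```nix
# Added example, not the module's own code. Assumptions (not from the README):
# `pkgs.openbao`, the unit name `openbao.service`, the credential name
# `unseal-key`, and that `bao operator unseal -` reads the key from stdin.
{ config, lib, pkgs, ... }:
let
  # Directory where systemd exposes LoadCredential files to this unit.
  credDir = "/run/credentials/openbao.service";

  # Constructed server config matching the listeners and storage named above.
  baoConfig = pkgs.writeText "openbao.hcl" ''
    listener "tcp" {
      address       = "0.0.0.0:8200"
      tls_cert_file = "${credDir}/cert.pem"
      tls_key_file  = "${credDir}/key.pem"
    }
    listener "unix" {
      address = "/run/openbao/openbao.sock"
    }
    storage "file" {
      path = "/var/lib/openbao"
    }
  '';

  # Unseal step run after the server process starts. The key is piped on stdin
  # so it never appears in process arguments (/proc/<pid>/cmdline is readable
  # by other users on the host).
  unsealScript = pkgs.writeShellScript "openbao-unseal" ''
    # Assumption: the local Unix socket is used for the unseal call.
    export BAO_ADDR=unix:///run/openbao/openbao.sock

    # Wait until the API answers. `bao status` exits 0 when unsealed and
    # 2 when sealed; anything else means the listener is not up yet.
    for _ in $(seq 1 30); do
      ${pkgs.openbao}/bin/bao status >/dev/null 2>&1
      case $? in
        0) exit 0 ;;   # already unsealed, nothing to do
        2) break ;;    # sealed and reachable, proceed
      esac
      sleep 1
    done

    # $CREDENTIALS_DIRECTORY is set by systemd; the decrypted unseal key exists
    # only there, on a tmpfs private to this unit, never on persistent disk.
    ${pkgs.openbao}/bin/bao operator unseal - < "$CREDENTIALS_DIRECTORY/unseal-key"
  '';
in
{
  systemd.services.openbao = {
    description = "OpenBao secrets manager";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      ExecStart = "${pkgs.openbao}/bin/bao server -config=${baoConfig}";
      ExecStartPost = unsealScript;

      # Plaintext files copied by systemd (as root) into $CREDENTIALS_DIRECTORY,
      # readable only by this unit regardless of their on-disk ownership.
      LoadCredential = [
        "cert.pem:/var/lib/openbao/cert.pem"
        "key.pem:/var/lib/openbao/key.pem"
      ];

      # TPM2-sealed blob (produced with `systemd-creds encrypt --with-key=tpm2`).
      # systemd unseals it against the TPM at unit start, so the clear key is
      # bound to this machine and never stored on disk.
      LoadCredentialEncrypted = [ "unseal-key:/var/lib/openbao/unseal-key.cred" ];

      RuntimeDirectory = "openbao";   # provides /run/openbao for the Unix socket
      StateDirectory = "openbao";     # provides /var/lib/openbao for file storage
      DynamicUser = true;             # no long-lived service account needed
      NoNewPrivileges = true;
      ProtectSystem = "strict";
    };
  };
}
```

Because the encrypted credential is bound to the TPM2 of the host that sealed it, copying `unseal-key.cred` to another machine does not yield a usable key there; the same property means the file must be re-created after a TPM reset or hardware replacement.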
## Setup
For initial setup and configuration instructions, see:

- **Auto-unseal setup**: `/docs/vault/auto-unseal.md`
- **Terraform configuration**: `/terraform/vault/README.md`

## Usage
```bash
# Check seal status
bao status

# Manually seal (for maintenance)
bao operator seal

# Service will auto-unseal on restart
systemctl restart openbao
```