Torjus Håkestad
c694b9889a
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m16s
115 lines
3.1 KiB
Nix
115 lines
3.1 KiB
Nix
{ pkgs, ... }:
|
|
let
|
|
unsealScript = pkgs.writeShellApplication {
|
|
name = "openbao-unseal";
|
|
runtimeInputs = with pkgs; [
|
|
openbao
|
|
coreutils
|
|
gnugrep
|
|
getent
|
|
];
|
|
text = ''
|
|
# Set environment to use Unix socket
|
|
export BAO_ADDR='unix:///run/openbao/openbao.sock'
|
|
SOCKET_PATH="/run/openbao/openbao.sock"
|
|
CREDS_DIR="''${CREDENTIALS_DIRECTORY:-}"
|
|
|
|
# Wait for socket to exist
|
|
echo "Waiting for OpenBao socket..."
|
|
for _ in {1..30}; do
|
|
if [ -S "$SOCKET_PATH" ]; then
|
|
echo "Socket exists"
|
|
break
|
|
fi
|
|
sleep 1
|
|
done
|
|
|
|
# Wait for OpenBao to accept connections
|
|
echo "Waiting for OpenBao to be ready..."
|
|
for _ in {1..30}; do
|
|
output=$(timeout 2 bao status 2>&1 || true)
|
|
|
|
if echo "$output" | grep -q "Sealed.*false"; then
|
|
# Already unsealed
|
|
echo "OpenBao is already unsealed"
|
|
exit 0
|
|
elif echo "$output" | grep -qE "(Sealed|Initialized)"; then
|
|
# Got a valid response, OpenBao is ready (sealed)
|
|
echo "OpenBao is ready"
|
|
break
|
|
fi
|
|
|
|
sleep 1
|
|
done
|
|
|
|
# Check if already unsealed
|
|
if output=$(timeout 2 bao status 2>&1 || true); then
|
|
if echo "$output" | grep -q "Sealed.*false"; then
|
|
echo "OpenBao is already unsealed"
|
|
exit 0
|
|
fi
|
|
fi
|
|
|
|
# Unseal using the TPM-decrypted keys (one per line)
|
|
if [ -n "$CREDS_DIR" ] && [ -f "$CREDS_DIR/unseal-key" ]; then
|
|
echo "Unsealing OpenBao..."
|
|
while IFS= read -r key; do
|
|
# Skip empty lines
|
|
[ -z "$key" ] && continue
|
|
|
|
echo "Applying unseal key..."
|
|
bao operator unseal "$key"
|
|
|
|
# Check if unsealed after each key
|
|
if output=$(timeout 2 bao status 2>&1 || true); then
|
|
if echo "$output" | grep -q "Sealed.*false"; then
|
|
echo "OpenBao unsealed successfully"
|
|
exit 0
|
|
fi
|
|
fi
|
|
done < "$CREDS_DIR/unseal-key"
|
|
|
|
echo "WARNING: Applied all keys but OpenBao is still sealed"
|
|
exit 0
|
|
else
|
|
echo "WARNING: Unseal key credential not found, OpenBao remains sealed"
|
|
exit 0
|
|
fi
|
|
'';
|
|
};
|
|
in
|
|
{
|
|
services.openbao = {
|
|
enable = true;
|
|
|
|
settings = {
|
|
ui = true;
|
|
|
|
storage.file.path = "/var/lib/openbao";
|
|
listener.default = {
|
|
type = "tcp";
|
|
address = "0.0.0.0:8200";
|
|
tls_cert_file = "/run/credentials/openbao.service/cert.pem";
|
|
tls_key_file = "/run/credentials/openbao.service/key.pem";
|
|
};
|
|
listener.socket = {
|
|
type = "unix";
|
|
address = "/run/openbao/openbao.sock";
|
|
};
|
|
};
|
|
};
|
|
|
|
systemd.services.openbao.serviceConfig = {
|
|
LoadCredential = [
|
|
"key.pem:/var/lib/openbao/key.pem"
|
|
"cert.pem:/var/lib/openbao/cert.pem"
|
|
];
|
|
# TPM2-encrypted unseal key (created manually, see setup instructions)
|
|
LoadCredentialEncrypted = [
|
|
"unseal-key:/var/lib/openbao/unseal-key.cred"
|
|
];
|
|
# Auto-unseal on service start
|
|
ExecStartPost = "${unsealScript}/bin/openbao-unseal";
|
|
};
|
|
}
|