torjus/nixos-servers
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
ccb1c3fe2e095e484e9231e9c6bcfba7ac6e5d04
nixos-servers/docs/plans/sops-to-openbao-migration.md
Torjus Håkestad 0700033c0a secrets: migrate all hosts from sops to OpenBao vault 
Replace sops-nix secrets with OpenBao vault secrets across all hosts.
Hardcode root password hash, add extractKey option to vault-secrets
module, update Terraform with secrets/policies for all hosts, and
create AppRole provisioning playbook.

Hosts migrated: ha1, monitoring01, ns1, ns2, http-proxy, nix-cache01
Wave 1 hosts (nats1, jelly01, pgdb1) get AppRole policies only.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 18:43:09 +01:00

2.4 KiB
Raw Blame History

Sops to OpenBao Secrets Migration Plan

Status: In Progress

Overview

Migrate all hosts from sops-nix secrets to OpenBao (vault) secrets management. Pilot with ha1, then roll out to remaining hosts in waves.

Pre-requisites (completed)

  1. Hardcoded root password hash in system/root-user.nix (removes sops dependency for all hosts)
  2. Added extractKey option to system/vault-secrets.nix (extracts single key as file)

Deployment Order

Pilot: ha1

  • Terraform: shared/backup/password secret, ha1 AppRole policy
  • Provision AppRole credentials via playbooks/provision-approle.yml
  • NixOS: vault.enable + backup-helper vault secret

Wave 1: nats1, jelly01, pgdb1

  • No service secrets (only root password, already handled)
  • Just need AppRole policies + credential provisioning

Wave 2: monitoring01

  • 3 secrets: backup password, nats nkey, pve-exporter config
  • Updates: alerttonotify.nix, pve.nix, configuration.nix

Wave 3: ns1, then ns2 (critical - deploy ns1 first, verify, then ns2)

  • DNS zone transfer key (shared/dns/xfer-key)

Wave 4: http-proxy

  • WireGuard private key

Wave 5: nix-cache01

  • Cache signing key + Gitea Actions token

Wave 6: ca (DEFERRED - waiting for PKI migration)

Skipped: auth01 (decommissioned)

Terraform variables needed

User must extract from sops and add to terraform/vault/terraform.tfvars:

Variable Source
backup_helper_secret sops -d secrets/secrets.yaml
ns_xfer_key sops -d secrets/secrets.yaml
nats_nkey sops -d secrets/secrets.yaml
pve_exporter_config sops -d secrets/monitoring01/pve-exporter.yaml
wireguard_private_key sops -d secrets/http-proxy/wireguard.yaml
cache_signing_key sops -d secrets/nix-cache01/cache-secret
actions_token_1 sops -d secrets/nix-cache01/actions_token_1

Provisioning AppRole credentials

export BAO_ADDR='https://vault01.home.2rjus.net:8200'
export BAO_TOKEN='<root-token>'
nix develop -c ansible-playbook playbooks/provision-approle.yml -e hostname=<host>

Verification (per host)

  1. systemctl status vault-secret-* - all secret fetch services succeeded
  2. Check secret files exist at expected paths with correct permissions
  3. Verify dependent services are running
  4. Check /var/lib/vault/cache/ is populated (fallback ready)
  5. Reboot host to verify boot-time secret fetching works
Reference in New Issue View Git Blame Copy Permalink