nixos-servers/services/vault
Torjus Håkestad 3cccfc0487
Some checks failed
Run nix flake check / flake-check (push) Failing after 7m36s
monitoring: implement monitoring gaps coverage
Add exporters and scrape targets for services lacking monitoring:
- PostgreSQL: postgres-exporter on pgdb1
- Authelia: native telemetry metrics on auth01
- Unbound: unbound-exporter with remote-control on ns1/ns2
- NATS: HTTP monitoring endpoint on nats1
- OpenBao: telemetry config and Prometheus scrape with token auth
- Systemd: systemd-exporter on all hosts for per-service metrics

Add alert rules for postgres, auth (authelia + lldap), jellyfin,
vault (openbao), plus extend existing nats and unbound rules.

Add Terraform config for Prometheus metrics policy and token. The
token is created via vault_token resource and stored in KV, so no
manual token creation is needed.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 21:44:13 +01:00

OpenBao Service Module

NixOS service module for OpenBao (open-source Vault fork) with TPM2-based auto-unsealing.

Features

  • TLS-enabled TCP listener on 0.0.0.0:8200
  • Unix socket listener at /run/openbao/openbao.sock
  • File-based storage at /var/lib/openbao
  • TPM2 auto-unseal on service start

Configuration

The module expects:

  • TLS certificate: /var/lib/openbao/cert.pem
  • TLS private key: /var/lib/openbao/key.pem
  • TPM2-encrypted unseal key: /var/lib/openbao/unseal-key.cred

The TLS certificate and private key are passed to the service via systemd LoadCredential, and the TPM2-encrypted unseal key via LoadCredentialEncrypted.
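The following NixOS unit is an added example, not this repository's module, showing how the three files listed above can be handed to OpenBao as systemd credentials so that the server process never reads key material from /var/lib/openbao directly. The unit name (openbao.service), the openbao user, the server config layout and the post-start unseal step are assumptions; the paths and listeners are the ones described on this page.

```nix
# Added example (not this repository's module): a NixOS unit wiring the three
# files from the Configuration section into OpenBao as systemd credentials.
# Unit name, user, config layout and the post-start unseal are assumptions.
{ config, pkgs, lib, ... }:

let
  # systemd exposes loaded credentials under /run/credentials/<unit>/ and also
  # exports that path as $CREDENTIALS_DIRECTORY to the unit's Exec* commands.
  credDir = "/run/credentials/openbao.service";

  # Server config mirroring the listeners and storage listed under Features.
  # The cert/key are read from the credentials directory, not from /var/lib.
  serverConfig = pkgs.writeText "openbao.hcl" ''
    listener "tcp" {
      address       = "0.0.0.0:8200"
      tls_cert_file = "${credDir}/cert.pem"
      tls_key_file  = "${credDir}/key.pem"
    }

    listener "unix" {
      address = "/run/openbao/openbao.sock"
    }

    storage "file" {
      path = "/var/lib/openbao"
    }

    api_addr = "https://127.0.0.1:8200"
  '';
in
{
  users.users.openbao = { isSystemUser = true; group = "openbao"; };
  users.groups.openbao = { };

  systemd.services.openbao = {
    description = "OpenBao server with TPM2 auto-unseal";
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      User = "openbao";
      Group = "openbao";
      ExecStart = "${pkgs.openbao}/bin/bao server -config=${serverConfig}";

      # Plain credentials: systemd (as root) copies the source files into the
      # per-unit credentials directory, so the sources can stay root:root 0400
      # and the openbao user never opens key material in /var/lib itself.
      LoadCredential = [
        "cert.pem:/var/lib/openbao/cert.pem"
        "key.pem:/var/lib/openbao/key.pem"
      ];
      # Encrypted credential: systemd decrypts the .cred blob with the TPM2 at
      # unit start; the plaintext exists only in the credentials tmpfs.
      LoadCredentialEncrypted = [
        "unseal-key:/var/lib/openbao/unseal-key.cred"
      ];

      # Directories the server needs even with ProtectSystem=strict.
      StateDirectory = "openbao";
      RuntimeDirectory = "openbao";

      # bao locks memory to keep secrets out of swap; grant only that capability.
      AmbientCapabilities = [ "CAP_IPC_LOCK" ];
      CapabilityBoundingSet = [ "CAP_IPC_LOCK" ];
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      NoNewPrivileges = true;
    };

    # Feed the decrypted unseal key on stdin once the API answers, so the key
    # never appears in process arguments or in the journal.
    postStart = ''
      export BAO_ADDR=https://127.0.0.1:8200
      # Assumption: the listener certificate is self-signed and covers
      # 127.0.0.1, so it doubles as the CA for this local check.
      export BAO_CACERT=$CREDENTIALS_DIRECTORY/cert.pem
      # `bao status` exits 0 when unsealed, 2 when sealed, 1 while unreachable.
      rc=1
      tries=0
      while [ "$tries" -lt 30 ]; do
        ${pkgs.openbao}/bin/bao status >/dev/null 2>&1 && rc=0 || rc=$?
        if [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ]; then break; fi
        tries=$((tries + 1))
        sleep 1
      done
      if [ "$rc" -eq 2 ]; then
        ${pkgs.openbao}/bin/bao operator unseal < "$CREDENTIALS_DIRECTORY/unseal-key"
      fi
    '';
  };
}
```

The point of routing everything through LoadCredential is separation of duties on disk: the source files under /var/lib/openbao can be owned by root with mode 0400, since systemd reads them before dropping to the openbao user, and the decrypted unseal key only ever lives in the unit's private credentials directory, which disappears when the unit stops. Reading the key from stdin rather than passing it as an argument keeps it out of `ps` output and the journal.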

Setup

For initial setup and configuration instructions, see:

  • Auto-unseal setup: /docs/vault/auto-unseal.md
  • Terraform configuration: /terraform/vault/README.md

Usage

# Check seal status
bao status

# Manually seal (for maintenance)
bao operator seal

# Service will auto-unseal on restart
systemctl restart openbao