Torjus Håkestad
fd24ec4a8d
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m16s
60 lines
1.8 KiB
Nix
60 lines
1.8 KiB
Nix
{ pkgs, ... }:
|
|
{
|
|
services.openbao = {
|
|
enable = true;
|
|
|
|
settings = {
|
|
ui = true;
|
|
|
|
storage.file.path = "/var/lib/openbao";
|
|
listener.default = {
|
|
type = "tcp";
|
|
address = "0.0.0.0:8200";
|
|
tls_cert_file = "/run/credentials/openbao.service/cert.pem";
|
|
tls_key_file = "/run/credentials/openbao.service/key.pem";
|
|
};
|
|
listener.socket = {
|
|
type = "unix";
|
|
address = "/run/openbao/openbao.sock";
|
|
};
|
|
};
|
|
};
|
|
|
|
systemd.services.openbao = {
|
|
serviceConfig = {
|
|
LoadCredential = [
|
|
"key.pem:/var/lib/openbao/key.pem"
|
|
"cert.pem:/var/lib/openbao/cert.pem"
|
|
];
|
|
# TPM2-encrypted unseal key (created manually, see setup instructions)
|
|
LoadCredentialEncrypted = [
|
|
"unseal-key:/var/lib/openbao/unseal-key.cred"
|
|
];
|
|
};
|
|
|
|
# Auto-unseal on service start
|
|
postStart = ''
|
|
# Wait for OpenBao to be ready and sealed
|
|
echo "Waiting for OpenBao to be ready..."
|
|
for i in {1..30}; do
|
|
if ${pkgs.curl}/bin/curl -sk https://127.0.0.1:8200/v1/sys/health 2>/dev/null | ${pkgs.jq}/bin/jq -e '.sealed == true' >/dev/null 2>&1; then
|
|
echo "OpenBao is ready and sealed, proceeding with unseal"
|
|
break
|
|
fi
|
|
sleep 1
|
|
done
|
|
|
|
# Unseal using the TPM-decrypted key
|
|
if [ -f "$CREDENTIALS_DIRECTORY/unseal-key" ]; then
|
|
echo "Unsealing OpenBao..."
|
|
UNSEAL_KEY=$(cat "$CREDENTIALS_DIRECTORY/unseal-key")
|
|
${pkgs.openbao}/bin/bao operator unseal -address=https://127.0.0.1:8200 -tls-skip-verify "$UNSEAL_KEY"
|
|
echo "OpenBao unsealed successfully"
|
|
else
|
|
echo "WARNING: Unseal key credential not found, OpenBao remains sealed"
|
|
exit 0 # Don't fail the service, just log the warning
|
|
fi
|
|
'';
|
|
};
|
|
}
|