From 07d87070f183b40e179404250148e4ad1257bd73 Mon Sep 17 00:00:00 2001
From: "RingOfStorms (Joshua Bell)"
Date: Tue, 6 Jan 2026 21:07:49 -0600
Subject: [PATCH] idk more stuff

---
 flakes/secrets-bao/flake.nix | 46 +++++++++++++++-
 flakes/secrets-bao/nixos-module.nix | 83 ++++++++++++++++-------------
 hosts/juni/flake.nix | 2 +-
 3 files changed, 91 insertions(+), 40 deletions(-)

diff --git a/flakes/secrets-bao/flake.nix b/flakes/secrets-bao/flake.nix
index 47347336..17477147 100644
--- a/flakes/secrets-bao/flake.nix
+++ b/flakes/secrets-bao/flake.nix
@@ -18,6 +18,27 @@
 else value;
+ deepMerge = a: b:
+ if builtins.isAttrs a && builtins.isAttrs b then
+ builtins.foldl'
+ (acc: key:
+ let
+ newVal = builtins.getAttr key b;
+ mergedVal =
+ if builtins.hasAttr key acc then
+ deepMerge (builtins.getAttr key acc) newVal
+ else
+ newVal;
+ in
+ acc // (builtins.listToAttrs [ { name = key; value = mergedVal; } ])
+ )
+ a
+ (builtins.attrNames b)
+ else if builtins.isList a && builtins.isList b then
+ a ++ b
+ else
+ b;
 fragments = builtins.attrValues (builtins.mapAttrs (
 name: s:
 let
@@ -26,7 +47,7 @@
 substitute secretPath (s.configChanges or { })
 ) secrets);
 in
- builtins.foldl' (acc: v: acc // v) { } fragments;
+ builtins.foldl' deepMerge { } fragments;
 applyHmChanges = secrets:
 let
@@ -40,6 +61,27 @@
 else value;
+ deepMerge = a: b:
+ if builtins.isAttrs a && builtins.isAttrs b then
+ builtins.foldl'
+ (acc: key:
+ let
+ newVal = builtins.getAttr key b;
+ mergedVal =
+ if builtins.hasAttr key acc then
+ deepMerge (builtins.getAttr key acc) newVal
+ else
+ newVal;
+ in
+ acc // (builtins.listToAttrs [ { name = key; value = mergedVal; } ])
+ )
+ a
+ (builtins.attrNames b)
+ else if builtins.isList a && builtins.isList b then
+ a ++ b
+ else
+ b;
 fragments = builtins.attrValues (builtins.mapAttrs (
 name: s:
 let
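Review bot: `deepMerge` is defined twice, here and again verbatim in the hunk at `@@ -40,6 +61,27 @@`, so the two copies can silently drift apart; hoisting a single definition into an enclosing `let` shared by `applyHmChanges` and the sibling helper whose header sits above this hunk removes the duplication. The per-key update `acc // (builtins.listToAttrs [ { name = key; value = mergedVal; } ])` is the long form of `acc // { ${key} = mergedVal; }`. The list branch `a ++ b` concatenates without deduplication, so two secrets contributing the same element to a list option now yield it twice where the old `acc // v` fold let the last fragment win; a one-line comment such as `# lists are concatenated (no dedup); attrsets are merged recursively; anything else: b wins` would make that contract visible to whoever adds the next secret.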
@@ -48,7 +90,7 @@
 substitute secretPath (s.hmChanges or { })
 ) secrets);
- merged = builtins.foldl' (acc: v: acc // v) { } fragments;
+ merged = builtins.foldl' deepMerge { } fragments;
 in
 if merged == { } then
 { }
diff --git a/flakes/secrets-bao/nixos-module.nix b/flakes/secrets-bao/nixos-module.nix
index acac7a8f..48cc681d 100644
--- a/flakes/secrets-bao/nixos-module.nix
+++ b/flakes/secrets-bao/nixos-module.nix
@@ -390,6 +390,12 @@ in
 default = "/run/openbao/vault-agent.token";
 };
+ vaultAgentLogLevel = lib.mkOption {
+ type = lib.types.str;
+ default = "info";
+ description = "Log level for `bao agent` (debug is very noisy).";
+ };
+ secrets = lib.mkOption {
 type = lib.types.attrsOf (
 lib.types.submodule (
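Review bot: `vaultAgentLogLevel` is typed `lib.types.str`, so a misspelling such as "warning" evaluates fine and only fails when `bao agent` starts, where the hunk at `@@ -660,7 +669,7 @@` interpolates it into `ExecStart`. An enum rejects it at evaluation time: `type = lib.types.enum [ "trace" "debug" "info" "warn" "error" ];` — confirm that list against the agent's own `-log-level` help text before adopting it. With the value constrained that way the `lib.escapeShellArg` in the ExecStart line becomes unnecessary; it is also worth noting that `ExecStart=` is unquoted by systemd's own parser rather than a shell, so shell escaping is only coincidentally compatible there, and nixpkgs' `lib.escapeSystemdExecArgs` is the matching helper if escaping is kept.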
@@ -502,42 +508,40 @@ in
 } ) cfg.secrets;
- systemd.services = lib.mkMerge [
- (
- lib.mkMerge (
- lib.concatLists (
- lib.mapAttrsToList (
- secretName: secret:
- map (
- svc:
- {
- systemd.services.${svc} = {
- unitConfig.ConditionPathExists = secret.path;
- wants = lib.mkAfter [ "openbao-secret-${secretName}.path" ];
- after = lib.mkAfter [ "openbao-secret-${secretName}.path" ];
- };
- }
- ) secret.hardDepend
- ) cfg.secrets
- )
- )
- )
- {
- systemd.timers.zitadel-mint-jwt = {
- description = "Refresh Zitadel JWT for OpenBao";
- wantedBy = [ "timers.target" ];
- timerConfig = {
- OnBootSec = "30s";
- OnUnitActiveSec = "2m";
- Unit = "zitadel-mint-jwt.service";
- };
- };
+ systemd.timers.zitadel-mint-jwt = {
+ description = "Refresh Zitadel JWT for OpenBao";
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnBootSec = "1min";
+ OnUnitActiveSec = "10min";
+ Unit = "zitadel-mint-jwt.service";
+ };
+ };
+ systemd.services = lib.mkMerge [
+ (
+ lib.mkMerge (
+ lib.concatLists (
+ lib.mapAttrsToList (
+ secretName: secret:
+ map (
+ svc: {
+ ${svc} = {
+ unitConfig.ConditionPathExists = secret.path;
+ wants = lib.mkAfter [ "openbao-secret-${secretName}.path" ];
+ after = lib.mkAfter [ "openbao-secret-${secretName}.path" ];
+ };
+ }
+ ) secret.hardDepend
+ ) cfg.secrets
+ )
+ )
+ )
+ {
+ zitadel-mint-jwt = {
+ description = "Mint Zitadel access token (JWT) for OpenBao";
- zitadel-mint-jwt = {
- description = "Mint Zitadel access token (JWT) for OpenBao";
- after = [ "network-online.target" "nss-lookup.target"
@@ -634,7 +638,12 @@ in
 trap '${pkgs.coreutils}/bin/rm -f "$tmp"' EXIT
 ${pkgs.coreutils}/bin/printf '%s' "$jwt" > "$tmp"
- # In-place update so the agent's file watcher sees changes.
+ if [ -s "${cfg.zitadelJwtPath}" ] && ${pkgs.coreutils}/bin/cmp -s "$tmp" "${cfg.zitadelJwtPath}"; then
+ echo "zitadel-mint-jwt: token unchanged; skipping" >&2
+ exit 0
+ fi
+
+ # Update the token file (the agent watches it).
 ${pkgs.coreutils}/bin/cat "$tmp" > "${cfg.zitadelJwtPath}"
 ${pkgs.coreutils}/bin/chmod 0400 "${cfg.zitadelJwtPath}" || true
 '';
@@ -660,7 +669,7 @@ in
 RestartSec = "10s";
 TimeoutStartSec = "30s";
 UMask = "0077";
- ExecStart = "${pkgs.openbao}/bin/bao agent -log-level=debug -config=${mkAgentConfig}";
+ ExecStart = "${pkgs.openbao}/bin/bao agent -log-level=${lib.escapeShellArg cfg.vaultAgentLogLevel} -config=${mkAgentConfig}";
 };
 };
 }
@@ -693,14 +702,14 @@ in
 ${lib.concatStringsSep "\n" (
 map (svc: ''
 echo "Trying restart of ${svc} due to secret ${name}" >&2
- systemctl try-restart ${lib.escapeShellArg (svc + ".service")} || true
+ systemctl try-restart --no-block ${lib.escapeShellArg (svc + ".service")} || true
 '') secret.softDepend
 )}
 ${lib.concatStringsSep "\n" (
 map (svc: ''
 echo "Starting ${svc} due to secret ${name}" >&2
- systemctl start ${lib.escapeShellArg (svc + ".service")} || true
+ systemctl start --no-block ${lib.escapeShellArg (svc + ".service")} || true
 '') secret.hardDepend
 )}
 '';
diff --git a/hosts/juni/flake.nix b/hosts/juni/flake.nix
index 286c37fd..0f52c6ac 100644
--- a/hosts/juni/flake.nix
+++ b/hosts/juni/flake.nix
@@ -139,7 +139,7 @@ nix2bitbucket = {
 owner = "josh";
 group = "users";
- hmChanges.programs.ssh.matchBlocks."bitbucket.com".identityFile = "$SECRET_PATH";
+ hmChanges.programs.ssh.matchBlocks."bitbucket.org".identityFile = "$SECRET_PATH";
 };
 nix2gitforgejo = {
 owner = "josh";
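Review bot: The new `exit 0` on an unchanged token bypasses the `chmod 0400` a few lines below, so a token file that currently has looser permissions keeps them on every subsequent run; since that chmod is already best-effort (`|| true`), a file that once escaped it is never tightened again. Moving `${pkgs.coreutils}/bin/chmod 0400 "${cfg.zitadelJwtPath}" || true` above the `cmp` check, or repeating it inside the `if` before `exit 0`, keeps the permission fix unconditional. The write `cat "$tmp" > "${cfg.zitadelJwtPath}"` truncates before it fills, so a reader racing the update can briefly observe an empty token; the removed comment recorded that the in-place write is deliberate for the agent's watcher, and the replacement should keep that rationale, e.g. `# Written in place (not renamed over) so the agent's file watcher sees the change; readers may briefly see a partial file.`. The script's enclosing string and service definition start and end outside the hunk.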
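Review bot: With `--no-block` on both `systemctl` lines the `|| true` now only masks a failure to enqueue the job, and a dependent unit that fails to come up with the new secret is no longer observable from this hook at all; that matches the previous behaviour in effect (the status was already discarded), but the preceding `echo "Trying restart of ${svc} …"` and `echo "Starting ${svc} …"` messages now describe a queued job rather than a completed one, so wording such as `echo "Queued restart of ${svc} due to secret ${name}" >&2` would be accurate. If `--no-block` was added to avoid waiting on a unit that is itself ordered after this hook, a comment recording that (`# --no-block: the restarted unit may order after this hook, so do not wait on it`) would preserve the reason; whether such an ordering exists cannot be seen from the hunk. The hook's enclosing string and function start outside the hunk.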