Persist OpenBao secrets in /var/lib and make readiness non-blocking

2026-01-27 17:28:39 -06:00 · 2026-01-27 17:28:39 -06:00 · 15fccd2ff4
commit 15fccd2ff4
parent 8b54a94c54
6 changed files with 123 additions and 85 deletions
--- a/hosts/h001/flake.nix
+++ b/hosts/h001/flake.nix
@ -90,7 +90,7 @@
                      owner = "root";
                      group = "root";
                      mode = "0400";
-                      path = "/run/secrets/litellm.env";
+                      # Uses default: /var/lib/openbao-secrets/litellm-env
                      softDepend = [ "litellm" ];
                      template = ''
                        {{- with secret "kv/data/machines/home/openrouter" -}}
--- a/hosts/h001/mods/litellm.nix
+++ b/hosts/h001/mods/litellm.nix
@ -29,7 +29,7 @@ in
      host = "0.0.0.0";
      openFirewall = false;
      package = pkgsLitellm.litellm;
-      environmentFile = "/run/secrets/litellm.env";
+      environmentFile = "/var/lib/openbao-secrets/litellm-env";
      environment = {
        SCARF_NO_ANALYTICS = "True";
        DO_NOT_TRACK = "True";
--- a/hosts/juni/flake.nix
+++ b/hosts/juni/flake.nix
@ -349,7 +349,7 @@
                          exit 0
                        fi

-                        secret="/run/secrets/atuin-key-josh"
+                        secret="/var/lib/openbao-secrets/atuin-key-josh"
                        if [ ! -s "$secret" ]; then
                          echo "Missing atuin secret at $secret" >&2
                          exit 1
--- a/hosts/juni/impermanence.nix
+++ b/hosts/juni/impermanence.nix
@ -27,7 +27,7 @@

      # bao secrets
      "/run/openbao"
-      "/run/secrets"
+      "/var/lib/openbao-secrets"
    ];
    files = [
      "/machine-key.json"