attempt auto unseal
This commit is contained in:
RingOfStorms (Joshua Bell)
parent
d62320be32
commit
1b4a53b10e
1 changed files with 68 additions and 4 deletions
|
|
@ -1,10 +1,12 @@
|
||||||
{
|
{
|
||||||
|
config,
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
{
|
{
|
||||||
environment.variables = {
|
environment.variables = {
|
||||||
BAO_ADDR = "http://localhost:8200";
|
# For CLI
|
||||||
|
BAO_ADDR = "http://127.0.0.1:8200";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
|
|
@ -46,9 +48,9 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
# Ensure the data directory exists with proper permissions
|
# Ensure the data directory exists with proper permissions
|
||||||
systemd.tmpfiles.rules = [
|
# systemd.tmpfiles.rules = [
|
||||||
"d /var/lib/openbao 0700 openbao openbao - -"
|
# "d /var/lib/openbao 0700 openbao openbao - -"
|
||||||
];
|
# ];
|
||||||
|
|
||||||
# Additional systemd service hardening
|
# Additional systemd service hardening
|
||||||
systemd.services.openbao = {
|
systemd.services.openbao = {
|
||||||
|
|
@ -65,4 +67,66 @@
|
||||||
LimitNPROC = 4096;
|
LimitNPROC = 4096;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# AUTO UNSEAL
|
||||||
|
systemd.services.openbao-auto-unseal = {
|
||||||
|
description = "Auto-unseal OpenBao using stored unseal key shares";
|
||||||
|
after = [ "openbao.service" ];
|
||||||
|
wants = [ "openbao.service" ];
|
||||||
|
# Run once at boot; doesn't restart
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
# run as the same user as the openbao service
|
||||||
|
# User = config.systemd.services.openbao.User;
|
||||||
|
# Group = config.systemd.services.openbao.Group;
|
||||||
|
# /run/keys/... are usually readable by root only; you might prefer to run as root
|
||||||
|
User = "root";
|
||||||
|
Group = "root";
|
||||||
|
|
||||||
|
# Only needs network access to 127.0.0.1
|
||||||
|
PrivateTmp = true;
|
||||||
|
ProtectSystem = "strict";
|
||||||
|
ProtectHome = true;
|
||||||
|
ReadOnlyPaths = [ "/" ];
|
||||||
|
# allow reading /run/keys and talking to localhost
|
||||||
|
ReadWritePaths = [ "/run" ];
|
||||||
|
NoNewPrivileges = true;
|
||||||
|
|
||||||
|
ExecStart = pkgs.writeShellScript "openbao-auto-unseal" ''
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
export BAO_ADDR="http://127.0.0.1:8200"
|
||||||
|
|
||||||
|
# Wait for OpenBao to be listening
|
||||||
|
# (systemd "after" ensures start order but not readiness)
|
||||||
|
for i in {1..30}; do
|
||||||
|
if bao status >/dev/null 2>&1; then
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
sleep 1
|
||||||
|
done
|
||||||
|
|
||||||
|
# If it's already unsealed, exit
|
||||||
|
if bao status 2>/dev/null | grep -q 'sealed *false'; then
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Apply each unseal key share; ignore "already unsealed" errors
|
||||||
|
# TODO change this back to /run/agenix instead of /root/bao-keys
|
||||||
|
for key in /root/bao-keys/openbao-unseal-*; do
|
||||||
|
if [ -f "$key" ]; then
|
||||||
|
bao operator unseal "$(cat "$key")" || true
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
# Check final status; fail if still sealed
|
||||||
|
if bao status 2>/dev/null | grep -q 'sealed *true'; then
|
||||||
|
echo "OpenBao is still sealed after applying unseal keys" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue