ringofstorms/dotfiles
ringofstorms/dotfiles
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

update bao secrets

Browse source
This commit is contained in:
RingOfStorms (Joshua Bell) 2026-01-12 09:48:17 -06:00
parent d77db080b9
commit 512bd5896c
1 changed files with 62 additions and 56 deletions
Download patch file Download diff file Expand all files Collapse all files

118
flakes/secrets-bao/nixos-module.nix
View file

@ -574,7 +574,7 @@ in
map ( map (
svc: { svc: {
${svc} = { ${svc} = {
unitConfig.ConditionPathExists = secret.path; unitConfig.ConditionFileNotEmpty = secret.path;
wants = lib.mkAfter [ "openbao-secret-${secretName}.path" ]; wants = lib.mkAfter [ "openbao-secret-${secretName}.path" ];
after = lib.mkAfter [ "openbao-secret-${secretName}.path" ]; after = lib.mkAfter [ "openbao-secret-${secretName}.path" ];
partOf = lib.mkAfter [ "openbao-secret-changed-${secretName}.service" ]; partOf = lib.mkAfter [ "openbao-secret-changed-${secretName}.service" ];
@ -634,34 +634,36 @@ in
}; };
}; };
zitadel-mint-jwt = { zitadel-mint-jwt = {
description = "Mint Zitadel access token (JWT) for OpenBao"; description = "Mint Zitadel access token (JWT) for OpenBao";
after = [ startLimitIntervalSec = 0;
"network-online.target"
"nss-lookup.target"
"NetworkManager-wait-online.service"
"systemd-resolved.service"
"time-sync.target"
];
wants = [
"network-online.target"
"NetworkManager-wait-online.service"
"systemd-resolved.service"
];
serviceConfig = { after = [
Type = "oneshot"; "network-online.target"
User = "root"; "nss-lookup.target"
Group = "root"; "NetworkManager-wait-online.service"
Restart = "on-failure"; "systemd-resolved.service"
RestartSec = "30s"; "time-sync.target"
TimeoutStartSec = "2min"; ];
UMask = "0077"; wants = [
StartLimitIntervalSec = 0; "network-online.target"
"NetworkManager-wait-online.service"
"systemd-resolved.service"
];
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
Restart = "on-failure";
RestartSec = "30s";
TimeoutStartSec = "2min";
UMask = "0077";
ExecStart = pkgs.writeShellScript "zitadel-mint-jwt-service" '' ExecStart = pkgs.writeShellScript "zitadel-mint-jwt-service" ''
#!/usr/bin/env bash #!/usr/bin/env bash
set -euo pipefail set -euo pipefail
@ -698,14 +700,16 @@ in
local payload_b64 payload_json exp now local payload_b64 payload_json exp now
payload_b64="$(${pkgs.coreutils}/bin/printf '%s' "$token" | ${pkgs.coreutils}/bin/cut -d. -f2)" payload_b64="$(${pkgs.coreutils}/bin/printf '%s' "$token" | ${pkgs.coreutils}/bin/cut -d. -f2)"
payload_b64="$(${pkgs.coreutils}/bin/printf '%s' "$payload_b64" | ${pkgs.gnused}/bin/sed -e 's/-/+/g' -e 's/_/\//g')"
case $((${pkgs.coreutils}/bin/printf '%s' "$payload_b64" | ${pkgs.coreutils}/bin/wc -c)) in if [ -z "$payload_b64" ]; then
*1) payload_b64="$payload_b64=" ;; return 1
*2) payload_b64="$payload_b64==" ;; fi
*3) : ;;
*0) : ;; # base64url -> base64 (+ padding)
esac payload_b64="$(${pkgs.coreutils}/bin/printf '%s' "$payload_b64" | ${pkgs.gnused}/bin/sed -e 's/-/+/g' -e 's/_/\//g')"
while [ $(( ''${#payload_b64} % 4 )) -ne 0 ]; do
payload_b64="''${payload_b64}="
done
payload_json="$(${pkgs.coreutils}/bin/printf '%s' "$payload_b64" | ${pkgs.coreutils}/bin/base64 -d 2>/dev/null || true)" payload_json="$(${pkgs.coreutils}/bin/printf '%s' "$payload_b64" | ${pkgs.coreutils}/bin/base64 -d 2>/dev/null || true)"
exp="$(${pkgs.jq}/bin/jq -r '.exp // empty' <<<"$payload_json" 2>/dev/null || true)" exp="$(${pkgs.jq}/bin/jq -r '.exp // empty' <<<"$payload_json" 2>/dev/null || true)"
@ -736,7 +740,7 @@ in
trap '${pkgs.coreutils}/bin/rm -f "$tmp"' EXIT trap '${pkgs.coreutils}/bin/rm -f "$tmp"' EXIT
${pkgs.coreutils}/bin/printf '%s' "$jwt" > "$tmp" ${pkgs.coreutils}/bin/printf '%s' "$jwt" > "$tmp"
if [ -s "${cfg.zitadelJwtPath}" ] && ${pkgs.coreutils}/bin/cmp -s "$tmp" "${cfg.zitadelJwtPath}"; then if [ -s "${cfg.zitadelJwtPath}" ] && ${pkgs.diffutils}/bin/cmp -s "$tmp" "${cfg.zitadelJwtPath}"; then
echo "zitadel-mint-jwt: token unchanged; skipping" >&2 echo "zitadel-mint-jwt: token unchanged; skipping" >&2
exit 0 exit 0
fi fi
@ -748,32 +752,34 @@ in
}; };
}; };
vault-agent = { vault-agent = {
description = "OpenBao agent for rendering secrets"; description = "OpenBao agent for rendering secrets";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ startLimitIntervalSec = 0;
"network-online.target"
"zitadel-mint-jwt.service"
];
wants = [
"network-online.target"
"zitadel-mint-jwt.service"
];
serviceConfig = { after = [
Type = "simple"; "network-online.target"
User = "root"; "zitadel-mint-jwt.service"
Group = "root"; ];
Restart = "always"; wants = [
RestartSec = "10s"; "network-online.target"
TimeoutStartSec = "30s"; "zitadel-mint-jwt.service"
UMask = "0077"; ];
StartLimitIntervalSec = 0;
ExecStart = "${pkgs.openbao}/bin/bao agent -log-level=${lib.escapeShellArg cfg.vaultAgentLogLevel} -config=${mkAgentConfig}"; serviceConfig = {
}; Type = "simple";
User = "root";
Group = "root";
Restart = "always";
RestartSec = "10s";
TimeoutStartSec = "30s";
UMask = "0077";
ExecStart = "${pkgs.openbao}/bin/bao agent -log-level=${lib.escapeShellArg cfg.vaultAgentLogLevel} -config=${mkAgentConfig}";
};
};
};
} }