From 6dea74a2a8d17ba45474000ff697c46167c268a5 Mon Sep 17 00:00:00 2001
From: "RingOfStorms (Joshua Bell)"
Date: Mon, 5 Jan 2026 00:22:03 -0600
Subject: [PATCH] Add ExecStartPre to wait for Zitadel JWT and update flake.lock paths
---
 flakes/secrets-bao/nixos-module.nix | 25 +++++++++++++++++++++++--
 hosts/juni/flake.lock | 9 ++++-----
 hosts/lio/flake.lock | 8 ++++----
 3 files changed, 31 insertions(+), 11 deletions(-)
diff --git a/flakes/secrets-bao/nixos-module.nix b/flakes/secrets-bao/nixos-module.nix
index b044760b..a8b6144d 100644
--- a/flakes/secrets-bao/nixos-module.nix
+++ b/flakes/secrets-bao/nixos-module.nix
@@ -371,8 +371,10 @@ in
 "network-online.target"
 "zitadel-mint-jwt.service"
 ];
- wants = [ "network-online.target" ];
- requires = [ "zitadel-mint-jwt.service" ];
+ wants = [
+ "network-online.target"
+ "zitadel-mint-jwt.service"
+ ];
 serviceConfig = {
 Type = "simple";
@@ -382,6 +384,25 @@ in
 RestartSec = "30s";
 UMask = "0077";
+ ExecStartPre = pkgs.writeShellScript "openbao-wait-jwt" ''
+ #!/usr/bin/env bash
+ set -euo pipefail
+
+ for i in {1..180}; do
+ if [ -s "${cfg.zitadelJwtPath}" ]; then
+ jwt="$(cat "${cfg.zitadelJwtPath}")"
+ # very cheap sanity check: JWT has at least 2 dots
+ if ${pkgs.gnugrep}/bin/grep -q '\\..*\\.' <<<"$jwt"; then
+ exit 0
+ fi
+ fi
+ sleep 1
+ done
+
+ echo "Missing or invalid Zitadel JWT at ${cfg.zitadelJwtPath}" >&2
+ exit 1
+ '';
+
 ExecStart = "${pkgs.openbao}/bin/bao agent -config=${mkAgentConfig}";
 };
 };
diff --git a/hosts/juni/flake.lock b/hosts/juni/flake.lock
index a25de72e..86ad66fb 100644
--- a/hosts/juni/flake.lock
+++ b/hosts/juni/flake.lock
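Review bot: Moving `zitadel-mint-jwt.service` from `requires` to `wants` means a failed mint run no longer stops this unit from being started, and nothing on the new lines says whether that is intended. The only remaining gate is the ExecStartPre check added in the next hunk, which accepts any non-empty token file of the right shape, so a token left over from an earlier run would presumably pass it (whether one can persist depends on the mint unit, which is not shown). If the weaker dependency is deliberate, I would record it above the list, e.g. `# wants, not requires: a failed mint does not block the agent; ExecStartPre only checks that a token file exists, not that it is fresh`. The unit definition starts and ends outside the hunk.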
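Review bot: The pattern in `grep -q '\\..*\\.'` looks wrong for where it lives: inside a Nix `''…''` string a backslash is not an escape, so the script receives `\\.` verbatim and grep then looks for a literal backslash followed by any character, twice. A JWT contains no backslashes, so if the file reads as shown the check can never succeed and ExecStartPre will wait out all 180 iterations and exit 1 on every start. Replacing that line with `if [[ "$jwt" == *.*.* ]]; then` tests for the two dots directly and also keeps the token out of a here-string, which some bash versions stage through a temporary file. The `#!/usr/bin/env bash` line is redundant, since `writeShellScript` already prepends an interpreter line. The `serviceConfig` set opens above the hunk.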
@@ -1310,15 +1310,14 @@
 },
 "secrets-bao": {
 "locked": {
- "lastModified": 1767590305,
- "narHash": "sha256-yXJ0TpPqsKznLn6bHpDpeSzIvL7T1lWxxhZ6cmAjqhQ=",
- "path": "/home/josh/.config/nixos-config/flakes/secrets-bao",
+ "path": "../../flakes/secrets-bao",
 "type": "path"
 },
 "original": {
- "path": "/home/josh/.config/nixos-config/flakes/secrets-bao",
+ "path": "../../flakes/secrets-bao",
 "type": "path"
- }
+ },
+ "parent": []
 }
 },
 "root": "root",
diff --git a/hosts/lio/flake.lock b/hosts/lio/flake.lock
index 87f18a7c..1041c90c 100644
--- a/hosts/lio/flake.lock
+++ b/hosts/lio/flake.lock
@@ -64,11 +64,11 @@
 "common": {
 "locked": {
 "dir": "flakes/common",
- "lastModified": 1767587784,
- "narHash": "sha256-xHZwNiDUshkQg1yUu+RFdkFAa8jj0XkAFpZjuUqi0wo=",
+ "lastModified": 1767592562,
+ "narHash": "sha256-MoSZeW3agnrU15NYk6pjfKFbgsXnYoLaOMhsL3zNHD4=",
 "ref": "refs/heads/master",
- "rev": "effa01310bfe91ef7a39a035f021a0dc4e345e58",
- "revCount": 1042,
+ "rev": "8b54ce4b3799ac48b2093018504eccad2852c0f7",
+ "revCount": 1050,
 "type": "git",
 "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
 },