Enhance zitadel-mint-jwt service: add restart, resolved, runtime dir

RingOfStorms (Joshua Bell) 2026-01-04 23:26:13 -06:00
parent 39e99de976
commit 99852eb7b9
4 changed files with 29 additions and 16 deletions


@ -264,18 +264,25 @@ in
"NetworkManager-wait-online.service"
"systemd-resolved.service"
];
wants = [ "network-online.target" "NetworkManager-wait-online.service" ];
wants = [ "network-online.target" "NetworkManager-wait-online.service" "systemd-resolved.service" ];
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
Restart = "on-failure";
RestartSec = "30s";
UMask = "0077";
ExecStart = pkgs.writeShellScript "zitadel-mint-jwt-service" ''
#!/usr/bin/env bash
set -euo pipefail
if [ ! -d "/run/openbao" ]; then
${pkgs.coreutils}/bin/mkdir -p /run/openbao
${pkgs.coreutils}/bin/chmod 0700 /run/openbao
fi
if [ ! -f "${cfg.zitadelKeyPath}" ]; then
echo "Missing Zitadel key JSON at ${cfg.zitadelKeyPath}" >&2
exit 1
@ -315,16 +322,23 @@ in
exit 0
fi
dns_ok() {
${pkgs.systemd}/bin/resolvectl query ${zitadelHost} >/dev/null 2>&1 && return 0
${pkgs.glibc}/bin/getent hosts ${zitadelHost} >/dev/null 2>&1 && return 0
return 1
}
# Wait for DNS to be usable.
for i in {1..120}; do
if ${pkgs.glibc}/bin/getent hosts ${zitadelHost} >/dev/null; then
for i in {1..180}; do
if dns_ok; then
break
fi
sleep 1
done
if ! ${pkgs.glibc}/bin/getent hosts ${zitadelHost} >/dev/null; then
if ! dns_ok; then
echo "DNS still not ready for ${zitadelHost}" >&2
${pkgs.systemd}/bin/resolvectl status >&2 || true
exit 1
fi
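Review bot: In the first hunk the `/run/openbao` setup runs `chmod 0700` only when the directory does not exist yet, so a directory that something else created earlier with a wider mode or a different owner is used as-is. The unit runs as root with `UMask = "0077"` and the directory presumably receives the minted token, so I would drop the `if` and always run `${pkgs.coreutils}/bin/mkdir -p /run/openbao` followed by `${pkgs.coreutils}/bin/chmod 0700 /run/openbao`. In the second hunk `${zitadelHost}` is interpolated unquoted into `resolvectl query` and `getent hosts` inside `dns_ok`; `${lib.escapeShellArg zitadelHost}` would keep an odd config value from being word-split, assuming `lib` is in scope in this module. The ExecStart script begins and ends outside both hunks, so how the token file itself is written is not visible here.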

4
hosts/juni/flake.lock generated

@ -1310,8 +1310,8 @@
},
"secrets-bao": {
"locked": {
"lastModified": 1767587118,
"narHash": "sha256-O6QCLO/csAiO8e5ejB43m7PQc7+EePWkX39Z2CZdqZ4=",
"lastModified": 1767590305,
"narHash": "sha256-yXJ0TpPqsKznLn6bHpDpeSzIvL7T1lWxxhZ6cmAjqhQ=",
"path": "/home/josh/.config/nixos-config/flakes/secrets-bao",
"type": "path"
},


@ -14,7 +14,7 @@
# secrets-bao.url = "path:../../flakes/secrets-bao";
# NOTE: using an absolute path so this works before you commit/push.
# After you add `flakes/secrets-bao` to the repo, switch to a git URL like your other flakes.
secrets-bao.url = "path:/home/josh/.config/nixos-config/flakes/secrets-bao";
secrets-bao.url = "path:../../flakes/secrets-bao";
# flatpaks.url = "path:../../flakes/flatpaks";
flatpaks.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/flatpaks";
# beszel.url = "path:../../flakes/beszel";
@ -191,10 +191,11 @@
networking.hostName = configuration_name;
programs.nh.flake = "/home/${primaryUser}/.config/nixos-config/hosts/${config.networking.hostName}";
nixpkgs.config.allowUnfree = true;
users.mutableUsers = false;
users.users = {
"${primaryUser}" = {
isNormalUser = true;
initialPassword = "password1";
hashedPassword = "$y$j9T$b66ZAxtTo75paZx.mnXyK.$ej0eKS3Wx4488qDfjUJSP0nsUe5TBzw31VbXR19XrQ4";
extraGroups = [
"wheel"
"networkmanager"
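Review bot: The `hashedPassword` literal set for `"${primaryUser}"` in the second hunk puts the yescrypt hash of a `wheel` account into the flake, so it is readable by anyone with access to the repository and ends up in the world-readable Nix store, where it can be guessed at offline. `hashedPasswordFile = "<PATH_TO_ROOT_ONLY_HASH_FILE>";` fed from the existing secrets setup would keep it out of both. The `initialPassword = "password1"` line it appears to replace stays in git history, so that value should not remain in use on any host. In the first hunk the `# NOTE: using an absolute path ...` comment no longer matches the relative `path:../../flakes/secrets-bao` URL that appears to be the new value and should be updated or removed. The `users.users` attribute set continues past the end of the hunk.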


@ -22,14 +22,12 @@
files = [
"/machine-key.json"
"/etc/machine-id"
"/etc/resolv.conf" # TODO describe
"/etc/shadow" # keep passwords
"/etc/group"
"/etc/passwd"
"/etc/sudoers"
"/etc/localtime"
"/etc/timezone"
"/etc/adjtime"
# NOTE: if you want mutable passwords across reboots, persist these,
# but you must do a one-time migration (see notes in chat).
# "/etc/shadow"
# "/etc/group"
# "/etc/passwd"
# "/etc/sudoers"
];
users."${primaryUser}" = {
directories = [
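Review bot: The comment added above the commented-out `/etc/shadow`, `/etc/group`, `/etc/passwd` and `/etc/sudoers` entries points to "notes in chat", which nobody reading the repository can follow, so the one-time migration it warns about is effectively undocumented. A self-contained wording such as `# Accounts are declarative (users.mutableUsers = false); persist these only after migrating the existing files, see <DOC_IN_REPO>.` would work, assuming this list belongs to the host whose flake sets that option. Going by the hunk's line counts, `/etc/resolv.conf`, `/etc/localtime`, `/etc/timezone` and `/etc/adjtime` are also dropped from persistence, which neither the commit title nor a comment explains. `/machine-key.json` stays persisted at the filesystem root; its mode is not visible here and should be root-only if it is the Zitadel key the service reads. The `directories` list continues outside the hunk.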