diff --git a/flakes/secrets-bao/nixos-module.nix b/flakes/secrets-bao/nixos-module.nix index 4f87af58..b044760b 100644 --- a/flakes/secrets-bao/nixos-module.nix +++ b/flakes/secrets-bao/nixos-module.nix @@ -264,18 +264,25 @@ in "NetworkManager-wait-online.service" "systemd-resolved.service" ]; - wants = [ "network-online.target" "NetworkManager-wait-online.service" ]; + wants = [ "network-online.target" "NetworkManager-wait-online.service" "systemd-resolved.service" ]; serviceConfig = { Type = "oneshot"; User = "root"; Group = "root"; + Restart = "on-failure"; + RestartSec = "30s"; UMask = "0077"; ExecStart = pkgs.writeShellScript "zitadel-mint-jwt-service" '' #!/usr/bin/env bash set -euo pipefail + if [ ! -d "/run/openbao" ]; then + ${pkgs.coreutils}/bin/mkdir -p /run/openbao + ${pkgs.coreutils}/bin/chmod 0700 /run/openbao + fi + if [ ! -f "${cfg.zitadelKeyPath}" ]; then echo "Missing Zitadel key JSON at ${cfg.zitadelKeyPath}" >&2 exit 1 @@ -315,16 +322,23 @@ in exit 0 fi + dns_ok() { + ${pkgs.systemd}/bin/resolvectl query ${zitadelHost} >/dev/null 2>&1 && return 0 + ${pkgs.glibc}/bin/getent hosts ${zitadelHost} >/dev/null 2>&1 && return 0 + return 1 + } + # Wait for DNS to be usable. - for i in {1..120}; do - if ${pkgs.glibc}/bin/getent hosts ${zitadelHost} >/dev/null; then + for i in {1..180}; do + if dns_ok; then break fi sleep 1 done - if ! ${pkgs.glibc}/bin/getent hosts ${zitadelHost} >/dev/null; then + if ! dns_ok; then echo "DNS still not ready for ${zitadelHost}" >&2 + ${pkgs.systemd}/bin/resolvectl status >&2 || true exit 1 fi diff --git a/hosts/juni/flake.lock b/hosts/juni/flake.lock index 3a1fb62e..a25de72e 100644 --- a/hosts/juni/flake.lock +++ b/hosts/juni/flake.lock 
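Review bot: The `/run/openbao` setup added at the top of the script applies `chmod 0700` only when the directory does not yet exist, so a directory that was already created with a looser mode (by another unit, or by an earlier run before the next reboot) is silently accepted; enforce the mode on every run with `${pkgs.coreutils}/bin/install -d -m 0700 /run/openbao`, or hand the directory to systemd with `RuntimeDirectory = "openbao"; RuntimeDirectoryMode = "0700"; RuntimeDirectoryPreserve = "yes";` in `serviceConfig`. If the OpenBao daemon itself runs as a non-root user and reads from that directory, a root-owned 0700 directory locks it out, so it is worth confirming who consumes whatever is written there. The new `Restart = "on-failure"` with `RestartSec = "30s"` also retries the permanent `Missing Zitadel key JSON` failure every 30 seconds; giving that branch its own exit status and listing it in `RestartPreventExitStatus` keeps restarts to transient failures only. The service attribute set begins before this hunk and the ExecStart script continues past it.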
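Review bot: `dns_ok` now treats a successful `resolvectl query` as sufficient, but a client that resolves through glibc/NSS (the path `getent hosts` exercises, and the only thing the earlier check required) can still fail when resolved answers directly and NSS does not, so the wait can end before the name is usable by whatever contacts Zitadel further down the script. Unless that client is known to query resolved directly, keep `${pkgs.glibc}/bin/getent hosts "${zitadelHost}"` as the readiness condition and use `resolvectl query` only in the failure diagnostics next to the added `resolvectl status`. The interpolated host is unquoted in both commands, where `"${zitadelHost}"` is the safer form, and the unused loop variable reads better as `for _ in {1..180}; do`. Both the function and the loop sit inside the ExecStart script, which starts before this hunk and continues past it.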
@@ -1310,8 +1310,8 @@ }, "secrets-bao": { "locked": { - "lastModified": 1767587118, - "narHash": "sha256-O6QCLO/csAiO8e5ejB43m7PQc7+EePWkX39Z2CZdqZ4=", + "lastModified": 1767590305, + "narHash": "sha256-yXJ0TpPqsKznLn6bHpDpeSzIvL7T1lWxxhZ6cmAjqhQ=", "path": "/home/josh/.config/nixos-config/flakes/secrets-bao", "type": "path" }, diff --git a/hosts/juni/flake.nix b/hosts/juni/flake.nix index efff5d1f..cd72a2ba 100644 --- a/hosts/juni/flake.nix +++ b/hosts/juni/flake.nix @@ -14,7 +14,7 @@ # secrets-bao.url = "path:../../flakes/secrets-bao"; # NOTE: using an absolute path so this works before you commit/push. # After you add `flakes/secrets-bao` to the repo, switch to a git URL like your other flakes. - secrets-bao.url = "path:/home/josh/.config/nixos-config/flakes/secrets-bao"; + secrets-bao.url = "path:../../flakes/secrets-bao"; # flatpaks.url = "path:../../flakes/flatpaks"; flatpaks.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/flatpaks"; # beszel.url = "path:../../flakes/beszel"; @@ -191,10 +191,11 @@ networking.hostName = configuration_name; programs.nh.flake = "/home/${primaryUser}/.config/nixos-config/hosts/${config.networking.hostName}"; nixpkgs.config.allowUnfree = true; + users.mutableUsers = false; users.users = { "${primaryUser}" = { isNormalUser = true; - initialPassword = "password1"; + hashedPassword = "$y$j9T$b66ZAxtTo75paZx.mnXyK.$ej0eKS3Wx4488qDfjUJSP0nsUe5TBzw31VbXR19XrQ4"; extraGroups = [ "wheel" "networkmanager" diff --git a/hosts/juni/impermanence.nix b/hosts/juni/impermanence.nix index 9564267b..9b867bfd 100644 --- a/hosts/juni/impermanence.nix +++ b/hosts/juni/impermanence.nix 
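Review bot: The `# NOTE: using an absolute path so this works before you commit/push` comment and the commented-out `# secrets-bao.url = "path:../../flakes/secrets-bao";` line directly above now contradict the new value, which is that same relative path; drop the duplicate and rewrite the note to say why the relative path is used and when to move on, e.g. `# Relative path input for local iteration; switch to the git+https URL once flakes/secrets-bao is pushed.`. The lockfile hunk in this same commit still records the resolved absolute `/home/josh/...` path for this input, so the lock remains tied to one machine until it is regenerated, and depending on the Nix version a relative `path:` input may be locked as an absolute path again — one more reason to follow the note and switch to the git URL. The `inputs` set this line belongs to starts before the hunk and continues after it.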
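Review bot: `hashedPassword` places the primary user's yescrypt hash in the flake, and with the neighbouring inputs pointing at `git+https://git.joshuabell.xyz/ringofstorms/dotfiles` this file looks destined for a published repository, where the hash becomes offline-crackable; prefer `hashedPasswordFile = "/persist/…";` (or a file provisioned by the secrets-bao module) so the hash never enters version control, and rotate the password if this commit reaches a remote. `users.mutableUsers = false;` is the right companion to dropping `/etc/shadow` from the persisted files, but it also means every account that should log in — root included, if it is used for recovery — needs its own declarative `hashedPassword`/`hashedPasswordFile`, which deserves a comment next to the option such as `# mutableUsers = false: passwords are defined only here; passwd/useradd changes do not survive a rebuild.`. The `users.users` set continues past the end of the hunk.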
@@ -22,14 +22,12 @@ files = [ "/machine-key.json" "/etc/machine-id" - "/etc/resolv.conf" # TODO describe - "/etc/shadow" # keep passwords - "/etc/group" - "/etc/passwd" - "/etc/sudoers" - "/etc/localtime" - "/etc/timezone" - "/etc/adjtime" + # NOTE: if you want mutable passwords across reboots, persist these, + # but you must do a one-time migration (see notes in chat). + # "/etc/shadow" + # "/etc/group" + # "/etc/passwd" + # "/etc/sudoers" ]; users."${primaryUser}" = { directories = [
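Review bot: The new comment defers the migration procedure to `see notes in chat`, which nobody reading the repository later can follow; state the steps in place, roughly `# To re-enable mutable passwords: set users.mutableUsers = true, copy the current /etc/{passwd,shadow,group} into the persist root once, then uncomment these entries.`. Dropping `/etc/shadow`, `/etc/group` and `/etc/passwd` is consistent with `users.mutableUsers = false` in the juni flake, but `/etc/resolv.conf`, `/etc/localtime`, `/etc/timezone` and `/etc/adjtime` are removed without any mention in the comment; a short line such as `# resolv.conf, localtime and timezone are generated at activation; adjtime is hwclock drift state` would record the intent, assuming nothing on this host writes those files at runtime. `/etc/sudoers` is likewise generated from `security.sudo`, so persisting a stale copy could have shadowed the configured rules, which is worth noting as well. The persistence attribute set starts before this hunk and the `users.` block continues after it.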