Enhance zitadel-mint-jwt service: add restart, resolved, runtime dir

2026-01-04 23:26:13 -06:00 · 2026-01-04 23:26:13 -06:00 · 99852eb7b9
commit 99852eb7b9
parent 39e99de976
4 changed files with 29 additions and 16 deletions
--- a/hosts/juni/flake.lock
+++ b/hosts/juni/flake.lock
@ -1310,8 +1310,8 @@
    },
    "secrets-bao": {
      "locked": {
-        "lastModified": 1767587118,
-        "narHash": "sha256-O6QCLO/csAiO8e5ejB43m7PQc7+EePWkX39Z2CZdqZ4=",
+        "lastModified": 1767590305,
+        "narHash": "sha256-yXJ0TpPqsKznLn6bHpDpeSzIvL7T1lWxxhZ6cmAjqhQ=",
        "path": "/home/josh/.config/nixos-config/flakes/secrets-bao",
        "type": "path"
      },
--- a/hosts/juni/flake.nix
+++ b/hosts/juni/flake.nix
@ -14,7 +14,7 @@
    # secrets-bao.url = "path:../../flakes/secrets-bao";
    # NOTE: using an absolute path so this works before you commit/push.
    # After you add `flakes/secrets-bao` to the repo, switch to a git URL like your other flakes.
-    secrets-bao.url = "path:/home/josh/.config/nixos-config/flakes/secrets-bao";
+    secrets-bao.url = "path:../../flakes/secrets-bao";
    # flatpaks.url = "path:../../flakes/flatpaks";
    flatpaks.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/flatpaks";
    # beszel.url = "path:../../flakes/beszel";
@ -191,10 +191,11 @@
                  networking.hostName = configuration_name;
                  programs.nh.flake = "/home/${primaryUser}/.config/nixos-config/hosts/${config.networking.hostName}";
                  nixpkgs.config.allowUnfree = true;
+                  users.mutableUsers = false;
                  users.users = {
                    "${primaryUser}" = {
                      isNormalUser = true;
-                      initialPassword = "password1";
+                      hashedPassword = "$y$j9T$b66ZAxtTo75paZx.mnXyK.$ej0eKS3Wx4488qDfjUJSP0nsUe5TBzw31VbXR19XrQ4";
                      extraGroups = [
                        "wheel"
                        "networkmanager"
--- a/hosts/juni/impermanence.nix
+++ b/hosts/juni/impermanence.nix
@ -22,14 +22,12 @@
    files = [
      "/machine-key.json"
      "/etc/machine-id"
-      "/etc/resolv.conf" # TODO describe
-      "/etc/shadow" # keep passwords
-      "/etc/group"
-      "/etc/passwd"
-      "/etc/sudoers"
-      "/etc/localtime"
-      "/etc/timezone"
-      "/etc/adjtime"
+      # NOTE: if you want mutable passwords across reboots, persist these,
+      # but you must do a one-time migration (see notes in chat).
+      # "/etc/shadow"
+      # "/etc/group"
+      # "/etc/passwd"
+      # "/etc/sudoers"
    ];
    users."${primaryUser}" = {
      directories = [