Enhance zitadel-mint-jwt service: add restart, resolved, runtime dir

This commit is contained in:
RingOfStorms (Joshua Bell) 2026-01-04 23:26:13 -06:00
parent 39e99de976
commit 99852eb7b9
4 changed files with 29 additions and 16 deletions


@ -264,18 +264,25 @@ in
"NetworkManager-wait-online.service" "NetworkManager-wait-online.service"
"systemd-resolved.service" "systemd-resolved.service"
]; ];
wants = [ "network-online.target" "NetworkManager-wait-online.service" ]; wants = [ "network-online.target" "NetworkManager-wait-online.service" "systemd-resolved.service" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
User = "root"; User = "root";
Group = "root"; Group = "root";
Restart = "on-failure";
RestartSec = "30s";
UMask = "0077"; UMask = "0077";
ExecStart = pkgs.writeShellScript "zitadel-mint-jwt-service" '' ExecStart = pkgs.writeShellScript "zitadel-mint-jwt-service" ''
#!/usr/bin/env bash #!/usr/bin/env bash
set -euo pipefail set -euo pipefail
if [ ! -d "/run/openbao" ]; then
${pkgs.coreutils}/bin/mkdir -p /run/openbao
${pkgs.coreutils}/bin/chmod 0700 /run/openbao
fi
if [ ! -f "${cfg.zitadelKeyPath}" ]; then if [ ! -f "${cfg.zitadelKeyPath}" ]; then
echo "Missing Zitadel key JSON at ${cfg.zitadelKeyPath}" >&2 echo "Missing Zitadel key JSON at ${cfg.zitadelKeyPath}" >&2
exit 1 exit 1
@ -315,16 +322,23 @@ in
exit 0 exit 0
fi fi
dns_ok() {
${pkgs.systemd}/bin/resolvectl query ${zitadelHost} >/dev/null 2>&1 && return 0
${pkgs.glibc}/bin/getent hosts ${zitadelHost} >/dev/null 2>&1 && return 0
return 1
}
# Wait for DNS to be usable. # Wait for DNS to be usable.
for i in {1..120}; do for i in {1..180}; do
if ${pkgs.glibc}/bin/getent hosts ${zitadelHost} >/dev/null; then if dns_ok; then
break break
fi fi
sleep 1 sleep 1
done done
if ! ${pkgs.glibc}/bin/getent hosts ${zitadelHost} >/dev/null; then if ! dns_ok; then
echo "DNS still not ready for ${zitadelHost}" >&2 echo "DNS still not ready for ${zitadelHost}" >&2
${pkgs.systemd}/bin/resolvectl status >&2 || true
exit 1 exit 1
fi fi
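Review bot: The new `${pkgs.coreutils}/bin/chmod 0700 /run/openbao` only runs when this script creates the directory, and with `UMask = "0077"` set on the unit `mkdir -p` already creates it mode 0700, so the chmod never tightens anything; a pre-existing `/run/openbao` with a looser mode (for example one created by another unit's RuntimeDirectory= at the default mode) keeps that mode while the minted token is, presumably, written into it. Either drop the `if [ ! -d "/run/openbao" ]` guard so both commands run every time, or let systemd own the directory with `RuntimeDirectory = "openbao"; RuntimeDirectoryMode = "0700";` in serviceConfig — adding `RuntimeDirectoryPreserve = "yes";` if the contents must outlive this oneshot, and checking who else owns `/run/openbao`, since a root-owned 0700 directory is unreadable by a service running as another user. The serviceConfig attribute set and the ExecStart script continue outside the hunk.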

hosts/juni/flake.lock generated

@ -1310,8 +1310,8 @@
}, },
"secrets-bao": { "secrets-bao": {
"locked": { "locked": {
"lastModified": 1767587118, "lastModified": 1767590305,
"narHash": "sha256-O6QCLO/csAiO8e5ejB43m7PQc7+EePWkX39Z2CZdqZ4=", "narHash": "sha256-yXJ0TpPqsKznLn6bHpDpeSzIvL7T1lWxxhZ6cmAjqhQ=",
"path": "/home/josh/.config/nixos-config/flakes/secrets-bao", "path": "/home/josh/.config/nixos-config/flakes/secrets-bao",
"type": "path" "type": "path"
}, },


@ -14,7 +14,7 @@
# secrets-bao.url = "path:../../flakes/secrets-bao"; # secrets-bao.url = "path:../../flakes/secrets-bao";
# NOTE: using an absolute path so this works before you commit/push. # NOTE: using an absolute path so this works before you commit/push.
# After you add `flakes/secrets-bao` to the repo, switch to a git URL like your other flakes. # After you add `flakes/secrets-bao` to the repo, switch to a git URL like your other flakes.
secrets-bao.url = "path:/home/josh/.config/nixos-config/flakes/secrets-bao"; secrets-bao.url = "path:../../flakes/secrets-bao";
# flatpaks.url = "path:../../flakes/flatpaks"; # flatpaks.url = "path:../../flakes/flatpaks";
flatpaks.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/flatpaks"; flatpaks.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/flatpaks";
# beszel.url = "path:../../flakes/beszel"; # beszel.url = "path:../../flakes/beszel";
@ -191,10 +191,11 @@
networking.hostName = configuration_name; networking.hostName = configuration_name;
programs.nh.flake = "/home/${primaryUser}/.config/nixos-config/hosts/${config.networking.hostName}"; programs.nh.flake = "/home/${primaryUser}/.config/nixos-config/hosts/${config.networking.hostName}";
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
users.mutableUsers = false;
users.users = { users.users = {
"${primaryUser}" = { "${primaryUser}" = {
isNormalUser = true; isNormalUser = true;
initialPassword = "password1"; hashedPassword = "$y$j9T$b66ZAxtTo75paZx.mnXyK.$ej0eKS3Wx4488qDfjUJSP0nsUe5TBzw31VbXR19XrQ4";
extraGroups = [ extraGroups = [
"wheel" "wheel"
"networkmanager" "networkmanager"
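Review bot: The new `hashedPassword` line puts the yescrypt hash for `${primaryUser}` into this flake, so it now lives in the repository history and — if the repository is published, which the `git+https://git.joshuabell.xyz/...` inputs above suggest — is exposed to offline guessing; combined with the added `users.mutableUsers = false;` it also means any later `passwd` change is reverted on the next rebuild. Prefer `hashedPasswordFile = "<path to a secret delivered outside the repo>";` (the flake already carries a `secrets-bao` input that could supply it) and treat the hash committed here as needing rotation. Separately, in the first hunk of this file the comment `# NOTE: using an absolute path so this works before you commit/push.` is now stale, since `secrets-bao.url` switched to the relative `path:../../flakes/secrets-bao`.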


@ -22,14 +22,12 @@
files = [ files = [
"/machine-key.json" "/machine-key.json"
"/etc/machine-id" "/etc/machine-id"
"/etc/resolv.conf" # TODO describe # NOTE: if you want mutable passwords across reboots, persist these,
"/etc/shadow" # keep passwords # but you must do a one-time migration (see notes in chat).
"/etc/group" # "/etc/shadow"
"/etc/passwd" # "/etc/group"
"/etc/sudoers" # "/etc/passwd"
"/etc/localtime" # "/etc/sudoers"
"/etc/timezone"
"/etc/adjtime"
]; ];
users."${primaryUser}" = { users."${primaryUser}" = {
directories = [ directories = [
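Review bot: The replacement comment ends with `(see notes in chat)`, which nobody reading the repository can follow, so the one-time migration required before `/etc/shadow`, `/etc/group`, `/etc/passwd` and `/etc/sudoers` can be persisted again is effectively undocumented; spell out the steps in the comment or point to a file in the repo, e.g. `# one-time migration: <describe steps or link to docs/ file in this repo>`. Dropping `/etc/resolv.conf` appears consistent with the systemd-resolved dependency added to the mint-jwt unit, since resolved manages that file, but `/etc/adjtime` also seems to leave the list, which on a non-persistent root discards hwclock's drift record each boot — presumably intended, but worth one comment either way. The attribute set enclosing `files` starts outside the hunk.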