ringofstorms/dotfiles
ringofstorms/dotfiles
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Refactor systemd paths; add secrets-ready and jwt services

Browse source
This commit is contained in:
RingOfStorms (Joshua Bell) 2026-01-09 18:32:25 -06:00
parent 7f59cebc12
commit adca8e52f4
1 changed files with 164 additions and 79 deletions
Download patch file Download diff file Expand all files Collapse all files

97
flakes/secrets-bao/nixos-module.nix
View file

@ -494,7 +494,8 @@ in
"d /run/secrets 0711 root root - -"
];
systemd.paths = lib.mapAttrs' (
systemd.paths =
(lib.mapAttrs' (
name: secret:
lib.nameValuePair "openbao-secret-${name}" {
description = "Path unit for OpenBao secret ${name}";
@ -507,14 +508,39 @@ in
TriggerLimitBurst = 3;
};
}
) cfg.secrets;
) cfg.secrets)
// {
openbao-zitadel-jwt = {
description = "React to Zitadel JWT changes (restart vault-agent)";
wantedBy = [ "multi-user.target" ];
pathConfig = {
PathChanged = cfg.zitadelJwtPath;
Unit = "openbao-jwt-changed.service";
TriggerLimitIntervalSec = 30;
TriggerLimitBurst = 3;
};
};
openbao-secrets-ready = {
description = "Re-check OpenBao secrets readiness";
wantedBy = [ "multi-user.target" ];
pathConfig = {
PathChanged = "/run/secrets";
Unit = "openbao-secrets-ready.service";
TriggerLimitIntervalSec = 30;
TriggerLimitBurst = 3;
};
};
};
systemd.timers.zitadel-mint-jwt = {
description = "Refresh Zitadel JWT for OpenBao";
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "1min";
OnUnitActiveSec = "10min";
OnBootSec = "30s";
OnUnitInactiveSec = "10min";
Unit = "zitadel-mint-jwt.service";
};
};
@ -531,6 +557,7 @@ in
unitConfig.ConditionPathExists = secret.path;
wants = lib.mkAfter [ "openbao-secret-${secretName}.path" ];
after = lib.mkAfter [ "openbao-secret-${secretName}.path" ];
partOf = lib.mkAfter [ "openbao-secret-changed-${secretName}.service" ];
};
}
) secret.hardDepend
@ -539,10 +566,57 @@ in
)
)
{
openbao-secrets-ready = {
description = "OpenBao: all configured secrets present";
wantedBy = [ "multi-user.target" ];
wants = [ "vault-agent.service" ];
after = [ "vault-agent.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
User = "root";
Group = "root";
UMask = "0077";
ExecStart = pkgs.writeShellScript "openbao-secrets-ready" ''
#!/usr/bin/env bash
set -euo pipefail
${lib.concatStringsSep "\n" (
lib.mapAttrsToList (name: secret: ''
if [ ! -s ${lib.escapeShellArg secret.path} ]; then
echo "Missing secret: ${secret.path}" >&2
exit 1
fi
'') cfg.secrets
)}
echo "All configured OpenBao secrets present." >&2
'';
};
};
openbao-jwt-changed = {
description = "Restart vault-agent after Zitadel JWT refresh";
wants = [ "vault-agent.service" ];
after = [ "vault-agent.service" ];
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
UMask = "0077";
ExecStart = pkgs.writeShellScript "openbao-jwt-changed" ''
#!/usr/bin/env bash
set -euo pipefail
systemctl try-restart --no-block vault-agent.service || true
'';
};
};
zitadel-mint-jwt = {
description = "Mint Zitadel access token (JWT) for OpenBao";
after = [
"network-online.target"
"nss-lookup.target"
@ -564,8 +638,11 @@ in
RestartSec = "30s";
TimeoutStartSec = "2min";
UMask = "0077";
StartLimitIntervalSec = 0;
ExecStart = pkgs.writeShellScript "zitadel-mint-jwt-service" ''
#!/usr/bin/env bash
set -euo pipefail
@ -654,8 +731,10 @@ in
vault-agent = {
description = "OpenBao agent for rendering secrets";
wantedBy = [ "multi-user.target" ];
after = [
"network-online.target"
"zitadel-mint-jwt.service"
];
wants = [
"network-online.target"
@ -666,13 +745,16 @@ in
Type = "simple";
User = "root";
Group = "root";
Restart = "on-failure";
Restart = "always";
RestartSec = "10s";
TimeoutStartSec = "30s";
UMask = "0077";
StartLimitIntervalSec = 0;
ExecStart = "${pkgs.openbao}/bin/bao agent -log-level=${lib.escapeShellArg cfg.vaultAgentLogLevel} -config=${mkAgentConfig}";
};
};
}
(lib.mapAttrs' (
@ -713,6 +795,9 @@ in
systemctl start --no-block ${lib.escapeShellArg (svc + ".service")} || true
'') secret.hardDepend
)}
# Mark overall readiness when all secrets exist.
systemctl try-restart --no-block openbao-secrets-ready.service || true
'';
};
}