From b7330b4c09e7f62e83ea30959dab5c2230041847 Mon Sep 17 00:00:00 2001
From: "RingOfStorms (Joshua Bell)"
Date: Mon, 8 Dec 2025 10:55:35 -0600
Subject: [PATCH] openbao auto unseal

---
 flakes/common/nix_modules/timezone_auto.nix | 13 ---
 flakes/common/nix_modules/timezone_chi.nix | 3 +
 hosts/h001/flake.lock | 110 +++++++++----------
 hosts/h001/flake.nix | 36 +++----
 hosts/h001/mods/openbao.nix | 65 ++++++++----
 5 files changed, 113 insertions(+), 114 deletions(-)
 create mode 100644 flakes/common/nix_modules/timezone_chi.nix

diff --git a/flakes/common/nix_modules/timezone_auto.nix b/flakes/common/nix_modules/timezone_auto.nix
index d7c0b580..8b54b213 100644
--- a/flakes/common/nix_modules/timezone_auto.nix
+++ b/flakes/common/nix_modules/timezone_auto.nix
@@ -1,17 +1,4 @@
-{
- ...
-}:
 {
 time.timeZone = null;
 services.automatic-timezoned.enable = true;
-
- # Add a polkit rule so automatic-timezoned can change timezone
- security.polkit.extraConfig = ''
- polkit.addRule(function(action, subject) {
- if (action.id == "org.freedesktop.timedate1.set-timezone" &&
- subject.isInGroup("wheel")) {
- return polkit.Result.YES;
- }
- });
- '';
 }
diff --git a/flakes/common/nix_modules/timezone_chi.nix b/flakes/common/nix_modules/timezone_chi.nix
new file mode 100644
index 00000000..44c287f8
--- /dev/null
+++ b/flakes/common/nix_modules/timezone_chi.nix
@@ -0,0 +1,3 @@
+{
+ time.timeZone = "America/Chicago";
+}
diff --git a/hosts/h001/flake.lock b/hosts/h001/flake.lock
index f67047b5..d6641f26 100644
--- a/hosts/h001/flake.lock
+++ b/hosts/h001/flake.lock
@@ -79,20 +79,14 @@ }, "common": { "locked": { - "dir": "flakes/common", - "lastModified": 1764895175, - "narHash": "sha256-JnPCzQPJNIMeSB6FLgJ2N91p4smErwZSxpbsfmUEqfA=", - "ref": "refs/heads/master", - "rev": "457c53203dcc145b1b6df19be400ad426b9e06f0", - "revCount": 846, - "type": "git", - "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" + "path": "../../flakes/common", + "type": "path" }, "original": { - "dir": "flakes/common", - "type": "git", - "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" - } + "path": "../../flakes/common", + "type": "path" + }, + "parent": [] }, "crane": { "locked": { @@ -295,11 +289,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1764677808, - "narHash": "sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0=", + "lastModified": 1764983851, + "narHash": "sha256-y7RPKl/jJ/KAP/VKLMghMgXTlvNIJMHKskl8/Uuar7o=", "owner": "nixos", "repo": "nixpkgs", - "rev": "1aab89277eb2d87823d5b69bae631a2496cff57a", + "rev": "d9bc5c7dceb30d8d6fafa10aeb6aa8a48c218454", "type": "github" }, "original": { @@ -311,11 +305,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1764040936, - "narHash": "sha256-d1NFBVGQZ/Xb0pMviuzenqrfXymJs0m/pKrEg1tDGsE=", + "lastModified": 1764776358, + "narHash": "sha256-MxXSCRiV7DI5U3Ra1UxVJTTUyKsONAE8+8QdSXsGIhA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b9491974f02dadeb5acca22649ccbd89a6a81afb", + "rev": "0b8cec1eb2241336971009cdd4af641b930d0d97", "type": "github" }, "original": { @@ -407,11 +401,11 @@ "nvim_plugin-MeanderingProgrammer/render-markdown.nvim": { "flake": false, "locked": { - "lastModified": 1763430554, - "narHash": "sha256-0DwPuzqR+7R4lJFQ9f2xN26YhdQKg85Hw6+bPvloZoc=", + "lastModified": 1764732647, + "narHash": "sha256-jya61X22LbcT4hpeio3qE/oOI/lvqKpf09oGEHHvQdA=", "owner": "MeanderingProgrammer", "repo": "render-markdown.nvim", - "rev": "6e0e8902dac70fecbdd8ce557d142062a621ec38", + "rev": "b2b135347e299ffbf7f4123fb7811899b0c9f4b8", "type": "github" }, "original": { 
@@ -487,11 +481,11 @@ "nvim_plugin-b0o/schemastore.nvim": { "flake": false, "locked": { - "lastModified": 1763748041, - "narHash": "sha256-4KKj1zp+5Z2zbC31hpvw73BIuf4dW7rimepGOggmUp4=", + "lastModified": 1764655248, + "narHash": "sha256-9nUBzwbMkzLySMW/Y0EkFpvFgHeW5YDQ3J3moVQarjQ=", "owner": "b0o", "repo": "schemastore.nvim", - "rev": "aa25399c48236b77af71d4b64cdf157d2ba4e990", + "rev": "e9c00ea7813006dfa29f35c174f83f0184d45a93", "type": "github" }, "original": { @@ -503,11 +497,11 @@ "nvim_plugin-catppuccin/nvim": { "flake": false, "locked": { - "lastModified": 1763995197, - "narHash": "sha256-i4WmQzSNWeR5rh61yonzR55yyklJ3xOL8D/XyEnDa+E=", + "lastModified": 1764084803, + "narHash": "sha256-ds+Rm9H00s++RC1dH4OQpCg1FXSm4HuwDGzr4ah0YBU=", "owner": "catppuccin", "repo": "nvim", - "rev": "180e0435707cf1fed09a98a9739e5807d92b69be", + "rev": "ce4a8e0d5267e67056f9f4dcf6cb1d0933c8ca00", "type": "github" }, "original": { @@ -519,11 +513,11 @@ "nvim_plugin-chrisgrieser/nvim-early-retirement": { "flake": false, "locked": { - "lastModified": 1764013541, - "narHash": "sha256-Mzz1y7YYTYUWv9S/Yr26to7AuDCZ+9asHa3qzDz06D0=", + "lastModified": 1764104935, + "narHash": "sha256-mvs0uIoxidy3jfC6oymwhaZVRbJrW+/kuMcIpR8TI6M=", "owner": "chrisgrieser", "repo": "nvim-early-retirement", - "rev": "6fb7d87a965e439cfb4e04a5c0e5038010fc015b", + "rev": "cd29cf40af7473530a8598245ba1d348fd5e1fa0", "type": "github" }, "original": { @@ -695,11 +689,11 @@ "nvim_plugin-lewis6991/gitsigns.nvim": { "flake": false, "locked": { - "lastModified": 1763280728, - "narHash": "sha256-w2/osNJwbtmUxxQIXBsyqMYrvyNUaVzXrUNGYqGmzi4=", + "lastModified": 1764322768, + "narHash": "sha256-w3Q7nMFEbcjP6RmSTONg2Nw1dBXDEHnjQ69FuAPJRD8=", "owner": "lewis6991", "repo": "gitsigns.nvim", - "rev": "cdafc320f03f2572c40ab93a4eecb733d4016d07", + "rev": "5813e4878748805f1518cee7abb50fd7205a3a48", "type": "github" }, "original": { 
@@ -791,11 +785,11 @@ "nvim_plugin-mrcjkb/rustaceanvim": { "flake": false, "locked": { - "lastModified": 1763539887, - "narHash": "sha256-aMyjQEEY6MlTBMMxjR6NxNhdbWmvRhOcfpgE1w712nE=", + "lastModified": 1764542305, + "narHash": "sha256-t7xAQ9sczLyA1zODmD+nEuWuLnhrfSOoPu/4G/YTGdU=", "owner": "mrcjkb", "repo": "rustaceanvim", - "rev": "6b7e0e18ad8fa0598bc038aef7bb6bba288adbad", + "rev": "6c3785d6a230bec63f70c98bf8e2842bed924245", "type": "github" }, "original": { @@ -807,11 +801,11 @@ "nvim_plugin-neovim/nvim-lspconfig": { "flake": false, "locked": { - "lastModified": 1763880753, - "narHash": "sha256-huuWVUKo6CmxjXYRnGv8tUs+7bo85gNyL8vVnreiTAU=", + "lastModified": 1764477618, + "narHash": "sha256-IpVDEOr//Jy+r3Z5Qo8nxDa3fNO+BTBKzAmbqvxtCQE=", "owner": "neovim", "repo": "nvim-lspconfig", - "rev": "30a2b191bccf541ce1797946324c9329e90ec448", + "rev": "effe4bf2e1afb881ea67291c648b68dd3dfc927a", "type": "github" }, "original": { @@ -919,11 +913,11 @@ "nvim_plugin-nvim-telescope/telescope.nvim": { "flake": false, "locked": { - "lastModified": 1763414201, - "narHash": "sha256-6hrylUCc6KlcbnMgcJNJhbX2Cgu0YHKoMPOqpaKRljE=", + "lastModified": 1764418954, + "narHash": "sha256-e6XSJRv4KB0z+nzGWmlV/YZNwWsyrrpQTloePRKWmw4=", "owner": "nvim-telescope", "repo": "telescope.nvim", - "rev": "83a3a713d6b2d2a408491a1b959e55a7fa8678e8", + "rev": "e69b434b968a33815e2f02a5c7bd7b8dd4c7d4b2", "type": "github" }, "original": { @@ -935,11 +929,11 @@ "nvim_plugin-nvim-tree/nvim-tree.lua": { "flake": false, "locked": { - "lastModified": 1763712665, - "narHash": "sha256-YwaWMPQ3IC+z/utnkZ1Tfs5tZFex9Gdf/vS9sUaMDCA=", + "lastModified": 1764713359, + "narHash": "sha256-dSaO5esPKj1y4vNyLb3AK9egmFJsmWxkGOT+etJsbRA=", "owner": "nvim-tree", "repo": "nvim-tree.lua", - "rev": "3fb91e18a727ecc0385637895ec397dea90be42a", + "rev": "59088b96a32ea47caf4976e164dbd88b86447fb7", "type": "github" }, "original": { 
@@ -1079,11 +1073,11 @@ "nvim_plugin-stevearc/conform.nvim": { "flake": false, "locked": { - "lastModified": 1763939276, - "narHash": "sha256-2TLMJdbSbMbdGn6zhZwNSUZnxVGu+Y0ZYhTjinTc7Hs=", + "lastModified": 1764743081, + "narHash": "sha256-qCjrMt3fsRbLr/iM7nFHG7oKtyTTGcse4/cJbm3odJE=", "owner": "stevearc", "repo": "conform.nvim", - "rev": "6208aefd675939cc7c8f1a57176135974dad269f", + "rev": "ffe26e8df8115c9665d24231f8a49fadb2d611ce", "type": "github" }, "original": { @@ -1191,11 +1185,11 @@ "nvim_plugin-zbirenbaum/copilot.lua": { "flake": false, "locked": { - "lastModified": 1763512274, - "narHash": "sha256-NMIXOb/20aEmXvPgSDPzVuRIV+OUnJyfXVaVEuVAaTM=", + "lastModified": 1764638966, + "narHash": "sha256-wQ6SfAunVMd5tNeM7RMvrfPC2ELRibyEQboVQlU/fBs=", "owner": "zbirenbaum", "repo": "copilot.lua", - "rev": "4383e05a47493d7ff77b058c0548129eb38ec7fb", + "rev": "881f99b827d65b41f522eecc21b112cf518028ac", "type": "github" }, "original": { @@ -1354,11 +1348,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1764112623, - "narHash": "sha256-IBjor1S6fq2nwmzi7sRwJg6mRFlO9qwA1OhJhyHvwlw=", + "lastModified": 1764777428, + "narHash": "sha256-wFfPnXo1P+NwSK+Y7xYVwt0mbYhe9uBrf80T5KpBV5Q=", "ref": "refs/heads/master", - "rev": "d85f1e831e400b2d1ea574fe6e40deba39d4d750", - "revCount": 323, + "rev": "ee642c429fced7d51c5f9c9694034f6222a1186f", + "revCount": 324, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/nvim" }, @@ -1375,11 +1369,11 @@ ] }, "locked": { - "lastModified": 1764038373, - "narHash": "sha256-M6w2wNBRelcavoDAyFL2iO4NeWknD40ASkH1S3C0YGM=", + "lastModified": 1764729618, + "narHash": "sha256-z4RA80HCWv2los1KD346c+PwNPzMl79qgl7bCVgz8X0=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "ab3536fe850211a96673c6ffb2cb88aab8071cc9", + "rev": "52764074a85145d5001bf0aa30cb71936e9ad5b8", "type": "github" }, "original": { diff --git a/hosts/h001/flake.nix b/hosts/h001/flake.nix index c07c21dd..344f0553 100644 --- a/hosts/h001/flake.nix 
+++ b/hosts/h001/flake.nix @@ -15,8 +15,8 @@ n8n-nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; # Use relative to get current version for testing - # common.url = "path:../../flakes/common"; - common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/common"; + common.url = "path:../../flakes/common"; + # common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/common"; # secrets.url = "path:../../flakes/secrets"; secrets.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/secrets"; # beszel.url = "path:../../flakes/beszel"; @@ -57,12 +57,9 @@ secrets.nixosModules.default ros_neovim.nixosModules.default - ( - { ... }: - { - ringofstorms-nvim.includeAllRuntimeDependencies = true; - } - ) + ({ + ringofstorms-nvim.includeAllRuntimeDependencies = true; + }) common.nixosModules.essentials common.nixosModules.git @@ -71,23 +68,20 @@ common.nixosModules.nix_options common.nixosModules.podman common.nixosModules.tailnet - common.nixosModules.timezone_auto + common.nixosModules.timezone_chi common.nixosModules.tty_caps_esc common.nixosModules.zsh beszel.nixosModules.agent - ( - { ... }: - { - beszelAgent = { - listen = "${overlayIp}:45876"; - token = "20208198-87c2-4bd1-ab09-b97c3b9c6a6e"; - }; - services.beszel.agent.environment = { - EXTRA_FILESYSTEMS = "sda__Media"; - }; - } - ) + ({ + beszelAgent = { + listen = "${overlayIp}:45876"; + token = "20208198-87c2-4bd1-ab09-b97c3b9c6a6e"; + }; + services.beszel.agent.environment = { + EXTRA_FILESYSTEMS = "sda__Media"; + }; + }) nixarr.nixosModules.default ./hardware-configuration.nix diff --git a/hosts/h001/mods/openbao.nix b/hosts/h001/mods/openbao.nix index 0e600754..62480d21 100644 --- a/hosts/h001/mods/openbao.nix +++ b/hosts/h001/mods/openbao.nix @@ -1,5 +1,4 @@ { - config, pkgs, ... }: 
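Review bot: Switching to `common.url = "path:../../flakes/common";` drops the pinned `rev`/`narHash` for that input (the flake.lock hunk at `@@ -79,20 +79,14 @@` now records it as `"type": "path"`), so a build of this host follows whatever is in the working tree rather than a locked revision, while `secrets` and `beszel` in the same hunk stay on their git URLs. The surviving comment `# Use relative to get current version for testing` reads as if this is a temporary toggle; if the path form is meant to ship, a comment next to the line such as `# common is built from the working tree; re-lock before deploying from a clean clone` would make the intent explicit. The enclosing `inputs` set starts and ends outside the hunk.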
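Review bot: The re-indented beszel module carries a literal token into the new lines at `token = "20208198-87c2-4bd1-ab09-b97c3b9c6a6e";`; if that is a live agent token it ends up in the world-readable Nix store on the host and in git history, whereas the flake already pulls a `secrets` input that is presumably the intended home for such values. If the value is a placeholder, a comment saying so (`# placeholder; the real token comes from the secrets flake`) would settle the question for the next reader. The enclosing `modules` list starts and ends outside the hunk.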
@@ -71,62 +70,84 @@ # AUTO UNSEAL systemd.services.openbao-auto-unseal = { description = "Auto-unseal OpenBao using stored unseal key shares"; + partOf = [ "openbao.service" ]; after = [ "openbao.service" ]; wants = [ "openbao.service" ]; - # Run once at boot; doesn't restart + wantedBy = [ "multi-user.target" "openbao.service" ]; + path = [ + pkgs.openbao + pkgs.gnugrep + ]; + environment = { + BAO_ADDR = "http://127.0.0.1:8200"; + }; + serviceConfig = { Type = "oneshot"; - # run as the same user as the openbao service - # User = config.systemd.services.openbao.User; - # Group = config.systemd.services.openbao.Group; - # /run/keys/... are usually readable by root only; you might prefer to run as root User = "root"; Group = "root"; - # Only needs network access to 127.0.0.1 PrivateTmp = true; ProtectSystem = "strict"; ProtectHome = true; - ReadOnlyPaths = [ "/" ]; - # allow reading /run/keys and talking to localhost - ReadWritePaths = [ "/run" ]; + ReadOnlyPaths = [ "/bao-keys" ]; NoNewPrivileges = true; ExecStart = pkgs.writeShellScript "openbao-auto-unseal" '' #!/usr/bin/env bash - set -euo pipefail + echo "Auto-unseal: waiting for OpenBao to be reachable" - export BAO_ADDR="http://127.0.0.1:8200" - - # Wait for OpenBao to be listening - # (systemd "after" ensures start order but not readiness) + # Wait for OpenBao to be listening & initialized for i in {1..30}; do - if bao status >/dev/null 2>&1; then + BAO_STATUS=$(bao status 2>/dev/null); + # echo "Current status:" + # echo "$BAO_STATUS" + + # Check if initialized + if grep -qi 'initialized.*true' <<< "$BAO_STATUS"; then + echo "OpenBao is initialized" break fi sleep 1 done + # Check again; if still not initialized, bail + BAO_STATUS=$(bao status 2>/dev/null); + if ! 
grep -qi 'initialized.*true' <<< "$BAO_STATUS"; then + echo "OpenBao is not initialized yet; skipping auto-unseal" >&2 + exit 1 + fi + # If it's already unsealed, exit - if bao status 2>/dev/null | grep -q 'sealed *false'; then + if grep -qi 'sealed.*false' <<< "$BAO_STATUS"; then + echo "OpenBao already unsealed; nothing to do" exit 0 fi + echo "OpenBao is sealed; applying unseal key shares" + # Apply each unseal key share; ignore "already unsealed" errors - # TODO change this back to /run/agenix instead of /root/bao-keys - for key in /root/bao-keys/openbao-unseal-*; do + for key in /bao-keys/openbao-unseal-*; do if [ -f "$key" ]; then + echo "Unsealing with key $key" bao operator unseal "$(cat "$key")" || true fi done - # Check final status; fail if still sealed - if bao status 2>/dev/null | grep -q 'sealed *true'; then + # Final status check + if ! BAO_STATUS=$(bao status 2>/dev/null); then + echo "OpenBao not responding after unseal attempts" >&2 + exit 1 + fi + # echo "Final status:" + # echo "$BAO_STATUS" + if grep -qi 'sealed.*true' <<< "$BAO_STATUS"; then echo "OpenBao is still sealed after applying unseal keys" >&2 exit 1 fi + + echo "Successfully unsealed OpenBao" ''; }; - wantedBy = [ "multi-user.target" ]; }; }
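Review bot: Each unseal share is passed on the command line at `bao operator unseal "$(cat "$key")" || true`, so for the duration of that call the share is visible to every local process through the argument list; feeding it on stdin instead, `bao operator unseal < "$key" || true` (the CLI prompts for the share when no argument is given — worth confirming on the OpenBao build in use), keeps it out of argv. The final `if ! BAO_STATUS=$(bao status 2>/dev/null); then` branch also looks like it fires whenever the server is still sealed, since the Vault-style CLI appears to return a non-zero exit code (2) for a sealed server rather than only on errors, which makes the more specific "still sealed" message below it unreachable; testing for empty output first, `BAO_STATUS=$(bao status 2>/dev/null); if [ -z "$BAO_STATUS" ]; then`, keeps both diagnostics reachable. With the `TODO change this back to /run/agenix` comment gone, a comment next to `ReadOnlyPaths = [ "/bao-keys" ];` stating who provisions that directory and the mode expected on the share files would document the decision to keep plaintext shares on the root filesystem.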