openbao auto unseal

flakes/common/nix_modules/timezone_auto.nix

@@ -1,17 +1,4 @@
-{
-  ...
-}:
 {
   time.timeZone = null;
   services.automatic-timezoned.enable = true;
-
-    # Add a polkit rule so automatic-timezoned can change timezone
-  security.polkit.extraConfig = ''
-    polkit.addRule(function(action, subject) {
-      if (action.id == "org.freedesktop.timedate1.set-timezone" &&
-          subject.isInGroup("wheel")) {
-        return polkit.Result.YES;
-      }
-    });
-  '';
 }

flakes/common/nix_modules/timezone_chi.nix

@@ -0,0 +1,3 @@
+{
+  time.timeZone = "America/Chicago";
+}

hosts/h001/flake.lock

@@ -79,20 +79,14 @@
     },
     "common": {
       "locked": {
-        "dir": "flakes/common",
+        "path": "../../flakes/common",
-        "lastModified": 1764895175,
+        "type": "path"
-        "narHash": "sha256-JnPCzQPJNIMeSB6FLgJ2N91p4smErwZSxpbsfmUEqfA=",
-        "ref": "refs/heads/master",
-        "rev": "457c53203dcc145b1b6df19be400ad426b9e06f0",
-        "revCount": 846,
-        "type": "git",
-        "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
       },
       "original": {
-        "dir": "flakes/common",
+        "path": "../../flakes/common",
-        "type": "git",
+        "type": "path"
-        "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
+      },
-      }
+      "parent": []
     },
     "crane": {
       "locked": {
@@ -295,11 +289,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1764677808,
+        "lastModified": 1764983851,
-        "narHash": "sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0=",
+        "narHash": "sha256-y7RPKl/jJ/KAP/VKLMghMgXTlvNIJMHKskl8/Uuar7o=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "1aab89277eb2d87823d5b69bae631a2496cff57a",
+        "rev": "d9bc5c7dceb30d8d6fafa10aeb6aa8a48c218454",
         "type": "github"
       },
       "original": {
@@ -311,11 +305,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1764040936,
+        "lastModified": 1764776358,
-        "narHash": "sha256-d1NFBVGQZ/Xb0pMviuzenqrfXymJs0m/pKrEg1tDGsE=",
+        "narHash": "sha256-MxXSCRiV7DI5U3Ra1UxVJTTUyKsONAE8+8QdSXsGIhA=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "b9491974f02dadeb5acca22649ccbd89a6a81afb",
+        "rev": "0b8cec1eb2241336971009cdd4af641b930d0d97",
         "type": "github"
       },
       "original": {
@@ -407,11 +401,11 @@
     "nvim_plugin-MeanderingProgrammer/render-markdown.nvim": {
       "flake": false,
       "locked": {
-        "lastModified": 1763430554,
+        "lastModified": 1764732647,
-        "narHash": "sha256-0DwPuzqR+7R4lJFQ9f2xN26YhdQKg85Hw6+bPvloZoc=",
+        "narHash": "sha256-jya61X22LbcT4hpeio3qE/oOI/lvqKpf09oGEHHvQdA=",
         "owner": "MeanderingProgrammer",
         "repo": "render-markdown.nvim",
-        "rev": "6e0e8902dac70fecbdd8ce557d142062a621ec38",
+        "rev": "b2b135347e299ffbf7f4123fb7811899b0c9f4b8",
         "type": "github"
       },
       "original": {
@@ -487,11 +481,11 @@
     "nvim_plugin-b0o/schemastore.nvim": {
       "flake": false,
       "locked": {
-        "lastModified": 1763748041,
+        "lastModified": 1764655248,
-        "narHash": "sha256-4KKj1zp+5Z2zbC31hpvw73BIuf4dW7rimepGOggmUp4=",
+        "narHash": "sha256-9nUBzwbMkzLySMW/Y0EkFpvFgHeW5YDQ3J3moVQarjQ=",
         "owner": "b0o",
         "repo": "schemastore.nvim",
-        "rev": "aa25399c48236b77af71d4b64cdf157d2ba4e990",
+        "rev": "e9c00ea7813006dfa29f35c174f83f0184d45a93",
         "type": "github"
       },
       "original": {
@@ -503,11 +497,11 @@
     "nvim_plugin-catppuccin/nvim": {
       "flake": false,
       "locked": {
-        "lastModified": 1763995197,
+        "lastModified": 1764084803,
-        "narHash": "sha256-i4WmQzSNWeR5rh61yonzR55yyklJ3xOL8D/XyEnDa+E=",
+        "narHash": "sha256-ds+Rm9H00s++RC1dH4OQpCg1FXSm4HuwDGzr4ah0YBU=",
         "owner": "catppuccin",
         "repo": "nvim",
-        "rev": "180e0435707cf1fed09a98a9739e5807d92b69be",
+        "rev": "ce4a8e0d5267e67056f9f4dcf6cb1d0933c8ca00",
         "type": "github"
       },
       "original": {
@@ -519,11 +513,11 @@
     "nvim_plugin-chrisgrieser/nvim-early-retirement": {
       "flake": false,
       "locked": {
-        "lastModified": 1764013541,
+        "lastModified": 1764104935,
-        "narHash": "sha256-Mzz1y7YYTYUWv9S/Yr26to7AuDCZ+9asHa3qzDz06D0=",
+        "narHash": "sha256-mvs0uIoxidy3jfC6oymwhaZVRbJrW+/kuMcIpR8TI6M=",
         "owner": "chrisgrieser",
         "repo": "nvim-early-retirement",
-        "rev": "6fb7d87a965e439cfb4e04a5c0e5038010fc015b",
+        "rev": "cd29cf40af7473530a8598245ba1d348fd5e1fa0",
         "type": "github"
       },
       "original": {
@@ -695,11 +689,11 @@
     "nvim_plugin-lewis6991/gitsigns.nvim": {
       "flake": false,
       "locked": {
-        "lastModified": 1763280728,
+        "lastModified": 1764322768,
-        "narHash": "sha256-w2/osNJwbtmUxxQIXBsyqMYrvyNUaVzXrUNGYqGmzi4=",
+        "narHash": "sha256-w3Q7nMFEbcjP6RmSTONg2Nw1dBXDEHnjQ69FuAPJRD8=",
         "owner": "lewis6991",
         "repo": "gitsigns.nvim",
-        "rev": "cdafc320f03f2572c40ab93a4eecb733d4016d07",
+        "rev": "5813e4878748805f1518cee7abb50fd7205a3a48",
         "type": "github"
       },
       "original": {
@@ -791,11 +785,11 @@
     "nvim_plugin-mrcjkb/rustaceanvim": {
       "flake": false,
       "locked": {
-        "lastModified": 1763539887,
+        "lastModified": 1764542305,
-        "narHash": "sha256-aMyjQEEY6MlTBMMxjR6NxNhdbWmvRhOcfpgE1w712nE=",
+        "narHash": "sha256-t7xAQ9sczLyA1zODmD+nEuWuLnhrfSOoPu/4G/YTGdU=",
         "owner": "mrcjkb",
         "repo": "rustaceanvim",
-        "rev": "6b7e0e18ad8fa0598bc038aef7bb6bba288adbad",
+        "rev": "6c3785d6a230bec63f70c98bf8e2842bed924245",
         "type": "github"
       },
       "original": {
@@ -807,11 +801,11 @@
     "nvim_plugin-neovim/nvim-lspconfig": {
       "flake": false,
       "locked": {
-        "lastModified": 1763880753,
+        "lastModified": 1764477618,
-        "narHash": "sha256-huuWVUKo6CmxjXYRnGv8tUs+7bo85gNyL8vVnreiTAU=",
+        "narHash": "sha256-IpVDEOr//Jy+r3Z5Qo8nxDa3fNO+BTBKzAmbqvxtCQE=",
         "owner": "neovim",
         "repo": "nvim-lspconfig",
-        "rev": "30a2b191bccf541ce1797946324c9329e90ec448",
+        "rev": "effe4bf2e1afb881ea67291c648b68dd3dfc927a",
         "type": "github"
       },
       "original": {
@@ -919,11 +913,11 @@
     "nvim_plugin-nvim-telescope/telescope.nvim": {
       "flake": false,
       "locked": {
-        "lastModified": 1763414201,
+        "lastModified": 1764418954,
-        "narHash": "sha256-6hrylUCc6KlcbnMgcJNJhbX2Cgu0YHKoMPOqpaKRljE=",
+        "narHash": "sha256-e6XSJRv4KB0z+nzGWmlV/YZNwWsyrrpQTloePRKWmw4=",
         "owner": "nvim-telescope",
         "repo": "telescope.nvim",
-        "rev": "83a3a713d6b2d2a408491a1b959e55a7fa8678e8",
+        "rev": "e69b434b968a33815e2f02a5c7bd7b8dd4c7d4b2",
         "type": "github"
       },
       "original": {
@@ -935,11 +929,11 @@
     "nvim_plugin-nvim-tree/nvim-tree.lua": {
       "flake": false,
       "locked": {
-        "lastModified": 1763712665,
+        "lastModified": 1764713359,
-        "narHash": "sha256-YwaWMPQ3IC+z/utnkZ1Tfs5tZFex9Gdf/vS9sUaMDCA=",
+        "narHash": "sha256-dSaO5esPKj1y4vNyLb3AK9egmFJsmWxkGOT+etJsbRA=",
         "owner": "nvim-tree",
         "repo": "nvim-tree.lua",
-        "rev": "3fb91e18a727ecc0385637895ec397dea90be42a",
+        "rev": "59088b96a32ea47caf4976e164dbd88b86447fb7",
         "type": "github"
       },
       "original": {
@@ -1079,11 +1073,11 @@
     "nvim_plugin-stevearc/conform.nvim": {
       "flake": false,
       "locked": {
-        "lastModified": 1763939276,
+        "lastModified": 1764743081,
-        "narHash": "sha256-2TLMJdbSbMbdGn6zhZwNSUZnxVGu+Y0ZYhTjinTc7Hs=",
+        "narHash": "sha256-qCjrMt3fsRbLr/iM7nFHG7oKtyTTGcse4/cJbm3odJE=",
         "owner": "stevearc",
         "repo": "conform.nvim",
-        "rev": "6208aefd675939cc7c8f1a57176135974dad269f",
+        "rev": "ffe26e8df8115c9665d24231f8a49fadb2d611ce",
         "type": "github"
       },
       "original": {
@@ -1191,11 +1185,11 @@
     "nvim_plugin-zbirenbaum/copilot.lua": {
       "flake": false,
       "locked": {
-        "lastModified": 1763512274,
+        "lastModified": 1764638966,
-        "narHash": "sha256-NMIXOb/20aEmXvPgSDPzVuRIV+OUnJyfXVaVEuVAaTM=",
+        "narHash": "sha256-wQ6SfAunVMd5tNeM7RMvrfPC2ELRibyEQboVQlU/fBs=",
         "owner": "zbirenbaum",
         "repo": "copilot.lua",
-        "rev": "4383e05a47493d7ff77b058c0548129eb38ec7fb",
+        "rev": "881f99b827d65b41f522eecc21b112cf518028ac",
         "type": "github"
       },
       "original": {
@@ -1354,11 +1348,11 @@
         "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1764112623,
+        "lastModified": 1764777428,
-        "narHash": "sha256-IBjor1S6fq2nwmzi7sRwJg6mRFlO9qwA1OhJhyHvwlw=",
+        "narHash": "sha256-wFfPnXo1P+NwSK+Y7xYVwt0mbYhe9uBrf80T5KpBV5Q=",
         "ref": "refs/heads/master",
-        "rev": "d85f1e831e400b2d1ea574fe6e40deba39d4d750",
+        "rev": "ee642c429fced7d51c5f9c9694034f6222a1186f",
-        "revCount": 323,
+        "revCount": 324,
         "type": "git",
         "url": "https://git.joshuabell.xyz/ringofstorms/nvim"
       },
@@ -1375,11 +1369,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1764038373,
+        "lastModified": 1764729618,
-        "narHash": "sha256-M6w2wNBRelcavoDAyFL2iO4NeWknD40ASkH1S3C0YGM=",
+        "narHash": "sha256-z4RA80HCWv2los1KD346c+PwNPzMl79qgl7bCVgz8X0=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "ab3536fe850211a96673c6ffb2cb88aab8071cc9",
+        "rev": "52764074a85145d5001bf0aa30cb71936e9ad5b8",
         "type": "github"
       },
       "original": {

hosts/h001/flake.nix

@@ -15,8 +15,8 @@
     n8n-nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
 
     # Use relative to get current version for testing
-    # common.url = "path:../../flakes/common";
+    common.url = "path:../../flakes/common";
-    common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/common";
+    # common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/common";
     # secrets.url = "path:../../flakes/secrets";
     secrets.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/secrets";
     # beszel.url = "path:../../flakes/beszel";
@@ -57,12 +57,9 @@
 
               secrets.nixosModules.default
               ros_neovim.nixosModules.default
-              (
+              ({
-                { ... }:
-                {
                 ringofstorms-nvim.includeAllRuntimeDependencies = true;
-                }
+              })
-              )
 
               common.nixosModules.essentials
               common.nixosModules.git
@@ -71,14 +68,12 @@
               common.nixosModules.nix_options
               common.nixosModules.podman
               common.nixosModules.tailnet
-              common.nixosModules.timezone_auto
+              common.nixosModules.timezone_chi
               common.nixosModules.tty_caps_esc
               common.nixosModules.zsh
 
               beszel.nixosModules.agent
-              (
+              ({
-                { ... }:
-                {
                 beszelAgent = {
                   listen = "${overlayIp}:45876";
                   token = "20208198-87c2-4bd1-ab09-b97c3b9c6a6e";
@@ -86,8 +81,7 @@
                 services.beszel.agent.environment = {
                   EXTRA_FILESYSTEMS = "sda__Media";
                 };
-                }
+              })
-              )
 
               nixarr.nixosModules.default
               ./hardware-configuration.nix

hosts/h001/mods/openbao.nix

@@ -1,5 +1,4 @@
 {
-  config,
   pkgs,
   ...
 }:
@@ -71,62 +70,84 @@
   # AUTO UNSEAL
   systemd.services.openbao-auto-unseal = {
     description = "Auto-unseal OpenBao using stored unseal key shares";
+    partOf = [ "openbao.service" ];
     after = [ "openbao.service" ];
     wants = [ "openbao.service" ];
-    # Run once at boot; doesn't restart
+    wantedBy = [ "multi-user.target" "openbao.service" ];
+    path = [
+      pkgs.openbao
+      pkgs.gnugrep
+    ];
+    environment = {
+      BAO_ADDR = "http://127.0.0.1:8200";
+    };
+
     serviceConfig = {
       Type = "oneshot";
-      # run as the same user as the openbao service
-      # User = config.systemd.services.openbao.User;
-      # Group = config.systemd.services.openbao.Group;
-      # /run/keys/... are usually readable by root only; you might prefer to run as root
       User = "root";
       Group = "root";
 
-      # Only needs network access to 127.0.0.1
       PrivateTmp = true;
       ProtectSystem = "strict";
       ProtectHome = true;
-      ReadOnlyPaths = [ "/" ];
+      ReadOnlyPaths = [ "/bao-keys" ];
-      # allow reading /run/keys and talking to localhost
-      ReadWritePaths = [ "/run" ];
       NoNewPrivileges = true;
 
       ExecStart = pkgs.writeShellScript "openbao-auto-unseal" ''
         #!/usr/bin/env bash
-        set -euo pipefail
+        echo "Auto-unseal: waiting for OpenBao to be reachable"
 
-        export BAO_ADDR="http://127.0.0.1:8200"
+        # Wait for OpenBao to be listening & initialized
-
-        # Wait for OpenBao to be listening
-        # (systemd "after" ensures start order but not readiness)
         for i in {1..30}; do
-          if bao status >/dev/null 2>&1; then
+          BAO_STATUS=$(bao status 2>/dev/null);
+          # echo "Current status:"
+          # echo "$BAO_STATUS"
+
+          # Check if initialized
+          if grep -qi 'initialized.*true' <<< "$BAO_STATUS"; then
+            echo "OpenBao is initialized"
             break
           fi
           sleep 1
         done
 
+        # Check again; if still not initialized, bail
+        BAO_STATUS=$(bao status 2>/dev/null);
+        if ! grep -qi 'initialized.*true' <<< "$BAO_STATUS"; then
+          echo "OpenBao is not initialized yet; skipping auto-unseal" >&2
+          exit 1
+        fi
+
         # If it's already unsealed, exit
-        if bao status 2>/dev/null | grep -q 'sealed *false'; then
+        if grep -qi 'sealed.*false' <<< "$BAO_STATUS"; then
+          echo "OpenBao already unsealed; nothing to do"
           exit 0
         fi
 
+        echo "OpenBao is sealed; applying unseal key shares"
+
         # Apply each unseal key share; ignore "already unsealed" errors
-        # TODO change this back to /run/agenix instead of /root/bao-keys
+        for key in /bao-keys/openbao-unseal-*; do
-        for key in /root/bao-keys/openbao-unseal-*; do
           if [ -f "$key" ]; then
+            echo "Unsealing with key $key"
             bao operator unseal "$(cat "$key")" || true
           fi
         done
 
-        # Check final status; fail if still sealed
+        # Final status check
-        if bao status 2>/dev/null | grep -q 'sealed *true'; then
+        if ! BAO_STATUS=$(bao status 2>/dev/null); then
+          echo "OpenBao not responding after unseal attempts" >&2
+          exit 1
+        fi
+        # echo "Final status:"
+        # echo "$BAO_STATUS"
+        if grep -qi 'sealed.*true' <<< "$BAO_STATUS"; then
           echo "OpenBao is still sealed after applying unseal keys" >&2
           exit 1
         fi
+
+        echo "Successfully unsealed OpenBao"
       '';
     };
-    wantedBy = [ "multi-user.target" ];
   };
 }