openbao auto unseal

2025-12-08 10:55:35 -06:00 · 2025-12-08 10:55:35 -06:00 · b7330b4c09
commit b7330b4c09
parent 1b4a53b10e
5 changed files with 113 additions and 114 deletions
--- a/flakes/common/nix_modules/timezone_auto.nix
+++ b/flakes/common/nix_modules/timezone_auto.nix
@ -1,17 +1,4 @@
-{
-  ...
-}:
 {
  time.timeZone = null;
  services.automatic-timezoned.enable = true;
-
-    # Add a polkit rule so automatic-timezoned can change timezone
-  security.polkit.extraConfig = ''
-    polkit.addRule(function(action, subject) {
-      if (action.id == "org.freedesktop.timedate1.set-timezone" &&
-          subject.isInGroup("wheel")) {
-        return polkit.Result.YES;
-      }
-    });
-  '';
 }
--- a/flakes/common/nix_modules/timezone_chi.nix
+++ b/flakes/common/nix_modules/timezone_chi.nix
@ -0,0 +1,3 @@
+{
+  time.timeZone = "America/Chicago";
+}
--- a/hosts/h001/flake.lock
+++ b/hosts/h001/flake.lock
@ -79,20 +79,14 @@
    },
    "common": {
      "locked": {
-        "dir": "flakes/common",
-        "lastModified": 1764895175,
-        "narHash": "sha256-JnPCzQPJNIMeSB6FLgJ2N91p4smErwZSxpbsfmUEqfA=",
-        "ref": "refs/heads/master",
-        "rev": "457c53203dcc145b1b6df19be400ad426b9e06f0",
-        "revCount": 846,
-        "type": "git",
-        "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
+        "path": "../../flakes/common",
+        "type": "path"
      },
      "original": {
-        "dir": "flakes/common",
-        "type": "git",
-        "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
-      }
+        "path": "../../flakes/common",
+        "type": "path"
+      },
+      "parent": []
    },
    "crane": {
      "locked": {
@ -295,11 +289,11 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1764677808,
-        "narHash": "sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0=",
+        "lastModified": 1764983851,
+        "narHash": "sha256-y7RPKl/jJ/KAP/VKLMghMgXTlvNIJMHKskl8/Uuar7o=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "1aab89277eb2d87823d5b69bae631a2496cff57a",
+        "rev": "d9bc5c7dceb30d8d6fafa10aeb6aa8a48c218454",
        "type": "github"
      },
      "original": {
@ -311,11 +305,11 @@
    },
    "nixpkgs_4": {
      "locked": {
-        "lastModified": 1764040936,
-        "narHash": "sha256-d1NFBVGQZ/Xb0pMviuzenqrfXymJs0m/pKrEg1tDGsE=",
+        "lastModified": 1764776358,
+        "narHash": "sha256-MxXSCRiV7DI5U3Ra1UxVJTTUyKsONAE8+8QdSXsGIhA=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "b9491974f02dadeb5acca22649ccbd89a6a81afb",
+        "rev": "0b8cec1eb2241336971009cdd4af641b930d0d97",
        "type": "github"
      },
      "original": {
@ -407,11 +401,11 @@
    "nvim_plugin-MeanderingProgrammer/render-markdown.nvim": {
      "flake": false,
      "locked": {
-        "lastModified": 1763430554,
-        "narHash": "sha256-0DwPuzqR+7R4lJFQ9f2xN26YhdQKg85Hw6+bPvloZoc=",
+        "lastModified": 1764732647,
+        "narHash": "sha256-jya61X22LbcT4hpeio3qE/oOI/lvqKpf09oGEHHvQdA=",
        "owner": "MeanderingProgrammer",
        "repo": "render-markdown.nvim",
-        "rev": "6e0e8902dac70fecbdd8ce557d142062a621ec38",
+        "rev": "b2b135347e299ffbf7f4123fb7811899b0c9f4b8",
        "type": "github"
      },
      "original": {
@ -487,11 +481,11 @@
    "nvim_plugin-b0o/schemastore.nvim": {
      "flake": false,
      "locked": {
-        "lastModified": 1763748041,
-        "narHash": "sha256-4KKj1zp+5Z2zbC31hpvw73BIuf4dW7rimepGOggmUp4=",
+        "lastModified": 1764655248,
+        "narHash": "sha256-9nUBzwbMkzLySMW/Y0EkFpvFgHeW5YDQ3J3moVQarjQ=",
        "owner": "b0o",
        "repo": "schemastore.nvim",
-        "rev": "aa25399c48236b77af71d4b64cdf157d2ba4e990",
+        "rev": "e9c00ea7813006dfa29f35c174f83f0184d45a93",
        "type": "github"
      },
      "original": {
@ -503,11 +497,11 @@
    "nvim_plugin-catppuccin/nvim": {
      "flake": false,
      "locked": {
-        "lastModified": 1763995197,
-        "narHash": "sha256-i4WmQzSNWeR5rh61yonzR55yyklJ3xOL8D/XyEnDa+E=",
+        "lastModified": 1764084803,
+        "narHash": "sha256-ds+Rm9H00s++RC1dH4OQpCg1FXSm4HuwDGzr4ah0YBU=",
        "owner": "catppuccin",
        "repo": "nvim",
-        "rev": "180e0435707cf1fed09a98a9739e5807d92b69be",
+        "rev": "ce4a8e0d5267e67056f9f4dcf6cb1d0933c8ca00",
        "type": "github"
      },
      "original": {
@ -519,11 +513,11 @@
    "nvim_plugin-chrisgrieser/nvim-early-retirement": {
      "flake": false,
      "locked": {
-        "lastModified": 1764013541,
-        "narHash": "sha256-Mzz1y7YYTYUWv9S/Yr26to7AuDCZ+9asHa3qzDz06D0=",
+        "lastModified": 1764104935,
+        "narHash": "sha256-mvs0uIoxidy3jfC6oymwhaZVRbJrW+/kuMcIpR8TI6M=",
        "owner": "chrisgrieser",
        "repo": "nvim-early-retirement",
-        "rev": "6fb7d87a965e439cfb4e04a5c0e5038010fc015b",
+        "rev": "cd29cf40af7473530a8598245ba1d348fd5e1fa0",
        "type": "github"
      },
      "original": {
@ -695,11 +689,11 @@
    "nvim_plugin-lewis6991/gitsigns.nvim": {
      "flake": false,
      "locked": {
-        "lastModified": 1763280728,
-        "narHash": "sha256-w2/osNJwbtmUxxQIXBsyqMYrvyNUaVzXrUNGYqGmzi4=",
+        "lastModified": 1764322768,
+        "narHash": "sha256-w3Q7nMFEbcjP6RmSTONg2Nw1dBXDEHnjQ69FuAPJRD8=",
        "owner": "lewis6991",
        "repo": "gitsigns.nvim",
-        "rev": "cdafc320f03f2572c40ab93a4eecb733d4016d07",
+        "rev": "5813e4878748805f1518cee7abb50fd7205a3a48",
        "type": "github"
      },
      "original": {
@ -791,11 +785,11 @@
    "nvim_plugin-mrcjkb/rustaceanvim": {
      "flake": false,
      "locked": {
-        "lastModified": 1763539887,
-        "narHash": "sha256-aMyjQEEY6MlTBMMxjR6NxNhdbWmvRhOcfpgE1w712nE=",
+        "lastModified": 1764542305,
+        "narHash": "sha256-t7xAQ9sczLyA1zODmD+nEuWuLnhrfSOoPu/4G/YTGdU=",
        "owner": "mrcjkb",
        "repo": "rustaceanvim",
-        "rev": "6b7e0e18ad8fa0598bc038aef7bb6bba288adbad",
+        "rev": "6c3785d6a230bec63f70c98bf8e2842bed924245",
        "type": "github"
      },
      "original": {
@ -807,11 +801,11 @@
    "nvim_plugin-neovim/nvim-lspconfig": {
      "flake": false,
      "locked": {
-        "lastModified": 1763880753,
-        "narHash": "sha256-huuWVUKo6CmxjXYRnGv8tUs+7bo85gNyL8vVnreiTAU=",
+        "lastModified": 1764477618,
+        "narHash": "sha256-IpVDEOr//Jy+r3Z5Qo8nxDa3fNO+BTBKzAmbqvxtCQE=",
        "owner": "neovim",
        "repo": "nvim-lspconfig",
-        "rev": "30a2b191bccf541ce1797946324c9329e90ec448",
+        "rev": "effe4bf2e1afb881ea67291c648b68dd3dfc927a",
        "type": "github"
      },
      "original": {
@ -919,11 +913,11 @@
    "nvim_plugin-nvim-telescope/telescope.nvim": {
      "flake": false,
      "locked": {
-        "lastModified": 1763414201,
-        "narHash": "sha256-6hrylUCc6KlcbnMgcJNJhbX2Cgu0YHKoMPOqpaKRljE=",
+        "lastModified": 1764418954,
+        "narHash": "sha256-e6XSJRv4KB0z+nzGWmlV/YZNwWsyrrpQTloePRKWmw4=",
        "owner": "nvim-telescope",
        "repo": "telescope.nvim",
-        "rev": "83a3a713d6b2d2a408491a1b959e55a7fa8678e8",
+        "rev": "e69b434b968a33815e2f02a5c7bd7b8dd4c7d4b2",
        "type": "github"
      },
      "original": {
@ -935,11 +929,11 @@
    "nvim_plugin-nvim-tree/nvim-tree.lua": {
      "flake": false,
      "locked": {
-        "lastModified": 1763712665,
-        "narHash": "sha256-YwaWMPQ3IC+z/utnkZ1Tfs5tZFex9Gdf/vS9sUaMDCA=",
+        "lastModified": 1764713359,
+        "narHash": "sha256-dSaO5esPKj1y4vNyLb3AK9egmFJsmWxkGOT+etJsbRA=",
        "owner": "nvim-tree",
        "repo": "nvim-tree.lua",
-        "rev": "3fb91e18a727ecc0385637895ec397dea90be42a",
+        "rev": "59088b96a32ea47caf4976e164dbd88b86447fb7",
        "type": "github"
      },
      "original": {
@ -1079,11 +1073,11 @@
    "nvim_plugin-stevearc/conform.nvim": {
      "flake": false,
      "locked": {
-        "lastModified": 1763939276,
-        "narHash": "sha256-2TLMJdbSbMbdGn6zhZwNSUZnxVGu+Y0ZYhTjinTc7Hs=",
+        "lastModified": 1764743081,
+        "narHash": "sha256-qCjrMt3fsRbLr/iM7nFHG7oKtyTTGcse4/cJbm3odJE=",
        "owner": "stevearc",
        "repo": "conform.nvim",
-        "rev": "6208aefd675939cc7c8f1a57176135974dad269f",
+        "rev": "ffe26e8df8115c9665d24231f8a49fadb2d611ce",
        "type": "github"
      },
      "original": {
@ -1191,11 +1185,11 @@
    "nvim_plugin-zbirenbaum/copilot.lua": {
      "flake": false,
      "locked": {
-        "lastModified": 1763512274,
-        "narHash": "sha256-NMIXOb/20aEmXvPgSDPzVuRIV+OUnJyfXVaVEuVAaTM=",
+        "lastModified": 1764638966,
+        "narHash": "sha256-wQ6SfAunVMd5tNeM7RMvrfPC2ELRibyEQboVQlU/fBs=",
        "owner": "zbirenbaum",
        "repo": "copilot.lua",
-        "rev": "4383e05a47493d7ff77b058c0548129eb38ec7fb",
+        "rev": "881f99b827d65b41f522eecc21b112cf518028ac",
        "type": "github"
      },
      "original": {
@ -1354,11 +1348,11 @@
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1764112623,
-        "narHash": "sha256-IBjor1S6fq2nwmzi7sRwJg6mRFlO9qwA1OhJhyHvwlw=",
+        "lastModified": 1764777428,
+        "narHash": "sha256-wFfPnXo1P+NwSK+Y7xYVwt0mbYhe9uBrf80T5KpBV5Q=",
        "ref": "refs/heads/master",
-        "rev": "d85f1e831e400b2d1ea574fe6e40deba39d4d750",
-        "revCount": 323,
+        "rev": "ee642c429fced7d51c5f9c9694034f6222a1186f",
+        "revCount": 324,
        "type": "git",
        "url": "https://git.joshuabell.xyz/ringofstorms/nvim"
      },
@ -1375,11 +1369,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1764038373,
-        "narHash": "sha256-M6w2wNBRelcavoDAyFL2iO4NeWknD40ASkH1S3C0YGM=",
+        "lastModified": 1764729618,
+        "narHash": "sha256-z4RA80HCWv2los1KD346c+PwNPzMl79qgl7bCVgz8X0=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "ab3536fe850211a96673c6ffb2cb88aab8071cc9",
+        "rev": "52764074a85145d5001bf0aa30cb71936e9ad5b8",
        "type": "github"
      },
      "original": {
--- a/hosts/h001/flake.nix
+++ b/hosts/h001/flake.nix
@ -15,8 +15,8 @@
    n8n-nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";

    # Use relative to get current version for testing
-    # common.url = "path:../../flakes/common";
-    common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/common";
+    common.url = "path:../../flakes/common";
+    # common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/common";
    # secrets.url = "path:../../flakes/secrets";
    secrets.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/secrets";
    # beszel.url = "path:../../flakes/beszel";
@ -57,12 +57,9 @@

              secrets.nixosModules.default
              ros_neovim.nixosModules.default
-              (
-                { ... }:
-                {
+              ({
                ringofstorms-nvim.includeAllRuntimeDependencies = true;
-                }
-              )
+              })

              common.nixosModules.essentials
              common.nixosModules.git
@ -71,14 +68,12 @@
              common.nixosModules.nix_options
              common.nixosModules.podman
              common.nixosModules.tailnet
-              common.nixosModules.timezone_auto
+              common.nixosModules.timezone_chi
              common.nixosModules.tty_caps_esc
              common.nixosModules.zsh

              beszel.nixosModules.agent
-              (
-                { ... }:
-                {
+              ({
                beszelAgent = {
                  listen = "${overlayIp}:45876";
                  token = "20208198-87c2-4bd1-ab09-b97c3b9c6a6e";
@ -86,8 +81,7 @@
                services.beszel.agent.environment = {
                  EXTRA_FILESYSTEMS = "sda__Media";
                };
-                }
-              )
+              })

              nixarr.nixosModules.default
              ./hardware-configuration.nix
--- a/hosts/h001/mods/openbao.nix
+++ b/hosts/h001/mods/openbao.nix
@ -1,5 +1,4 @@
 {
-  config,
  pkgs,
  ...
 }:
@ -71,62 +70,84 @@
  # AUTO UNSEAL
  systemd.services.openbao-auto-unseal = {
    description = "Auto-unseal OpenBao using stored unseal key shares";
+    partOf = [ "openbao.service" ];
    after = [ "openbao.service" ];
    wants = [ "openbao.service" ];
-    # Run once at boot; doesn't restart
+    wantedBy = [ "multi-user.target" "openbao.service" ];
+    path = [
+      pkgs.openbao
+      pkgs.gnugrep
+    ];
+    environment = {
+      BAO_ADDR = "http://127.0.0.1:8200";
+    };
+
    serviceConfig = {
      Type = "oneshot";
-      # run as the same user as the openbao service
-      # User = config.systemd.services.openbao.User;
-      # Group = config.systemd.services.openbao.Group;
-      # /run/keys/... are usually readable by root only; you might prefer to run as root
      User = "root";
      Group = "root";

-      # Only needs network access to 127.0.0.1
      PrivateTmp = true;
      ProtectSystem = "strict";
      ProtectHome = true;
-      ReadOnlyPaths = [ "/" ];
-      # allow reading /run/keys and talking to localhost
-      ReadWritePaths = [ "/run" ];
+      ReadOnlyPaths = [ "/bao-keys" ];
      NoNewPrivileges = true;

      ExecStart = pkgs.writeShellScript "openbao-auto-unseal" ''
        #!/usr/bin/env bash
-        set -euo pipefail
+        echo "Auto-unseal: waiting for OpenBao to be reachable"

-        export BAO_ADDR="http://127.0.0.1:8200"
-
-        # Wait for OpenBao to be listening
-        # (systemd "after" ensures start order but not readiness)
+        # Wait for OpenBao to be listening & initialized
        for i in {1..30}; do
-          if bao status >/dev/null 2>&1; then
+          BAO_STATUS=$(bao status 2>/dev/null);
+          # echo "Current status:"
+          # echo "$BAO_STATUS"
+
+          # Check if initialized
+          if grep -qi 'initialized.*true' <<< "$BAO_STATUS"; then
+            echo "OpenBao is initialized"
            break
          fi
          sleep 1
        done

+        # Check again; if still not initialized, bail
+        BAO_STATUS=$(bao status 2>/dev/null);
+        if ! grep -qi 'initialized.*true' <<< "$BAO_STATUS"; then
+          echo "OpenBao is not initialized yet; skipping auto-unseal" >&2
+          exit 1
+        fi
+
        # If it's already unsealed, exit
-        if bao status 2>/dev/null | grep -q 'sealed *false'; then
+        if grep -qi 'sealed.*false' <<< "$BAO_STATUS"; then
+          echo "OpenBao already unsealed; nothing to do"
          exit 0
        fi

+        echo "OpenBao is sealed; applying unseal key shares"
+
        # Apply each unseal key share; ignore "already unsealed" errors
-        # TODO change this back to /run/agenix instead of /root/bao-keys
-        for key in /root/bao-keys/openbao-unseal-*; do
+        for key in /bao-keys/openbao-unseal-*; do
          if [ -f "$key" ]; then
+            echo "Unsealing with key $key"
            bao operator unseal "$(cat "$key")" || true
          fi
        done

-        # Check final status; fail if still sealed
-        if bao status 2>/dev/null | grep -q 'sealed *true'; then
+        # Final status check
+        if ! BAO_STATUS=$(bao status 2>/dev/null); then
+          echo "OpenBao not responding after unseal attempts" >&2
+          exit 1
+        fi
+        # echo "Final status:"
+        # echo "$BAO_STATUS"
+        if grep -qi 'sealed.*true' <<< "$BAO_STATUS"; then
          echo "OpenBao is still sealed after applying unseal keys" >&2
          exit 1
        fi
+
+        echo "Successfully unsealed OpenBao"
      '';
    };
-    wantedBy = [ "multi-user.target" ];
  };
 }