Add secrets-bao module and conditional Tailnet headscale auth

This commit is contained in:
RingOfStorms (Joshua Bell) 2026-01-05 17:42:44 -06:00
parent e5e32593b1
commit c1f5677520
5 changed files with 292 additions and 101 deletions


@ -86,59 +86,60 @@
inputs.common.nixosModules.timezone_auto
inputs.common.nixosModules.tty_caps_esc
inputs.common.nixosModules.zsh
# inputs.common.nixosModules.tailnet
inputs.common.nixosModules.tailnet
inputs.common.nixosModules.remote_lio_builds
({
ringofstorms.secretsBao = {
enable = true;
zitadelKeyPath = "/machine-key.json";
openBaoAddr = "https://sec.joshuabell.xyz";
jwtAuthMountPath = "auth/zitadel-jwt";
openBaoRole = "machines";
secrets = {
headscale_auth = {
path = "/run/secrets/headscale_auth";
kvPath = "kv/data/machines/home_roaming/headscale_auth";
field = "value";
};
(
{ config, ... }:
{
nix2github = {
path = "/run/secrets/nix2github";
owner = "josh";
group = "users";
kvPath = "kv/data/machines/home_roaming/nix2github";
field = "private_key";
};
nix2bitbucket = {
path = "/run/secrets/nix2bitbucket";
owner = "josh";
group = "users";
kvPath = "kv/data/machines/home_roaming/nix2bitbucket";
field = "private_key";
};
nix2gitforgejo = {
path = "/run/secrets/nix2gitforgejo";
owner = "josh";
group = "users";
kvPath = "kv/data/machines/home_roaming/nix2gitforgejo";
field = "private_key";
};
nix2lio = {
path = "/run/secrets/nix2lio";
owner = "josh";
group = "users";
kvPath = "kv/data/machines/home_roaming/nix2lio";
field = "private_key";
ringofstorms.secretsBao = {
enable = true;
zitadelKeyPath = "/machine-key.json";
openBaoAddr = "https://sec.joshuabell.xyz";
jwtAuthMountPath = "auth/zitadel-jwt";
openBaoRole = "machines";
zitadelIssuer = "https://sso.joshuabell.xyz";
zitadelProjectId = "344379162166820867";
debugMint = true;
secrets = {
headscale_auth = {
kvPath = "kv/data/machines/home_roaming/headscale_auth";
dependencies = [ "tailscaled" ];
configChanges = { path, ... }: {
services.tailscale.authKeyFile = path;
};
};
nix2github = {
owner = "josh";
group = "users";
kvPath = "kv/data/machines/home_roaming/nix2github";
};
nix2bitbucket = {
owner = "josh";
group = "users";
kvPath = "kv/data/machines/home_roaming/nix2bitbucket";
};
nix2gitforgejo = {
owner = "josh";
group = "users";
kvPath = "kv/data/machines/home_roaming/nix2gitforgejo";
};
nix2lio = {
owner = "josh";
group = "users";
kvPath = "kv/data/machines/home_roaming/nix2lio";
};
};
};
};
systemd.services.tailscaled = {
after = [ "openbao-secret-headscale_auth.service" ];
requires = [ "openbao-secret-headscale_auth.service" ];
};
})
systemd.services.tailscaled = {
after = [ "openbao-secret-headscale_auth.service" ];
requires = [ "openbao-secret-headscale_auth.service" ];
};
}
)
# inputs.beszel.nixosModules.agent
# ({
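Review bot: `debugMint = true;` is committed into the machine's secretsBao configuration next to the production OpenBao address and role; if that flag makes the module log or keep the minted JWT or OpenBao token (the module is not visible here, so this is inferred from the name), the credential would end up in the journal on every boot. Either drop it to `debugMint = false;` once the auth flow is confirmed or add a comment such as `# TODO(review): debugMint left on for bring-up, remove before rollout` so it is not forgotten. The headscale_auth secret now declares `dependencies = [ "tailscaled" ];` while the trailing `systemd.services.tailscaled = { after = ...; requires = ...; };` block repeats the same ordering by hand; if the module's `dependencies` option already emits that ordering, one of the two should go, otherwise a short comment explaining why both are needed would help the next reader. The new module function takes `{ config, ... }:` but `config` is not referenced anywhere in the visible lines, so the argument can be dropped or the conditional the commit title mentions should use it. The enclosing module list starts before this hunk.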