experiment with openbao secrets

This commit is contained in:
RingOfStorms (Joshua Bell) 2026-01-01 13:12:11 -06:00
parent 8fff3be042
commit d923e49c19
4 changed files with 448 additions and 258 deletions


@ -0,0 +1,12 @@
{
description = "Runtime secrets via OpenBao + Zitadel machine key";
inputs = { };
outputs = { ... }:
{
nixosModules = {
default = import ./nixos-module.nix;
};
};
}


@ -0,0 +1,322 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.ringofstorms.secretsBao;
mkJwtMintScript = pkgs.writeShellScript "zitadel-mint-jwt" ''
#!/usr/bin/env bash
set -euo pipefail
key_json="${cfg.zitadelKeyPath}"
kid="$(${pkgs.jq}/bin/jq -r .keyId "$key_json")"
sub="$(${pkgs.jq}/bin/jq -r .userId "$key_json")"
pem_file="$(${pkgs.coreutils}/bin/mktemp)"
trap '${pkgs.coreutils}/bin/rm -f "$pem_file"' EXIT
${pkgs.jq}/bin/jq -r .key "$key_json" >"$pem_file"
${pkgs.coreutils}/bin/chmod 600 "$pem_file"
now="$(${pkgs.coreutils}/bin/date +%s)"
exp="$(( now + ${toString cfg.jwtLifetimeSeconds} ))"
jti="$(${pkgs.openssl}/bin/openssl rand -hex 16)"
header="$(${pkgs.jq}/bin/jq -cn --arg kid "$kid" '{alg:"RS256",typ:"JWT",kid:$kid}')"
payload="$(${pkgs.jq}/bin/jq -cn \
--arg iss "$sub" \
--arg sub "$sub" \
--arg aud "${cfg.zitadelTokenEndpoint}" \
--arg jti "$jti" \
--argjson iat "$now" \
--argjson exp "$exp" \
'{iss:$iss,sub:$sub,aud:$aud,iat:$iat,exp:$exp,jti:$jti}'
)"
b64url() {
${pkgs.openssl}/bin/openssl base64 -A | ${pkgs.gnused}/bin/sed -e 's/+/-/g' -e 's/\//_/g' -e 's/=*$//'
}
h64="$(${pkgs.coreutils}/bin/printf '%s' "$header" | b64url)"
p64="$(${pkgs.coreutils}/bin/printf '%s' "$payload" | b64url)"
sig="$(${pkgs.coreutils}/bin/printf '%s' "$h64.$p64" | ${pkgs.openssl}/bin/openssl dgst -sha256 -sign "$pem_file" | b64url)"
assertion="$h64.$p64.$sig"
${pkgs.curl}/bin/curl -sS -X POST "${cfg.zitadelTokenEndpoint}" \
-H 'content-type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \
--data-urlencode "assertion=$assertion" \
--data-urlencode "scope=${cfg.zitadelScopes}" \
| ${pkgs.jq}/bin/jq -r .access_token
'';
mkAgentConfig = pkgs.writeText "vault-agent.hcl" ''
vault {
address = "${cfg.openBaoAddr}"
}
auto_auth {
method "jwt" {
mount_path = "${cfg.jwtAuthMountPath}"
config = {
role = "${cfg.openBaoRole}"
jwt_file = "${cfg.zitadelJwtPath}"
}
}
sink "file" {
config = {
path = "${cfg.vaultAgentTokenPath}"
mode = 0400
}
}
}
${lib.concatStringsSep "\n\n" (
lib.mapAttrsToList (
name: secret:
let
renderedTemplate =
if secret.template != null then
secret.template
else
''{{- with secret "${secret.kvPath}" -}}{{- .Data.data.${secret.field} -}}{{- end -}}'';
in
''
template {
destination = "${secret.path}"
perms = "${secret.mode}"
contents = <<EOH
${renderedTemplate}
EOH
command = "${pkgs.runtimeShell} -c '${pkgs.coreutils}/bin/chown ${lib.escapeShellArg secret.owner}:${lib.escapeShellArg secret.group} ${lib.escapeShellArg secret.path} && ${pkgs.coreutils}/bin/chmod ${lib.escapeShellArg secret.mode} ${lib.escapeShellArg secret.path}'"
}
''
) cfg.secrets
)}
'';
in
{
options.age.secrets = lib.mkOption {
type = lib.types.attrsOf lib.types.anything;
default = { };
description = "Compatibility shim for modules that expect config.age.secrets.<name>.path.";
};
options.ringofstorms.secretsBao = {
enable = lib.mkEnableOption "Fetch runtime secrets via OpenBao";
zitadelKeyPath = lib.mkOption {
type = lib.types.str;
default = "/machine-key.json";
description = "Path to Zitadel service account key JSON (persistent, root-only).";
};
zitadelTokenEndpoint = lib.mkOption {
type = lib.types.str;
default = "https://sso.joshuabell.xyz/oauth/v2/token";
};
zitadelScopes = lib.mkOption {
type = lib.types.str;
default = "openid profile email";
};
jwtLifetimeSeconds = lib.mkOption {
type = lib.types.int;
default = 300;
description = "Lifetime of signed assertion JWT sent to Zitadel token endpoint.";
};
zitadelJwtPath = lib.mkOption {
type = lib.types.str;
default = "/run/openbao/zitadel.jwt";
};
openBaoAddr = lib.mkOption {
type = lib.types.str;
default = "https://sec.joshuabell.xyz";
};
jwtAuthMountPath = lib.mkOption {
type = lib.types.str;
default = "auth/zitadel-jwt";
};
openBaoRole = lib.mkOption {
type = lib.types.str;
default = "machines";
};
vaultAgentTokenPath = lib.mkOption {
type = lib.types.str;
default = "/run/openbao/vault-agent.token";
};
secrets = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule (
{ name, ... }:
{
options = {
path = lib.mkOption {
type = lib.types.str;
default = "/run/secrets/${name}";
};
owner = lib.mkOption {
type = lib.types.str;
default = "root";
};
group = lib.mkOption {
type = lib.types.str;
default = "root";
};
mode = lib.mkOption {
type = lib.types.str;
default = "0400";
};
kvPath = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "KV v2 secret API path (ex: kv/data/machines/home_roaming/nix2github).";
};
field = lib.mkOption {
type = lib.types.str;
default = "value";
description = "Field under .Data.data to render.";
};
template = lib.mkOption {
type = lib.types.nullOr lib.types.lines;
default = null;
description = "Optional raw template contents (overrides kvPath/field).";
};
};
}
)
);
default = { };
};
};
config = lib.mkIf cfg.enable {
assertions = lib.mapAttrsToList (name: s: {
assertion = (s.template != null) || (s.kvPath != null);
message = "ringofstorms.secretsBao.secrets.${name} must set either template or kvPath";
}) cfg.secrets;
environment.systemPackages = [
pkgs.jq
pkgs.curl
pkgs.openssl
pkgs.openbao
];
systemd.tmpfiles.rules = [
"d /run/openbao 0700 root root - -"
"d /run/secrets 0711 root root - -"
];
systemd.services = lib.mkMerge [
{
zitadel-mint-jwt = {
description = "Mint Zitadel access token (JWT) for OpenBao";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
UMask = "0077";
ExecStart = pkgs.writeShellScript "zitadel-mint-jwt-service" ''
#!/usr/bin/env bash
set -euo pipefail
if [ ! -f "${cfg.zitadelKeyPath}" ]; then
echo "Missing Zitadel key JSON at ${cfg.zitadelKeyPath}" >&2
exit 1
fi
jwt="$(${mkJwtMintScript})"
${pkgs.coreutils}/bin/printf '%s' "$jwt" > "${cfg.zitadelJwtPath}"
'';
};
};
vault-agent = {
description = "OpenBao agent for rendering secrets";
wantedBy = [ "multi-user.target" ];
after = [
"network-online.target"
"zitadel-mint-jwt.service"
];
wants = [ "network-online.target" ];
requires = [ "zitadel-mint-jwt.service" ];
serviceConfig = {
Type = "simple";
User = "root";
Group = "root";
Restart = "on-failure";
RestartSec = "2s";
UMask = "0077";
ExecStart = "${pkgs.openbao}/bin/bao agent -config=${mkAgentConfig}";
};
};
}
(lib.mapAttrs' (
name: secret:
lib.nameValuePair "openbao-secret-${name}" {
description = "Wait for OpenBao secret ${name}";
after = [ "vault-agent.service" ];
requires = [ "vault-agent.service" ];
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
UMask = "0077";
ExecStart = pkgs.writeShellScript "openbao-wait-secret-${name}" ''
#!/usr/bin/env bash
set -euo pipefail
p=${lib.escapeShellArg secret.path}
for i in {1..60}; do
if [ -s "$p" ]; then
exit 0
fi
sleep 1
done
echo "Secret file not rendered: $p" >&2
exit 1
'';
};
}
) cfg.secrets)
];
age.secrets = lib.mapAttrs' (
name: secret:
lib.nameValuePair name {
file = null;
path = secret.path;
}
) cfg.secrets;
};
}
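Review bot: The token-endpoint call at the end of mkJwtMintScript treats any HTTP response as success: curl runs without `--fail` and jq without `-e`, so an error body from Zitadel makes the pipeline print the literal string `null`, which the zitadel-mint-jwt oneshot then writes to zitadelJwtPath with exit status 0, and the problem only surfaces later as vault-agent auth errors. Change the two lines to `${pkgs.curl}/bin/curl -sSf -X POST "${cfg.zitadelTokenEndpoint}" \` and `| ${pkgs.jq}/bin/jq -er .access_token` so a non-2xx status or a missing access_token fails the unit before the agent is started. The guard in the service ExecStart only tests that the key JSON exists, while the option description promises it is root-only; a `stat -c '%u %a'` comparison against `0 600` there would catch a mis-deployed key before its private key is read into a temp file. Also note that the access token is minted once per boot and, if bao agent keeps Vault Agent's default of removing jwt_file after reading it, auto_auth will have nothing to present when the OpenBao token expires, so the mint unit probably needs a timer or a re-mint hook — worth confirming against the agent's jwt auto_auth documentation.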

hosts/juni/flake.lock generated

@ -1,41 +1,16 @@
{ {
"nodes": { "nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager_3",
"nixpkgs": [
"secrets",
"ragenix",
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1761656077,
"narHash": "sha256-lsNWuj4Z+pE7s0bd2OKicOFq9bK86JE0ZGeKJbNqb94=",
"owner": "ryantm",
"repo": "agenix",
"rev": "9ba0d85de3eaa7afeab493fed622008b6e4924f5",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"beszel": { "beszel": {
"inputs": { "inputs": {
"beszel-nixpkgs": "beszel-nixpkgs" "beszel-nixpkgs": "beszel-nixpkgs"
}, },
"locked": { "locked": {
"dir": "flakes/beszel", "dir": "flakes/beszel",
"lastModified": 1767112386, "lastModified": 1767293741,
"narHash": "sha256-83/88MzCPe2ukEcPHpH/sLgUDeKBcYIt0BWmn4afQQ4=", "narHash": "sha256-mqcZB2uthea2TMcFmEgfPYGDC+O2px5hc/XPrlqsYMs=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "76758fb24a9a0e30e5ffe1a1b940c94b6f8f0f3c", "rev": "8fff3be0425341a048167db5385d9639f6355133",
"revCount": 1009, "revCount": 1031,
"type": "git", "type": "git",
"url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
}, },
@ -64,11 +39,11 @@
"common": { "common": {
"locked": { "locked": {
"dir": "flakes/common", "dir": "flakes/common",
"lastModified": 1767112386, "lastModified": 1767293741,
"narHash": "sha256-83/88MzCPe2ukEcPHpH/sLgUDeKBcYIt0BWmn4afQQ4=", "narHash": "sha256-mqcZB2uthea2TMcFmEgfPYGDC+O2px5hc/XPrlqsYMs=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "76758fb24a9a0e30e5ffe1a1b940c94b6f8f0f3c", "rev": "8fff3be0425341a048167db5385d9639f6355133",
"revCount": 1009, "revCount": 1031,
"type": "git", "type": "git",
"url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
}, },
@ -78,56 +53,17 @@
"url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
} }
}, },
"crane": {
"locked": {
"lastModified": 1760924934,
"narHash": "sha256-tuuqY5aU7cUkR71sO2TraVKK2boYrdW3gCSXUkF4i44=",
"owner": "ipetkov",
"repo": "crane",
"rev": "c6b4d5308293d0d04fcfeee92705017537cad02f",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"secrets",
"ragenix",
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1744478979,
"narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "43975d782b418ebf4969e9ccba82466728c2851b",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"de_plasma": { "de_plasma": {
"inputs": { "inputs": {
"plasma-manager": "plasma-manager" "plasma-manager": "plasma-manager"
}, },
"locked": { "locked": {
"dir": "flakes/de_plasma", "dir": "flakes/de_plasma",
"lastModified": 1767112386, "lastModified": 1767293741,
"narHash": "sha256-83/88MzCPe2ukEcPHpH/sLgUDeKBcYIt0BWmn4afQQ4=", "narHash": "sha256-mqcZB2uthea2TMcFmEgfPYGDC+O2px5hc/XPrlqsYMs=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "76758fb24a9a0e30e5ffe1a1b940c94b6f8f0f3c", "rev": "8fff3be0425341a048167db5385d9639f6355133",
"revCount": 1009, "revCount": 1031,
"type": "git", "type": "git",
"url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
}, },
@ -137,35 +73,17 @@
"url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
} }
}, },
"flake-utils": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flatpaks": { "flatpaks": {
"inputs": { "inputs": {
"nix-flatpak": "nix-flatpak" "nix-flatpak": "nix-flatpak"
}, },
"locked": { "locked": {
"dir": "flakes/flatpaks", "dir": "flakes/flatpaks",
"lastModified": 1767112386, "lastModified": 1767293741,
"narHash": "sha256-83/88MzCPe2ukEcPHpH/sLgUDeKBcYIt0BWmn4afQQ4=", "narHash": "sha256-mqcZB2uthea2TMcFmEgfPYGDC+O2px5hc/XPrlqsYMs=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "76758fb24a9a0e30e5ffe1a1b940c94b6f8f0f3c", "rev": "8fff3be0425341a048167db5385d9639f6355133",
"revCount": 1009, "revCount": 1031,
"type": "git", "type": "git",
"url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
}, },
@ -202,11 +120,11 @@
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"lastModified": 1767024057, "lastModified": 1767280655,
"narHash": "sha256-B1aycRjMRvb6QOGbnqDhiDzZwMebj5jxZ5qyJzaKvpI=", "narHash": "sha256-YmaYMduV5ko8zURUT1VLGDbVC1L/bxHS0NsiPoZ6bBM=",
"owner": "rycee", "owner": "rycee",
"repo": "home-manager", "repo": "home-manager",
"rev": "34578a2fdfce4257ce5f5baf6e7efbd4e4e252b1", "rev": "d49d2543f02dbd789ed032188c84570d929223cb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -216,29 +134,6 @@
"type": "github" "type": "github"
} }
}, },
"home-manager_3": {
"inputs": {
"nixpkgs": [
"secrets",
"ragenix",
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1745494811,
"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"impermanence": { "impermanence": {
"locked": { "locked": {
"lastModified": 1737831083, "lastModified": 1737831083,
@ -272,11 +167,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1767070591, "lastModified": 1767185284,
"narHash": "sha256-b0aM3221Pw6vbACFqZrVzZjMNqXVPi1dvgLr8QTbajc=", "narHash": "sha256-ljDBUDpD1Cg5n3mJI81Hz5qeZAwCGxon4kQW3Ho3+6Q=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "9b3c38bf6c260d0e88154ef07fa833fa845bfd14", "rev": "40b1a28dce561bea34858287fbb23052c3ee63fe",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -304,11 +199,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1766902085, "lastModified": 1767116409,
"narHash": "sha256-coBu0ONtFzlwwVBzmjacUQwj3G+lybcZ1oeNSQkgC0M=", "narHash": "sha256-5vKw92l1GyTnjoLzEagJy5V5mDFck72LiQWZSOnSicw=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c0b0e0fddf73fd517c3471e546c0df87a42d53f4", "rev": "cad22e7d996aea55ecab064e84834289143e44a0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -320,11 +215,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1766736597, "lastModified": 1767047869,
"narHash": "sha256-BASnpCLodmgiVn0M1MU2Pqyoz0aHwar/0qLkp7CjvSQ=", "narHash": "sha256-tzYsEzXEVa7op1LTnrLSiPGrcCY6948iD0EcNLWcmzo=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "f560ccec6b1116b22e6ed15f4c510997d99d5852", "rev": "89dbf01df72eb5ebe3b24a86334b12c27d68016a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -336,11 +231,11 @@
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1766885793, "lastModified": 1767047869,
"narHash": "sha256-P6RVkrM9JLCW6xBjSwHfgTOQ1JwBUma5xe5LI8xAPC0=", "narHash": "sha256-tzYsEzXEVa7op1LTnrLSiPGrcCY6948iD0EcNLWcmzo=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "9ef261221d1e72399f2036786498d78c38185c46", "rev": "89dbf01df72eb5ebe3b24a86334b12c27d68016a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -352,11 +247,11 @@
}, },
"nixpkgs_4": { "nixpkgs_4": {
"locked": { "locked": {
"lastModified": 1766870016, "lastModified": 1767026758,
"narHash": "sha256-fHmxAesa6XNqnIkcS6+nIHuEmgd/iZSP/VXxweiEuQw=", "narHash": "sha256-7fsac/f7nh/VaKJ/qm3I338+wAJa/3J57cOGpXi0Sbg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5c2bc52fb9f8c264ed6c93bd20afa2ff5e763dce", "rev": "346dd96ad74dc4457a9db9de4f4f57dab2e5731d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -382,22 +277,6 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_6": {
"locked": {
"lastModified": 1761672384,
"narHash": "sha256-o9KF3DJL7g7iYMZq9SWgfS1BFlNbsm6xplRjVlOCkXI=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "08dacfca559e1d7da38f3cf05f1f45ee9bfd213c",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nvim_plugin-Almo7aya/openingh.nvim": { "nvim_plugin-Almo7aya/openingh.nvim": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -1268,11 +1147,11 @@
}, },
"locked": { "locked": {
"dir": "flakes/opencode", "dir": "flakes/opencode",
"lastModified": 1767112386, "lastModified": 1767293741,
"narHash": "sha256-83/88MzCPe2ukEcPHpH/sLgUDeKBcYIt0BWmn4afQQ4=", "narHash": "sha256-mqcZB2uthea2TMcFmEgfPYGDC+O2px5hc/XPrlqsYMs=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "76758fb24a9a0e30e5ffe1a1b940c94b6f8f0f3c", "rev": "8fff3be0425341a048167db5385d9639f6355133",
"revCount": 1009, "revCount": 1031,
"type": "git", "type": "git",
"url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
}, },
@ -1287,11 +1166,11 @@
"nixpkgs": "nixpkgs_4" "nixpkgs": "nixpkgs_4"
}, },
"locked": { "locked": {
"lastModified": 1767028968, "lastModified": 1767126722,
"narHash": "sha256-Z6Jk9Ee3+KHaQf7V/zbHHgotZ0gQA5Mtqpzs8PAQmBY=", "narHash": "sha256-bXBpPQ9altAzsuFKhIS83LKwuLIxKJ4gWMAG5xzk+fM=",
"owner": "sst", "owner": "sst",
"repo": "opencode", "repo": "opencode",
"rev": "b7ce46f7a12e68283d6588c33aaf972426ddd65e", "rev": "3fe5d91372fdf859e09ed5a2aefe359e0648ed10",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1319,28 +1198,6 @@
"type": "github" "type": "github"
} }
}, },
"ragenix": {
"inputs": {
"agenix": "agenix",
"crane": "crane",
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_6",
"rust-overlay": "rust-overlay_2"
},
"locked": {
"lastModified": 1761832913,
"narHash": "sha256-VCNVjjuRvrKPiYYwqhE3BAKIaReiKXGpxGp27lZ0MFM=",
"owner": "yaxitech",
"repo": "ragenix",
"rev": "83bccfdea758241999f32869fb6b36f7ac72f1ac",
"type": "github"
},
"original": {
"owner": "yaxitech",
"repo": "ragenix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"beszel": "beszel", "beszel": "beszel",
@ -1354,7 +1211,7 @@
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"opencode": "opencode", "opencode": "opencode",
"ros_neovim": "ros_neovim", "ros_neovim": "ros_neovim",
"secrets": "secrets" "secrets-bao": "secrets-bao"
} }
}, },
"ros_neovim": { "ros_neovim": {
@ -1417,11 +1274,11 @@
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1766468664, "lastModified": 1767195473,
"narHash": "sha256-QfAZCWfwIDiOvikyMb9Tsg2X0n659zd6DxDT88ILE4I=", "narHash": "sha256-xL3DZSWiNSvW58LsJwFIpQ9i3Vs5uaYUjbL60rpFxPk=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "99a57f25b959d7226d68f1b53ff60f0c4cc5b210", "rev": "88e86b5a7d40697ade905f534dcd5372a67b8102",
"revCount": 326, "revCount": 328,
"type": "git", "type": "git",
"url": "https://git.joshuabell.xyz/ringofstorms/nvim" "url": "https://git.joshuabell.xyz/ringofstorms/nvim"
}, },
@ -1451,70 +1308,16 @@
"type": "github" "type": "github"
} }
}, },
"rust-overlay_2": { "secrets-bao": {
"inputs": {
"nixpkgs": [
"secrets",
"ragenix",
"nixpkgs"
]
},
"locked": { "locked": {
"lastModified": 1761791894, "lastModified": 1767294512,
"narHash": "sha256-myRIDh+PxaREz+z9LzbqBJF+SnTFJwkthKDX9zMyddY=", "narHash": "sha256-VJsOr6MRAskbLVRHtLplIHBvi6K45yj0H2TSP0V2SKI=",
"owner": "oxalica", "path": "/home/josh/.config/nixos-config/flakes/secrets-bao",
"repo": "rust-overlay",
"rev": "59c45eb69d9222a4362673141e00ff77842cd219",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"secrets": {
"inputs": {
"ragenix": "ragenix"
},
"locked": {
"path": "../../flakes/secrets",
"type": "path" "type": "path"
}, },
"original": { "original": {
"path": "../../flakes/secrets", "path": "/home/josh/.config/nixos-config/flakes/secrets-bao",
"type": "path" "type": "path"
},
"parent": []
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
} }
} }
}, },


@ -11,8 +11,10 @@
# Use relative to get current version for testin # Use relative to get current version for testin
# common.url = "path:../../flakes/common"; # common.url = "path:../../flakes/common";
common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/common"; common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/common";
# secrets.url = "path:../../flakes/secrets"; # secrets-bao.url = "path:../../flakes/secrets-bao";
secrets.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/secrets"; # NOTE: using an absolute path so this works before you commit/push.
# After you add `flakes/secrets-bao` to the repo, switch to a git URL like your other flakes.
secrets-bao.url = "path:/home/josh/.config/nixos-config/flakes/secrets-bao";
# flatpaks.url = "path:../../flakes/flatpaks"; # flatpaks.url = "path:../../flakes/flatpaks";
flatpaks.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/flatpaks"; flatpaks.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/flatpaks";
# beszel.url = "path:../../flakes/beszel"; # beszel.url = "path:../../flakes/beszel";
@ -66,7 +68,7 @@
}) })
inputs.common.nixosModules.jetbrains_font inputs.common.nixosModules.jetbrains_font
inputs.secrets.nixosModules.default inputs.secrets-bao.nixosModules.default
inputs.ros_neovim.nixosModules.default inputs.ros_neovim.nixosModules.default
({ ({
ringofstorms-nvim.includeAllRuntimeDependencies = true; ringofstorms-nvim.includeAllRuntimeDependencies = true;
@ -84,15 +86,66 @@
inputs.common.nixosModules.timezone_auto inputs.common.nixosModules.timezone_auto
inputs.common.nixosModules.tty_caps_esc inputs.common.nixosModules.tty_caps_esc
inputs.common.nixosModules.zsh inputs.common.nixosModules.zsh
inputs.common.nixosModules.tailnet # inputs.common.nixosModules.tailnet
inputs.beszel.nixosModules.agent
({ ({
beszelAgent = { ringofstorms.secretsBao = {
token = "2fb5f0a0-24aa-4044-a893-6d0f916cd063"; enable = true;
zitadelKeyPath = "/machine-key.json";
openBaoAddr = "https://sec.joshuabell.xyz";
jwtAuthMountPath = "auth/zitadel-jwt";
openBaoRole = "machines";
secrets = {
headscale_auth = {
path = "/run/secrets/headscale_auth";
kvPath = "kv/data/machines/home_roaming/headscale_auth";
field = "value";
}; };
}
) nix2github = {
path = "/run/secrets/nix2github";
owner = "josh";
group = "users";
kvPath = "kv/data/machines/home_roaming/nix2github";
field = "private_key";
};
nix2bitbucket = {
path = "/run/secrets/nix2bitbucket";
owner = "josh";
group = "users";
kvPath = "kv/data/machines/home_roaming/nix2bitbucket";
field = "private_key";
};
nix2gitforgejo = {
path = "/run/secrets/nix2gitforgejo";
owner = "josh";
group = "users";
kvPath = "kv/data/machines/home_roaming/nix2gitforgejo";
field = "private_key";
};
nix2lio = {
path = "/run/secrets/nix2lio";
owner = "josh";
group = "users";
kvPath = "kv/data/machines/home_roaming/nix2lio";
field = "private_key";
};
};
};
systemd.services.tailscaled = {
after = [ "openbao-secret-headscale_auth.service" ];
requires = [ "openbao-secret-headscale_auth.service" ];
};
})
# inputs.beszel.nixosModules.agent
# ({
# beszelAgent = {
# token = "2fb5f0a0-24aa-4044-a893-6d0f916cd063";
# };
# }
# )
./hardware-configuration.nix ./hardware-configuration.nix
./hardware-mounts.nix ./hardware-mounts.nix
@ -122,7 +175,7 @@
inputs.common.homeManagerModules.starship inputs.common.homeManagerModules.starship
inputs.common.homeManagerModules.zoxide inputs.common.homeManagerModules.zoxide
inputs.common.homeManagerModules.zsh inputs.common.homeManagerModules.zsh
inputs.common.homeManagerModules.ssh # inputs.common.homeManagerModules.ssh
( (
{ ... }: { ... }:
{ {
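Review bot: The beszel agent token is still present on the new side of the modules hunk, inside the commented-out `beszelAgent` block that follows the new `ringofstorms.secretsBao` block, so switching to OpenBao does not remove it from the file, and it remains in repository history either way. Delete the commented block rather than keeping it, treat the token as exposed and rotate it, and if the agent is re-enabled source the token through a `ringofstorms.secretsBao.secrets` entry like the other four. Separately, the `path:/home/josh/...` input in the first hunk is already flagged by the in-file NOTE, but the lockfile in this same commit pins that absolute path too, so no other machine can evaluate this host's flake until it is switched to the git URL.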