ringofstorms/dotfiles
ringofstorms/dotfiles
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add secrets-bao with sec CLI; use in hosts; fix git helpers

Browse source
This commit is contained in:
RingOfStorms (Joshua Bell) 2026-01-06 20:05:14 -06:00
parent c223dedb70
commit f8f93a97dc
6 changed files with 192 additions and 33 deletions
Download patch file Download diff file Expand all files Collapse all files

4
flakes/common/nix_modules/git/gcpropose.func.sh
View file

@ -1,9 +1,9 @@
gcamp() {
VISUAL=vi EDITOR=vi gcam "$(gcpropose -a | vipe)"
VISUAL=vi EDITOR=vi git commit -a -m "$(gcpropose -a | vipe)"
}
gcmp() {
VISUAL=vi EDITOR=vi gcm "$(gcpropose | vipe)"
VISUAL=vi EDITOR=vi git commit -m "$(gcpropose | vipe)"
}
gcpropose() {

86
flakes/secrets-bao/nixos-module.nix
View file

@ -196,6 +196,76 @@ let
in
builtins.head (lib.strings.splitString "/" noProto);
sec = pkgs.writeShellScriptBin "sec" ''
#!/usr/bin/env bash
set -euo pipefail
if [ "$(${pkgs.coreutils}/bin/id -u)" -ne 0 ]; then
exec ${pkgs.sudo}/bin/sudo "$0" "$@"
fi
vault_addr=${lib.escapeShellArg cfg.openBaoAddr}
jwt_mount_path=${lib.escapeShellArg cfg.jwtAuthMountPath}
role=${lib.escapeShellArg cfg.openBaoRole}
jwt_path=${lib.escapeShellArg cfg.zitadelJwtPath}
token_path=${lib.escapeShellArg cfg.vaultAgentTokenPath}
usage() {
echo "usage: sec <kv-path> [field]" >&2
echo " examples:" >&2
echo " sec machines/home_roaming/test value" >&2
echo " sec kv/data/machines/home_roaming/test value" >&2
}
die() {
echo "sec: $*" >&2
exit 1
}
kv_path="''${1-}"
field="''${2:-value}"
if [ -z "$kv_path" ] || [ "$kv_path" = "-h" ] || [ "$kv_path" = "--help" ]; then
usage
exit 2
fi
export VAULT_ADDR="$vault_addr"
token=""
if [ -r "$token_path" ] && [ -s "$token_path" ]; then
token="$(cat "$token_path")"
else
if [ ! -r "$jwt_path" ] || [ ! -s "$jwt_path" ]; then
die "Missing JWT at $jwt_path (try: systemctl start zitadel-mint-jwt)"
fi
token="$(${pkgs.openbao}/bin/bao write -field=token "$jwt_mount_path/login" role="$role" jwt="$(cat "$jwt_path")")"
fi
if [ -z "$token" ] || [ "$token" = "null" ]; then
die "Failed to get OpenBao token"
fi
export VAULT_TOKEN="$token"
# Accept either KV v2 logical paths (machines/foo/bar) or raw API paths (kv/data/machines/foo/bar).
if [[ "$kv_path" == kv/data/* ]]; then
json="$(${pkgs.openbao}/bin/bao read -format=json "$kv_path")"
else
json="$(${pkgs.openbao}/bin/bao kv get -format=json -mount=kv "$kv_path")"
fi
value="$(${pkgs.jq}/bin/jq -er --arg field "$field" '.data.data[$field]' <<<"$json" 2>/dev/null || true)"
if [ -z "$value" ] || [ "$value" = "null" ]; then
die "Field not found: $field"
fi
printf '%s\n' "$value"
'';
mkAgentConfig = pkgs.writeText "vault-agent.hcl" ''
vault {
address = "${cfg.openBaoAddr}"
@ -245,12 +315,6 @@ let
in
{
options.age.secrets = lib.mkOption {
type = lib.types.attrsOf lib.types.anything;
default = { };
description = "Compatibility shim for modules that expect config.age.secrets.<name>.path.";
};
options.ringofstorms.secretsBao = {
enable = lib.mkEnableOption "Fetch runtime secrets via OpenBao";
@ -409,6 +473,7 @@ in
pkgs.openssl
pkgs.openbao
zitadelMintJwt
sec
];
systemd.tmpfiles.rules = [
@ -594,16 +659,7 @@ in
}
) cfg.secrets)
];
age.secrets = lib.mapAttrs' (
name: secret:
lib.nameValuePair name {
file = null;
path = secret.path;
}
) cfg.secrets;
}
]
);
}

15
flakes/secrets-bao/readme.md Normal file
View file

@ -0,0 +1,15 @@
- Create machine in zitadel and generate a key. Put that at /machine-key.json
- sudo chmod
## CLI
If `ringofstorms.secretsBao.enable = true`, you also get a `sec` helper.
It reads `/run/openbao/*` files, so it will `sudo` itself if needed.
- `sec <kv-path> [field]` reads a field (default: `value`) from KV v2.
- It reuses `/run/openbao/vault-agent.token` when available, otherwise it logs in via the same jwt auth mount path using `/run/openbao/zitadel.jwt`.
Example:
- `sec machines/home_roaming/test value`