Add secrets-bao with sec CLI; use in hosts; fix git helpers

2026-01-06 20:05:14 -06:00 · 2026-01-06 20:05:14 -06:00 · f8f93a97dc
commit f8f93a97dc
parent c223dedb70
6 changed files with 192 additions and 33 deletions
--- a/hosts/juni/flake.nix
+++ b/hosts/juni/flake.nix
@ -69,7 +69,6 @@
              })
              inputs.common.nixosModules.jetbrains_font

-              inputs.secrets-bao.nixosModules.default
              inputs.ros_neovim.nixosModules.default
              ({
                ringofstorms-nvim.includeAllRuntimeDependencies = true;
@ -115,6 +114,7 @@
              )
              inputs.common.nixosModules.remote_lio_builds

+              inputs.secrets-bao.nixosModules.default
              (
                { inputs, lib, ... }:
                let
@ -124,6 +124,12 @@
                      dependencies = [ "tailscaled" ];
                      configChanges.services.tailscale.authKeyFile = "$SECRET_PATH";
                    };
+                    "atuin-key-josh" = {
+                      owner = "josh";
+                      group = "users";
+                      mode = "0400";
+                      template = ''{{- with secret "kv/data/machines/home_roaming/atuin-key-josh" -}}{{ printf "%s\n%s\n%s" .Data.data.user .Data.data.password .Data.data.value }}{{- end -}}'';
+                    };
                    nix2github = {
                      owner = "josh";
                      group = "users";
@ -295,6 +301,50 @@
                    "com.spotify.Client"
                    "com.bitwarden.desktop"
                  ];
+
+                  systemd.services.atuin-autologin = {
+                    description = "Auto-login to Atuin (if logged out)";
+                    wantedBy = [ "multi-user.target" ];
+                    after = [ "network-online.target" "openbao-secret-atuin-key-josh.service" ];
+                    wants = [ "network-online.target" "openbao-secret-atuin-key-josh.service" ];
+                    requires = [ "openbao-secret-atuin-key-josh.service" ];
+
+                    serviceConfig = {
+                      Type = "oneshot";
+                      User = "josh";
+                      Group = "users";
+                      Environment = [
+                        "HOME=/home/josh"
+                        "XDG_CONFIG_HOME=/home/josh/.config"
+                        "XDG_DATA_HOME=/home/josh/.local/share"
+                      ];
+
+                      ExecStart = pkgs.writeShellScript "atuin-autologin" ''
+                        #!/usr/bin/env bash
+                        set -euo pipefail
+
+                        secret="/run/secrets/atuin-key-josh"
+                        if [ ! -s "$secret" ]; then
+                          echo "Missing atuin secret at $secret" >&2
+                          exit 1
+                        fi
+
+                        # status exits non-zero when logged out.
+                        out="$(${pkgs.atuin}/bin/atuin status 2>&1)" && exit 0
+
+                        if [[ "$out" != *"You are not logged in"* ]]; then
+                          echo "$out" >&2
+                          exit 1
+                        fi
+
+                        username="$(${pkgs.coreutils}/bin/sed -n '1p' "$secret")"
+                        password="$(${pkgs.coreutils}/bin/sed -n '2p' "$secret")"
+                        key="$(${pkgs.coreutils}/bin/sed -n '3p' "$secret")"
+
+                        exec ${pkgs.atuin}/bin/atuin login --username "$username" --password "$password" --key "$key"
+                      '';
+                    };
+                  };
                }
              )
            ];
--- a/hosts/lio/flake.lock
+++ b/hosts/lio/flake.lock
@ -63,20 +63,14 @@
    },
    "common": {
      "locked": {
-        "dir": "flakes/common",
-        "lastModified": 1767740224,
-        "narHash": "sha256-7yUQUw/7IMTBHy2EtuDggE8+NwUN3vDH5fwiTQDIrsI=",
-        "ref": "refs/heads/master",
-        "rev": "4bc645061b8c3108fdb3ee92a61dbe3e98ecdaea",
-        "revCount": 1082,
-        "type": "git",
-        "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
+        "path": "../../flakes/common",
+        "type": "path"
      },
      "original": {
-        "dir": "flakes/common",
-        "type": "git",
-        "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
-      }
+        "path": "../../flakes/common",
+        "type": "path"
+      },
+      "parent": []
    },
    "crane": {
      "locked": {
@ -1321,7 +1315,8 @@
        "nixpkgs-unstable": "nixpkgs-unstable",
        "opencode": "opencode",
        "ros_neovim": "ros_neovim",
-        "secrets": "secrets"
+        "secrets": "secrets",
+        "secrets-bao": "secrets-bao"
      }
    },
    "ros_neovim": {
@ -1460,6 +1455,17 @@
        "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
      }
    },
+    "secrets-bao": {
+      "locked": {
+        "path": "../../flakes/secrets-bao",
+        "type": "path"
+      },
+      "original": {
+        "path": "../../flakes/secrets-bao",
+        "type": "path"
+      },
+      "parent": []
+    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
--- a/hosts/lio/flake.nix
+++ b/hosts/lio/flake.nix
@ -6,10 +6,12 @@
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";

    # Use relative to get current version for testing
-    # common.url = "path:../../flakes/common";
-    common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/common";
+    common.url = "path:../../flakes/common";
+    # common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/common";
    # secrets.url = "path:../../flakes/secrets";
    secrets.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/secrets";
+    secrets-bao.url = "path:../../flakes/secrets-bao";
+    # secrets-bao.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/secrets-bao";
    # flatpaks.url = "path:../../flakes/flatpaks";
    flatpaks.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/flatpaks";
    # beszel.url = "path:../../flakes/beszel";
@ -95,6 +97,36 @@
              common.nixosModules.zsh
              common.nixosModules.more_filesystems

+              inputs.secrets-bao.nixosModules.default
+              (
+                { inputs, lib, ... }:
+                let
+                  secrets = {
+                    headscale_auth = {
+                      kvPath = "kv/data/machines/home_roaming/headscale_auth";
+                      # dependencies = [ "tailscaled" ];
+                      # configChanges.services.tailscale.authKeyFile = "$SECRET_PATH"; # TODO remove secrets and enable this
+                    };
+                  };
+                in
+                lib.mkMerge [
+                  {
+                    ringofstorms.secretsBao = {
+                      enable = true;
+                      zitadelKeyPath = "/machine-key.json";
+                      openBaoAddr = "https://sec.joshuabell.xyz";
+                      jwtAuthMountPath = "auth/zitadel-jwt";
+                      openBaoRole = "machines";
+                      zitadelIssuer = "https://sso.joshuabell.xyz";
+                      zitadelProjectId = "344379162166820867";
+                      inherit secrets;
+                    };
+                  }
+                  (inputs.secrets-bao.lib.applyConfigChanges secrets)
+                  (inputs.secrets-bao.lib.applyHmChanges secrets)
+                ]
+              )
+
              beszel.nixosModules.agent
              ({
                beszelAgent = {