From 19ec8d2bab05e8b744fa7507c67310223d6c6d21 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Thu, 13 Mar 2025 16:04:39 +0100
Subject: [PATCH] fix(openbao): Correctly use UMask feature, tcp listener and genJqScript

---
 machines/nixos/storage01/openbao.nix | 7 ++++---
 modules/nixos/openbao/default.nix | 4 ++--
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/machines/nixos/storage01/openbao.nix b/machines/nixos/storage01/openbao.nix
index 82b9978..4d6e158 100644
--- a/machines/nixos/storage01/openbao.nix
+++ b/machines/nixos/storage01/openbao.nix
@@ -13,13 +13,14 @@ in
 enable = true;
 settings = {
- listener = {
- tcp.address = "127.0.0.1:${builtins.toString port}";
+ listener.tcp = {
+ address = "127.0.0.1:${builtins.toString port}";
 cluster_address = "0.0.0.0:${toString clusterPort}";
+ tls_disable = true;
 };
 storage.raft = {
- path = "/var/lib/openbao/raft";
+ path = "/var/lib/openbao";
 node_id = "storage01";
 };
diff --git a/modules/nixos/openbao/default.nix b/modules/nixos/openbao/default.nix
index 5990a70..6da8282 100644
--- a/modules/nixos/openbao/default.nix
+++ b/modules/nixos/openbao/default.nix
@@ -81,7 +81,7 @@ in
 ) "consul.service";
 restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.
- preStart = genJqSecretsReplacementSnippet (settingsFormat.generate "openbao-settings.json" cfg.settings) "/var/lib/openbao/config.json";
+ preStart = genJqSecretsReplacementSnippet cfg.settings "/var/lib/openbao/config.json";
 startLimitIntervalSec = 60;
 startLimitBurst = 3;
@@ -98,7 +98,7 @@ in
 );
 ExecReload = "${getExe' pkgs.coreutils "kill"} -SIGHUP $MAINPID";
 StateDirectory = "openbao";
- UMask = "0700";
+ UMask = "0077";
 AmbientCapabilities = "cap_ipc_lock";
 KillSignal = "SIGINT";
 LimitCORE = 0;
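Review bot: `tls_disable = true` is added to the tcp listener without recording why plaintext is acceptable; it only is because `address` stays pinned to `127.0.0.1`, while `cluster_address` on the same listener binds `0.0.0.0` and is reachable from the network, so a why-comment such as `# API is plaintext but loopback-only; the cluster port on 0.0.0.0 must stay firewalled to raft peers` would keep the next reader from loosening `address`. Whether `tls_disable` also affects the cluster port depends on OpenBao's listener semantics and is not visible here, so that should be confirmed before relying on it. The raft `path` also moves from `/var/lib/openbao/raft` to `/var/lib/openbao`; if this node was already initialized, its existing data will not be found at the new location and the node will come up uninitialized, so either migrate the directory or note in the commit that storage01 has no prior raft state. The enclosing `settings` attribute set continues outside the hunk.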
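Review bot: The rendered `/var/lib/openbao/config.json` written by `preStart` contains the secrets substituted in by `genJqSecretsReplacementSnippet`, and because it lives in `StateDirectory` it persists across reboots and between runs rather than only for the lifetime of the service; if `ExecStart` (outside this hunk) can be pointed at a `RuntimeDirectory` path under `/run`, the resolved secrets would not remain on disk at rest. At minimum a comment on the `preStart` line should say that the file holds resolved secrets and is protected only by the unit's `UMask`, e.g. `# writes cfg.settings with secrets resolved; readable only by the service user via UMask`. The file mode of `config.json` is determined by the `UMask` changed in the later hunk of this file, so the two settings should be kept in sync.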
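Review bot: `UMask = "0077"` makes files the service creates owner-only, but the `StateDirectory = "openbao"` above it is created with systemd's default `StateDirectoryMode` of 0755, so `/var/lib/openbao` itself stays world-listable and traversable even though the raft database and rendered `config.json` inside it are 0600; adding `StateDirectoryMode = "0700";` next to `StateDirectory` closes that gap. A short comment on the `UMask` line would also prevent a regression to the previous value, e.g. `# 0077: raft data and the rendered config.json (contains secrets) are owner-only`. The `serviceConfig` attribute set continues outside the hunk.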