fix(openbao): Correctly use UMask feature, tcp listener and genJqScript

2025-03-13 16:04:39 +01:00 · 2025-03-13 16:04:39 +01:00 · 19ec8d2bab
commit 19ec8d2bab
parent f1e92c01c7
2 changed files with 6 additions and 5 deletions
--- a/machines/nixos/storage01/openbao.nix
+++ b/machines/nixos/storage01/openbao.nix
@ -13,13 +13,14 @@ in
    enable = true;
    settings = {
-      listener = {
+      listener.tcp = {
-        tcp.address = "127.0.0.1:${builtins.toString port}";
+        address = "127.0.0.1:${builtins.toString port}";
        cluster_address = "0.0.0.0:${toString clusterPort}";
        tls_disable = true;
      };
      storage.raft = {
-        path = "/var/lib/openbao/raft";
+        path = "/var/lib/openbao";
        node_id = "storage01";
      };
--- a/modules/nixos/openbao/default.nix
+++ b/modules/nixos/openbao/default.nix
@ -81,7 +81,7 @@ in
        ) "consul.service";
      restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.
-      preStart = genJqSecretsReplacementSnippet (settingsFormat.generate "openbao-settings.json" cfg.settings) "/var/lib/openbao/config.json";
+      preStart = genJqSecretsReplacementSnippet cfg.settings "/var/lib/openbao/config.json";
      startLimitIntervalSec = 60;
      startLimitBurst = 3;
@ -98,7 +98,7 @@ in
        );
        ExecReload = "${getExe' pkgs.coreutils "kill"} -SIGHUP $MAINPID";
        StateDirectory = "openbao";
-        UMask = "0700";
+        UMask = "0077";
        AmbientCapabilities = "cap_ipc_lock";
        KillSignal = "SIGINT";
        LimitCORE = 0;