feat(modules/nixos): init openbao module

Signed-off-by: Elias Coppens <elias@dgnum.eu>
This commit is contained in:
Elias Coppens 2025-03-09 00:39:38 +01:00 committed by Tom Hubrecht
parent a84028b3e7
commit 1e53dc09ba
Signed by: thubrecht
SSH key fingerprint: SHA256:r+nK/SIcWlJ0zFZJGHtlAoRwq1Rm+WcKAm5ADYMoQPc
3 changed files with 122 additions and 0 deletions


@ -35,6 +35,7 @@
"dgn-web"
"django-apps"
"extranix"
"openbao"
])
++ [
"${sources.agenix}/modules/age.nix"


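--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,116 @@
+# SPDX-FileCopyrightText: 2025 Ryan Lahfa <ryan.lahfa@dgnum.eu>
+#
+# SPDX-License-Identifier: MIT
+{
+config,
+lib,
+pkgs,
+utils,
+...
+}:
+let
+inherit (lib)
+getExe
+getExe'
+hasAttrByPath
+mkEnableOption
+mkIf
+mkOption
+mkPackageOption
+optional
+;
+inherit (lib.types) listOf str submodule;
+inherit (utils) escapeSystemdExecArgs genJqSecretsReplacementSnippet;
+settingsFormat = pkgs.formats.json { };
+cfg = config.services.openbao;
+in
+{
+options = {
+services.openbao = {
+enable = mkEnableOption "OpenBao daemon";
+package = mkPackageOption pkgs "openbao" { };
+settings = mkOption {
+description = ''
+Settings of OpenBao.
+See [documentation](https://openbao.org/docs/configuration/) for more details.
+'';
+type = submodule {
+freeformType = settingsFormat.type;
+options = {
+listener.tcp.address = mkOption {
+type = str;
+default = "127.0.0.1:8200";
+description = ''
+The address the OpenBao daemon will listen to.
+'';
+};
+};
+};
+};
+extraArgs = mkOption {
+type = listOf str;
+default = [ ];
+description = ''
+Additional arguments given to OpenBao
+'';
+};
+};
+};
+config = mkIf cfg.enable {
+environment.systemPackages = [ pkgs.openbao ];
+systemd.services.openbao = {
+description = "OpenBao server daemon";
+wantedBy = [ "multi-user.target" ];
+after =
+[ "network.target" ]
+++ optional (
+config.services.consul.enable && (hasAttrByPath [ "storage" "consul" ] cfg.settings)
+) "consul.service";
+restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.
+preStart = genJqSecretsReplacementSnippet (settingsFormat.generate "openbao-settings.json" cfg.settings) "/var/lib/openbao/config.json";
+startLimitIntervalSec = 60;
+startLimitBurst = 3;
+serviceConfig = {
+DynamicUser = true;
+ExecStart = escapeSystemdExecArgs (
+[
+(getExe cfg.package)
+"server"
+"-config"
+"/var/lib/openbao/config.json"
+]
+++ cfg.extraArgs
+);
+ExecReload = "${getExe' pkgs.coreutils "kill"} -SIGHUP $MAINPID";
+StateDirectory = "openbao";
+UMask = "0700";
+AmbientCapabilities = "cap_ipc_lock";
+KillSignal = "SIGINT";
+LimitCORE = 0;
+NoNewPrivileges = true;
+PrivateDevices = true;
+PrivateTmp = true;
+ProtectHome = "read-only";
+ProtectSystem = "full";
+Restart = "on-failure";
+TimeoutStopSec = "30s";
+};
+};
+};
+}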
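Review bot: `UMask = "0700";` in serviceConfig withholds the owner bits from every file the unit creates (a umask is the set of permission bits removed, not kept), so the config.json written by preStart and any on-disk storage would come out readable by group/other but not by the openbao user itself; unless that value is deliberate, the private-state idiom is `UMask = "0077";`. `environment.systemPackages = [ pkgs.openbao ];` bypasses the `package` option declared above, so a user overriding `services.openbao.package` still gets the default CLI on the system path — `[ cfg.package ]` keeps the two consistent with the `ExecStart` line. preStart hands `genJqSecretsReplacementSnippet` the derivation from `settingsFormat.generate` rather than the `cfg.settings` attrset; if the helper serialises its first argument with `builtins.toJSON` as the nixpkgs one does, a derivation renders as its store-path string and config.json would not contain the settings at all, so this is worth confirming by actually starting the service once. A comment on the `UMask`/`DynamicUser` pair such as `# state dir is private to the dynamic user; config.json is regenerated in preStart on every start` would make the intended permission model explicit.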


@ -34,6 +34,11 @@ in
# Kanidm memberless groups provisionning
(local ./nixpkgs/07-kanidm-groups-module.patch)
(local ./nixpkgs/08-kanidm-groups-pkgs.patch)
# openbao: init at 2.0.3
(npr 354366 "sha256-hnGmwmkGeGY6fwZ3L3HSvUX5A5ZpxgslzfmSs1UowdA=")
# openbao: 2.1.0 -> 2.1.1
(npr 375706 "sha256-BQ4O/ub4tivf4cKb7flTpzC7T/4pIQuyEGOwfD12gco=")
];
"nixos-unstable" = [
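Review bot: The two pulled PRs go from `# openbao: init at 2.0.3` straight to `# openbao: 2.1.0 -> 2.1.1`; the bump from 2.0.3 to 2.1.0 is not in this list, so either `npr 375706` is expected to apply cleanly on top of the init patch (which the comment does not say) or the resulting `pkgs.openbao` is not the version the second comment implies. Worth confirming what version the package evaluates to after both patches and stating it in the comment, e.g. `# openbao: 2.1.0 -> 2.1.1 (applied on top of the 2.0.3 init; yields <version: confirm>)`. The enclosing list begins outside the hunk.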