From 1e53dc09ba6c81dbfcc09673970101a1a1b9adba Mon Sep 17 00:00:00 2001
From: Elias Coppens
Date: Sun, 9 Mar 2025 00:39:38 +0100
Subject: [PATCH 1/2] feat(modules/nixos): init openbao module
Signed-off-by: Elias Coppens
---
 modules/nixos/default.nix | 1 +
 modules/nixos/openbao/default.nix | 116 ++++++++++++++++++++++++++++++
 patches/default.nix | 5 ++
 3 files changed, 122 insertions(+)
 create mode 100644 modules/nixos/openbao/default.nix
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 1ea41b5..8dec5f8 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -35,6 +35,7 @@
 "dgn-web"
 "django-apps"
 "extranix"
+ "openbao"
 ])
 ++ [
 "${sources.agenix}/modules/age.nix"
diff --git a/modules/nixos/openbao/default.nix b/modules/nixos/openbao/default.nix
new file mode 100644
index 0000000..5990a70
--- /dev/null
+++ b/modules/nixos/openbao/default.nix
@@ -0,0 +1,116 @@
+# SPDX-FileCopyrightText: 2025 Ryan Lahfa
+#
+# SPDX-License-Identifier: MIT
+
+{
+ config,
+ lib,
+ pkgs,
+ utils,
+ ...
+}:
+
+let
+ inherit (lib)
+ getExe
+ getExe'
+ hasAttrByPath
+ mkEnableOption
+ mkIf
+ mkOption
+ mkPackageOption
+ optional
+ ;
+
+ inherit (lib.types) listOf str submodule;
+
+ inherit (utils) escapeSystemdExecArgs genJqSecretsReplacementSnippet;
+
+ settingsFormat = pkgs.formats.json { };
+
+ cfg = config.services.openbao;
+in
+{
+ options = {
+ services.openbao = {
+ enable = mkEnableOption "OpenBao daemon";
+
+ package = mkPackageOption pkgs "openbao" { };
+
+ settings = mkOption {
+ description = ''
+ Settings of OpenBao.
+
+ See [documentation](https://openbao.org/docs/configuration/) for more details.
+ '';
+ type = submodule {
+ freeformType = settingsFormat.type;
+ options = {
+ listener.tcp.address = mkOption {
+ type = str;
+ default = "127.0.0.1:8200";
+ description = ''
+ The address the OpenBao daemon will listen to.
+ '';
+ };
+ };
+ };
+ };
+
+ extraArgs = mkOption {
+ type = listOf str;
+ default = [ ];
+ description = ''
+ Additional arguments given to OpenBao
+ '';
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = [ pkgs.openbao ];
+
+ systemd.services.openbao = {
+ description = "OpenBao server daemon";
+
+ wantedBy = [ "multi-user.target" ];
+ after =
+ [ "network.target" ]
+ ++ optional (
+ config.services.consul.enable && (hasAttrByPath [ "storage" "consul" ] cfg.settings)
+ ) "consul.service";
+
+ restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.
+ preStart = genJqSecretsReplacementSnippet (settingsFormat.generate "openbao-settings.json" cfg.settings) "/var/lib/openbao/config.json";
+
+ startLimitIntervalSec = 60;
+ startLimitBurst = 3;
+ serviceConfig = {
+ DynamicUser = true;
+ ExecStart = escapeSystemdExecArgs (
+ [
+ (getExe cfg.package)
+ "server"
+ "-config"
+ "/var/lib/openbao/config.json"
+ ]
+ ++ cfg.extraArgs
+ );
+ ExecReload = "${getExe' pkgs.coreutils "kill"} -SIGHUP $MAINPID";
+ StateDirectory = "openbao";
+ UMask = "0700";
+ AmbientCapabilities = "cap_ipc_lock";
+ KillSignal = "SIGINT";
+ LimitCORE = 0;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ ProtectHome = "read-only";
+ ProtectSystem = "full";
+ Restart = "on-failure";
+ TimeoutStopSec = "30s";
+ };
+ };
+ };
+
+}
diff --git a/patches/default.nix b/patches/default.nix
index 2c49d07..1c1631b 100644
--- a/patches/default.nix
+++ b/patches/default.nix
@@ -34,6 +34,11 @@ in
 # Kanidm memberless groups provisionning
 (local ./nixpkgs/07-kanidm-groups-module.patch)
 (local ./nixpkgs/08-kanidm-groups-pkgs.patch)
+
+ # openbao: init at 2.0.3
+ (npr 354366 "sha256-hnGmwmkGeGY6fwZ3L3HSvUX5A5ZpxgslzfmSs1UowdA=")
+ # openbao: 2.1.0 -> 2.1.1
+ (npr 375706 "sha256-BQ4O/ub4tivf4cKb7flTpzC7T/4pIQuyEGOwfD12gco=")
 ];
 "nixos-unstable" = [
--
2.47.2
From a03164240ef13009d45097134679ebd1b3bbeebf Mon Sep 17 00:00:00 2001
From: Elias Coppens
Date: Sun, 9 Mar 2025 00:40:36 +0100
Subject: [PATCH 2/2] feat(machines/storage01): init openbao
Signed-off-by: Elias Coppens
---
 machines/nixos/storage01/_configuration.nix | 1 +
 machines/nixos/storage01/openbao.nix | 34 +++++++++++++++++++++
 meta/dns.nix | 1 +
 3 files changed, 36 insertions(+)
 create mode 100644 machines/nixos/storage01/openbao.nix
diff --git a/machines/nixos/storage01/_configuration.nix b/machines/nixos/storage01/_configuration.nix
index 4c480bc..1d21f96 100644
--- a/machines/nixos/storage01/_configuration.nix
+++ b/machines/nixos/storage01/_configuration.nix
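Review bot: `UMask = "0700";` in serviceConfig clears the owner permission bits of every file the unit creates while leaving the group/other bits in place, which is the opposite of a private mask; this applies to the rendered `/var/lib/openbao/config.json` that preStart writes after secret substitution as well as to anything OpenBao itself creates under the state directory, with the exact resulting mode depending on what each writer requests. If the intent is to keep that state readable only by the dynamic service user, the conventional value is `UMask = "0077";` — please confirm which mode was intended. Separately, `environment.systemPackages = [ pkgs.openbao ];` bypasses the `package` option; `[ cfg.package ]` keeps the CLI and the server on the same derivation. Since all writes go through StateDirectory, `ProtectSystem = "strict";` would also be a tighter default than `"full"`, though that is a judgment call.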
@@ -20,6 +20,7 @@ lib.extra.mkConfig {
 "garage"
 "influxdb"
 "netbird"
+ "openbao"
 "peertube"
 "prometheus"
 "redirections"
diff --git a/machines/nixos/storage01/openbao.nix b/machines/nixos/storage01/openbao.nix
new file mode 100644
index 0000000..82b9978
--- /dev/null
+++ b/machines/nixos/storage01/openbao.nix
@@ -0,0 +1,34 @@
+# SPDX-FileCopyrightText: 2025 Elias Coppens
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+let
+ host = "vault.dgnum.eu";
+ port = 3100;
+ clusterPort = 3101;
+in
+
+{
+ services.openbao = {
+ enable = true;
+
+ settings = {
+ listener = {
+ tcp.address = "127.0.0.1:${builtins.toString port}";
+ cluster_address = "0.0.0.0:${toString clusterPort}";
+ };
+
+ storage.raft = {
+ path = "/var/lib/openbao/raft";
+ node_id = "storage01";
+ };
+
+ cluster_addr = "http://${host}:${toString clusterPort}";
+ api_addr = "https://${host}";
+ };
+ };
+
+ dgn-web.simpleProxies.openbao = {
+ inherit host port;
+ };
+}
diff --git a/meta/dns.nix b/meta/dns.nix
index f548c54..f1c5515 100644
--- a/meta/dns.nix
+++ b/meta/dns.nix
@@ -110,6 +110,7 @@ let
 "victoria-metrics" # Victoria Metrics
 "videos" # Peertube
 "pub"
+ "vault" # OpenBao
 # Garage S3
 "*.cdn"
--
2.47.2
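Review bot: In machines/nixos/storage01/openbao.nix, `cluster_address` is placed beside `tcp` inside `listener` rather than inside the tcp listener block, so the generated JSON carries it as `listener.cluster_address`; in the upstream listener schema `cluster_address` is a parameter of the `tcp` listener, so this is likely not read as intended — the fix is to nest it, `tcp = { address = "127.0.0.1:${builtins.toString port}"; cluster_address = "0.0.0.0:${toString clusterPort}"; };`, and to check the rendered config once. The tcp listener also sets no `tls_disable` and no `tls_cert_file`/`tls_key_file` while the API is published through `dgn-web.simpleProxies` on `https://${host}`; if the proxy terminates TLS, the loopback listener needs an explicit `tls_disable = true;` (the plaintext hop is then confined to 127.0.0.1), otherwise certificate files are required — as far as I can tell from the hunk neither is configured. Binding the cluster port on `0.0.0.0` exposes it on every interface for what is a single raft node (`node_id = "storage01"`) and the commit opens no firewall rule for it; binding to the host's specific address or loopback would keep the exposure explicit. Finally `cluster_addr` uses `http://`; as I understand it the cluster port is always TLS-wrapped and the scheme is ignored, so `https://` would document the actual protocol.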