DGNum/infrastructure
11
6
Fork 2
Code Issues 22 Pull requests 20 Projects 1 Releases Packages Wiki Activity Actions

feat(storage01): init openbao #327

Merged
thubrecht merged 2 commits from openbao into main 2025-03-11 12:01:05 +01:00
Conversation 0 Commits 2 Files changed 6 +158
6 changed files with 158 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
machines/nixos/storage01/_configuration.nix
View file

@ -20,6 +20,7 @@ lib.extra.mkConfig {
"garage" "garage"
"influxdb" "influxdb"
"netbird" "netbird"
"openbao"
"peertube" "peertube"
"prometheus" "prometheus"
"redirections" "redirections"

34
machines/nixos/storage01/openbao.nix Normal file
View file

@ -0,0 +1,34 @@
# SPDX-FileCopyrightText: 2025 Elias Coppens <elias.coppens@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
let
host = "vault.dgnum.eu";
port = 3100;
clusterPort = 3101;
in
{
services.openbao = {
enable = true;
settings = {
listener = {
tcp.address = "127.0.0.1:${builtins.toString port}";
cluster_address = "0.0.0.0:${toString clusterPort}";
};
storage.raft = {
path = "/var/lib/openbao/raft";
node_id = "storage01";
};
cluster_addr = "http://${host}:${toString clusterPort}";
api_addr = "https://${host}";
};
};
dgn-web.simpleProxies.openbao = {
inherit host port;
};
}

1
meta/dns.nix
View file

@ -110,6 +110,7 @@ let
"victoria-metrics" # Victoria Metrics "victoria-metrics" # Victoria Metrics
"videos" # Peertube "videos" # Peertube
"pub" "pub"
"vault" # OpenBao
# Garage S3 # Garage S3
"*.cdn" "*.cdn"

1
modules/nixos/default.nix
View file

@ -35,6 +35,7 @@
"dgn-web" "dgn-web"
"django-apps" "django-apps"
"extranix" "extranix"
"openbao"
]) ])
++ [ ++ [
"${sources.agenix}/modules/age.nix" "${sources.agenix}/modules/age.nix"

116
modules/nixos/openbao/default.nix Normal file
View file

@ -0,0 +1,116 @@
# SPDX-FileCopyrightText: 2025 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: MIT
{
config,
lib,
pkgs,
utils,
...
}:
let
inherit (lib)
getExe
getExe'
hasAttrByPath
mkEnableOption
mkIf
mkOption
mkPackageOption
optional
;
inherit (lib.types) listOf str submodule;
inherit (utils) escapeSystemdExecArgs genJqSecretsReplacementSnippet;
settingsFormat = pkgs.formats.json { };
cfg = config.services.openbao;
in
{
options = {
services.openbao = {
enable = mkEnableOption "OpenBao daemon";
package = mkPackageOption pkgs "openbao" { };
settings = mkOption {
description = ''
Settings of OpenBao.
See [documentation](https://openbao.org/docs/configuration/) for more details.
'';
type = submodule {
freeformType = settingsFormat.type;
options = {
listener.tcp.address = mkOption {
type = str;
default = "127.0.0.1:8200";
description = ''
The address the OpenBao daemon will listen to.
'';
};
};
};
};
extraArgs = mkOption {
type = listOf str;
default = [ ];
description = ''
Additional arguments given to OpenBao
'';
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.openbao ];
systemd.services.openbao = {
description = "OpenBao server daemon";
wantedBy = [ "multi-user.target" ];
after =
[ "network.target" ]
++ optional (
config.services.consul.enable && (hasAttrByPath [ "storage" "consul" ] cfg.settings)
) "consul.service";
restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.
preStart = genJqSecretsReplacementSnippet (settingsFormat.generate "openbao-settings.json" cfg.settings) "/var/lib/openbao/config.json";
startLimitIntervalSec = 60;
startLimitBurst = 3;
serviceConfig = {
DynamicUser = true;
ExecStart = escapeSystemdExecArgs (
[
(getExe cfg.package)
"server"
"-config"
"/var/lib/openbao/config.json"
]
++ cfg.extraArgs
);
ExecReload = "${getExe' pkgs.coreutils "kill"} -SIGHUP $MAINPID";
StateDirectory = "openbao";
UMask = "0700";
AmbientCapabilities = "cap_ipc_lock";
KillSignal = "SIGINT";
LimitCORE = 0;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
ProtectHome = "read-only";
ProtectSystem = "full";
Restart = "on-failure";
TimeoutStopSec = "30s";
};
};
};
}

5
patches/default.nix
View file

@ -34,6 +34,11 @@ in
# Kanidm memberless groups provisionning # Kanidm memberless groups provisionning
(local ./nixpkgs/07-kanidm-groups-module.patch) (local ./nixpkgs/07-kanidm-groups-module.patch)
(local ./nixpkgs/08-kanidm-groups-pkgs.patch) (local ./nixpkgs/08-kanidm-groups-pkgs.patch)
# openbao: init at 2.0.3
(npr 354366 "sha256-hnGmwmkGeGY6fwZ3L3HSvUX5A5ZpxgslzfmSs1UowdA=")
# openbao: 2.1.0 -> 2.1.1
(npr 375706 "sha256-BQ4O/ub4tivf4cKb7flTpzC7T/4pIQuyEGOwfD12gco=")
]; ];
"nixos-unstable" = [ "nixos-unstable" = [