DGNum/infrastructure
11
6
Fork 2
Code Issues 22 Pull requests 19 Projects 1 Releases Packages Wiki Activity Actions

feat(storage01): init openbao #327

Merged
thubrecht merged 2 commits from openbao into main 2025-03-11 12:01:05 +01:00
Conversation 0 Commits 2 Files changed 6 +158
6 changed files with 158 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
machines/nixos/storage01/_configuration.nix
View file

@ -20,6 +20,7 @@ lib.extra.mkConfig {
"garage"
"influxdb"
"netbird"
"openbao"
"peertube"
"prometheus"
"redirections"

34
machines/nixos/storage01/openbao.nix Normal file
View file

@ -0,0 +1,34 @@
# SPDX-FileCopyrightText: 2025 Elias Coppens <elias.coppens@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
let
host = "vault.dgnum.eu";
port = 3100;
clusterPort = 3101;
in
{
services.openbao = {
enable = true;
settings = {
listener = {
tcp.address = "127.0.0.1:${builtins.toString port}";
cluster_address = "0.0.0.0:${toString clusterPort}";
};
storage.raft = {
path = "/var/lib/openbao/raft";
node_id = "storage01";
};
cluster_addr = "http://${host}:${toString clusterPort}";
api_addr = "https://${host}";
};
};
dgn-web.simpleProxies.openbao = {
inherit host port;
};
}

1
meta/dns.nix
View file

@ -110,6 +110,7 @@ let
"victoria-metrics" # Victoria Metrics
"videos" # Peertube
"pub"
"vault" # OpenBao
# Garage S3
"*.cdn"

1
modules/nixos/default.nix
View file

@ -35,6 +35,7 @@
"dgn-web"
"django-apps"
"extranix"
"openbao"
])
++ [
"${sources.agenix}/modules/age.nix"

116
modules/nixos/openbao/default.nix Normal file
View file

@ -0,0 +1,116 @@
# SPDX-FileCopyrightText: 2025 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: MIT
{
config,
lib,
ecoppens marked this conversation as resolved Outdated
thubrecht commented 2025-03-10 20:54:00 +01:00
Outdated
Review
Copy link

???
Si y'a rien de plus que ça met direct le module en default.nix

??? Si y'a rien de plus que ça met direct le module en default.nix
pkgs,
utils,
...
}:
let
inherit (lib)
getExe
getExe'
hasAttrByPath
mkEnableOption
mkIf
mkOption
mkPackageOption
optional
;
inherit (lib.types) listOf str submodule;
inherit (utils) escapeSystemdExecArgs genJqSecretsReplacementSnippet;
ecoppens marked this conversation as resolved Outdated
thubrecht commented 2025-03-11 08:21:36 +01:00
Outdated
Review
Copy link
inherit (lib.types) ...

Avec la liste des types que tu utilises et tu enlèves types. dans la définition des options.

```nix inherit (lib.types) ... ``` Avec la liste des types que tu utilises et tu enlèves `types.` dans la définition des options.
settingsFormat = pkgs.formats.json { };
cfg = config.services.openbao;
in
ecoppens marked this conversation as resolved Outdated
thubrecht commented 2025-03-11 08:23:26 +01:00
Outdated
Review
Copy link
  settingsFormat = pkgs.formats.json { };
```nix settingsFormat = pkgs.formats.json { }; ```
{
options = {
services.openbao = {
enable = mkEnableOption "OpenBao daemon";
package = mkPackageOption pkgs "openbao" { };
settings = mkOption {
description = ''
Settings of OpenBao.
See [documentation](https://openbao.org/docs/configuration/) for more details.
'';
type = submodule {
freeformType = settingsFormat.type;
options = {
listener.tcp.address = mkOption {
type = str;
default = "127.0.0.1:8200";
description = ''
The address the OpenBao daemon will listen to.
'';
};
};
};
};
extraArgs = mkOption {
type = listOf str;
default = [ ];
description = ''
Additional arguments given to OpenBao
'';
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.openbao ];
systemd.services.openbao = {
description = "OpenBao server daemon";
ecoppens marked this conversation as resolved Outdated
thubrecht commented 2025-03-11 08:31:29 +01:00
Outdated
Review
Copy link

À remplacer avec l'option settings

À remplacer avec l'option `settings`
wantedBy = [ "multi-user.target" ];
after =
[ "network.target" ]
++ optional (
config.services.consul.enable && (hasAttrByPath [ "storage" "consul" ] cfg.settings)
) "consul.service";
restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.
preStart = genJqSecretsReplacementSnippet (settingsFormat.generate "openbao-settings.json" cfg.settings) "/var/lib/openbao/config.json";
startLimitIntervalSec = 60;
startLimitBurst = 3;
serviceConfig = {
DynamicUser = true;
ExecStart = escapeSystemdExecArgs (
[
(getExe cfg.package)
"server"
"-config"
"/var/lib/openbao/config.json"
]
++ cfg.extraArgs
);
ExecReload = "${getExe' pkgs.coreutils "kill"} -SIGHUP $MAINPID";
StateDirectory = "openbao";
UMask = "0700";
AmbientCapabilities = "cap_ipc_lock";
KillSignal = "SIGINT";
LimitCORE = 0;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
ProtectHome = "read-only";
ProtectSystem = "full";
Restart = "on-failure";
TimeoutStopSec = "30s";
};
};
};
}

5
patches/default.nix
View file

@ -34,6 +34,11 @@ in
# Kanidm memberless groups provisionning
(local ./nixpkgs/07-kanidm-groups-module.patch)
(local ./nixpkgs/08-kanidm-groups-pkgs.patch)
# openbao: init at 2.0.3
(npr 354366 "sha256-hnGmwmkGeGY6fwZ3L3HSvUX5A5ZpxgslzfmSs1UowdA=")
# openbao: 2.1.0 -> 2.1.1
ecoppens marked this conversation as resolved Outdated
thubrecht commented 2025-03-11 08:06:31 +01:00
Outdated
Review
Copy link

Comme j'ai dit dans la conv, il faut utiliser npr plutôt:

    #  openbao: init at 2.0.3
    (npr 354366 "sha256-hnGmwmkGeGY6fwZ3L3HSvUX5A5ZpxgslzfmSs1UowdA=")
    #  openbao: 2.1.0 -> 2.1.1
    (npr 375706 "sha256-BQ4O/ub4tivf4cKb7flTpzC7T/4pIQuyEGOwfD12gco=")
Comme j'ai dit dans la conv, il faut utiliser `npr` plutôt: ```nix # openbao: init at 2.0.3 (npr 354366 "sha256-hnGmwmkGeGY6fwZ3L3HSvUX5A5ZpxgslzfmSs1UowdA=") # openbao: 2.1.0 -> 2.1.1 (npr 375706 "sha256-BQ4O/ub4tivf4cKb7flTpzC7T/4pIQuyEGOwfD12gco=") ```
(npr 375706 "sha256-BQ4O/ub4tivf4cKb7flTpzC7T/4pIQuyEGOwfD12gco=")
];
"nixos-unstable" = [