feat(secrets): further adapt to openbao

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
main
Raito Bezarius 3 months ago
parent 0738463c27
commit 41e83f4b39

@ -17,6 +17,7 @@
nixosModules = {
openbaoAgent = ./nix/modules/openbao-agent.nix;
systemdOpenBaod = ./nix/modules/systemd-openbaod.nix;
openbaoSecrets = ./nix/modules/openbao-secrets.nix;
};
shell = pkgs.mkShellNoCC {

@ -45,7 +45,7 @@ let
getSecretTemplate = serviceName: vaultConfig:
{
contents = vaultConfig.template;
destination = "/run/systemd-vaultd/secrets/${serviceName}.service.json";
destination = "/run/systemd-openbaod/secrets/${serviceName}.service.json";
perms = "0400";
}
// templateExec serviceName vaultConfig;
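Review bot: The runtime directory `/run/systemd-openbaod` is written out literally in the template destination on the new line here, and again in the `@ -53`, `@ -141` and `@ -173` hunks; each occurrence was renamed by hand, which is how the old `systemd-vaultd` spelling survived until this commit. Binding it once in the module's `let` block, e.g. `openbaodRunDir = "/run/systemd-openbaod";` and `openbaodSock = "${openbaodRunDir}/sock";`, and interpolating those into the `destination`, `LoadCredential` and `EnvironmentFile` strings would keep the socket the service connects to and the path the templates write to from drifting apart on the next rename. The enclosing `let` block starts outside the hunk.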
@ -53,7 +53,7 @@ let
getEnvironmentTemplate = serviceName: vaultConfig:
{
contents = vaultConfig.environmentTemplate;
destination = "/run/systemd-vaultd/secrets/${serviceName}.service.EnvironmentFile";
destination = "/run/systemd-openbaod/secrets/${serviceName}.service.EnvironmentFile";
perms = "0400";
}
// templateExec serviceName vaultConfig;
@ -141,8 +141,8 @@ in
bindsTo = mkIfHasEnv [ "${serviceName}-envfile.service" ];
serviceConfig = {
LoadCredential = mkIfHasSecret (lib.mapAttrsToList (_: config: "${config.name}:/run/systemd-vaultd/sock") config.vault.secrets);
EnvironmentFile = mkIfHasEnv [ "/run/systemd-vaultd/secrets/${serviceName}.service.EnvironmentFile" ];
LoadCredential = mkIfHasSecret (lib.mapAttrsToList (_: config: "${config.name}:/run/systemd-openbaod/sock") config.vault.secrets);
EnvironmentFile = mkIfHasEnv [ "/run/systemd-openbaod/secrets/${serviceName}.service.EnvironmentFile" ];
};
};
}));
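Review bot: `config.vault.secrets` on the new LoadCredential line still reads the per-service secrets from the old `vault` option namespace, while the socket path on the same line and the `EnvironmentFile` path below it have moved to `systemd-openbaod`; the template builders in the earlier hunks likewise keep a `vaultConfig` parameter. If the option path is kept deliberately so that existing service definitions keep working, a comment such as `# 'vault' option path kept for compatibility with existing service configs` next to that line would make the intent clear; otherwise it reads as a leftover of the rename. The enclosing definition begins before the hunk.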
@ -173,14 +173,14 @@ in
Before=${service}.service
BindsTo=${service}.service
StopPropagatedFrom=${service}.service
After=systemd-vaultd.socket
Requires=systemd-vaultd.socket
After=systemd-openbaod.socket
Requires=systemd-openbaod.socket
[Service]
Type=oneshot
ExecStart=${pkgs.coreutils}/bin/true
RemainAfterExit=true
LoadCredential=${service}.service.EnvironmentFile:/run/systemd-vaultd/sock
LoadCredential=${service}.service.EnvironmentFile:/run/systemd-openbaod/sock
[Install]
WantedBy=${service}.service

@ -8,7 +8,7 @@ let
in
{
imports = [
./vault-secrets.nix
./openbao-secrets.nix
];
options = {
services.systemd-openbaod = {
