feat(secrets): further adapt to openbao

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>

default.nix

@@ -17,6 +17,7 @@
   nixosModules = {
     openbaoAgent = ./nix/modules/openbao-agent.nix;
     systemdOpenBaod = ./nix/modules/systemd-openbaod.nix;
+    openbaoSecrets = ./nix/modules/openbao-secrets.nix;
   };
 
   shell = pkgs.mkShellNoCC {

nix/modules/openbao-secrets.nix

@@ -45,7 +45,7 @@ let
   getSecretTemplate = serviceName: vaultConfig:
     {
       contents = vaultConfig.template;
-      destination = "/run/systemd-vaultd/secrets/${serviceName}.service.json";
+      destination = "/run/systemd-openbaod/secrets/${serviceName}.service.json";
       perms = "0400";
     }
     // templateExec serviceName vaultConfig;
@@ -53,7 +53,7 @@ let
   getEnvironmentTemplate = serviceName: vaultConfig:
     {
       contents = vaultConfig.environmentTemplate;
-      destination = "/run/systemd-vaultd/secrets/${serviceName}.service.EnvironmentFile";
+      destination = "/run/systemd-openbaod/secrets/${serviceName}.service.EnvironmentFile";
       perms = "0400";
     }
     // templateExec serviceName vaultConfig;
@@ -141,8 +141,8 @@ in
               bindsTo = mkIfHasEnv [ "${serviceName}-envfile.service" ];
 
               serviceConfig = {
-                LoadCredential = mkIfHasSecret (lib.mapAttrsToList (_: config: "${config.name}:/run/systemd-vaultd/sock") config.vault.secrets);
+                LoadCredential = mkIfHasSecret (lib.mapAttrsToList (_: config: "${config.name}:/run/systemd-openbaod/sock") config.vault.secrets);
-                EnvironmentFile = mkIfHasEnv [ "/run/systemd-vaultd/secrets/${serviceName}.service.EnvironmentFile" ];
+                EnvironmentFile = mkIfHasEnv [ "/run/systemd-openbaod/secrets/${serviceName}.service.EnvironmentFile" ];
               };
             };
         }));
@@ -173,14 +173,14 @@ in
               Before=${service}.service
               BindsTo=${service}.service
               StopPropagatedFrom=${service}.service
-              After=systemd-vaultd.socket
+              After=systemd-openbaod.socket
-              Requires=systemd-vaultd.socket
+              Requires=systemd-openbaod.socket
 
               [Service]
               Type=oneshot
               ExecStart=${pkgs.coreutils}/bin/true
               RemainAfterExit=true
-              LoadCredential=${service}.service.EnvironmentFile:/run/systemd-vaultd/sock
+              LoadCredential=${service}.service.EnvironmentFile:/run/systemd-openbaod/sock
 
               [Install]
               WantedBy=${service}.service

nix/modules/systemd-openbaod.nix

@@ -8,7 +8,7 @@ let
 in
 {
   imports = [
-    ./vault-secrets.nix
+    ./openbao-secrets.nix
   ];
   options = {
     services.systemd-openbaod = {