From 9e07182d3e584fd778804a9a45d10a3bdb05b3b3 Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Sun, 20 Oct 2024 22:27:30 +0200
Subject: [PATCH] feat(proxy): further adapt to openbao

Signed-off-by: Raito Bezarius
---
 default.nix | 1 +
 nix/modules/systemd-openbaod.nix | 48 ++++++++++++++++++++++++++++++++
 nix/modules/systemd-vaultd.nix | 48 --------------------------------
 3 files changed, 49 insertions(+), 48 deletions(-)
 create mode 100644 nix/modules/systemd-openbaod.nix
 delete mode 100644 nix/modules/systemd-vaultd.nix

diff --git a/default.nix b/default.nix
index 4c61f00..dce8550 100644
--- a/default.nix
+++ b/default.nix
@@ -10,6 +10,7 @@
     license = licenses.mit;
     maintainers = with maintainers; [ raitobezarius ];
     platforms = platforms.unix;
+    mainProgram = "systemd-openbaod";
   };
 };
diff --git a/nix/modules/systemd-openbaod.nix b/nix/modules/systemd-openbaod.nix
new file mode 100644
index 0000000..f887395
--- /dev/null
+++ b/nix/modules/systemd-openbaod.nix
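Review bot: `mainProgram = "systemd-openbaod"` is only correct if the derivation actually installs an executable with that name under `$out/bin`; the hunk shows the `meta` block but not the build or install phase, so this cannot be confirmed from here. The new module resolves `ExecStart` through `lib.getExe`, which builds the path from `meta.mainProgram` without checking that the file exists, so a mismatch (for example a binary still called `systemd-vaultd`) would surface only as a unit that fails to start at runtime, not as an evaluation error. A one-line comment next to the attribute, `# must match the binary name installed in $out/bin; consumed by lib.getExe in nix/modules/systemd-openbaod.nix`, would make that coupling explicit.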
@@ -0,0 +1,48 @@
+{ pkgs
+, lib
+, config
+, ...
+}:
+let
+  systemd-vaultd = (pkgs.callPackage ../../default.nix { }).package;
+in
+{
+  imports = [
+    ./vault-secrets.nix
+  ];
+  options = {
+    services.systemd-openbaod = {
+      package = lib.mkOption {
+        type = lib.types.package;
+        default = systemd-vaultd;
+        defaultText = "pkgs.systemd-openbaod";
+        description = ''
+          The package to use for systemd-openbaod
+        '';
+      };
+    };
+  };
+
+  config = {
+    systemd.sockets.systemd-openbaod = {
+      description = "systemd-openbaod socket";
+      wantedBy = [ "sockets.target" ];
+
+      socketConfig = {
+        ListenStream = "/run/systemd-openbaod/sock";
+        SocketUser = "root";
+        SocketMode = "0600";
+      };
+    };
+    systemd.services.systemd-openbaod = {
+      description = "systemd-openbaod daemon";
+      requires = [ "systemd-openbaod.socket" ];
+      after = [ "systemd-openbaod.socket" ];
+      # Restarting can break services waiting for secrets
+      stopIfChanged = false;
+      serviceConfig = {
+        ExecStart = lib.getExe config.services.systemd-openbaod.package;
+      };
+    };
+  };
+}
diff --git a/nix/modules/systemd-vaultd.nix b/nix/modules/systemd-vaultd.nix
deleted file mode 100644
index aa8e7ef..0000000
--- a/nix/modules/systemd-vaultd.nix
+++ /dev/null
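Review bot: The option `services.systemd-vaultd.package` is renamed to `services.systemd-openbaod.package` without a migration shim in `imports`, so any existing configuration that sets the old name fails evaluation with an undefined-option error rather than being carried over; adding `(lib.mkRenamedOptionModule [ "services" "systemd-vaultd" "package" ] [ "services" "systemd-openbaod" "package" ])` to the `imports` list keeps old configs working and emits a deprecation warning. The `let` binding on the new file's line 7 keeps the stale name `systemd-vaultd` while everything else in the module is renamed; `systemd-openbaod` would match the rest of the file. The socket path also moves to `/run/systemd-openbaod/sock`, so anything that still connects to `/run/systemd-vaultd/sock` (possibly `./vault-secrets.nix`, which is imported here but not shown) would stop finding the daemon without an evaluation error — worth confirming. Finally, the new binding reads `.package` off the `callPackage` result where the old module used the result directly; the default.nix hunk's trailing `}; };` is consistent with such a wrapper attribute but does not show it, so that should be verified against the current `default.nix`.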
@@ -1,48 +0,0 @@
-{ pkgs
-, lib
-, config
-, ...
-}:
-let
-  systemd-vaultd = pkgs.callPackage ../../default.nix { };
-in
-{
-  imports = [
-    ./vault-secrets.nix
-  ];
-  options = {
-    services.systemd-vaultd = {
-      package = lib.mkOption {
-        type = lib.types.package;
-        default = systemd-vaultd;
-        defaultText = "pkgs.systemd-vaultd";
-        description = ''
-          The package to use for systemd-vaultd
-        '';
-      };
-    };
-  };
-
-  config = {
-    systemd.sockets.systemd-vaultd = {
-      description = "systemd-vaultd socket";
-      wantedBy = [ "sockets.target" ];
-
-      socketConfig = {
-        ListenStream = "/run/systemd-vaultd/sock";
-        SocketUser = "root";
-        SocketMode = "0600";
-      };
-    };
-    systemd.services.systemd-vaultd = {
-      description = "systemd-vaultd daemon";
-      requires = [ "systemd-vaultd.socket" ];
-      after = [ "systemd-vaultd.socket" ];
-      # Restarting can break services waiting for secrets
-      stopIfChanged = false;
-      serviceConfig = {
-        ExecStart = "${config.services.systemd-vaultd.package}/bin/systemd-vaultd";
-      };
-    };
-  };
-}