From c5f5ce1fe3184340d4f9d787eb5810f651646113 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 22 Oct 2024 18:01:53 +0200 Subject: [PATCH] feat(secrets): further adapt to openbao Signed-off-by: Raito Bezarius --- default.nix | 1 + .../{vault-secrets.nix => openbao-secrets.nix} | 14 +++++++------- 2 files changed, 8 insertions(+), 7 deletions(-) rename nix/modules/{vault-secrets.nix => openbao-secrets.nix} (92%) diff --git a/default.nix b/default.nix index dce8550..28badc8 100644 --- a/default.nix +++ b/default.nix @@ -17,6 +17,7 @@ nixosModules = { openbaoAgent = ./nix/modules/openbao-agent.nix; systemdOpenBaod = ./nix/modules/systemd-openbaod.nix; + openbaoSecrets = ./nix/modules/openbao-secrets.nix; }; shell = pkgs.mkShellNoCC { diff --git a/nix/modules/vault-secrets.nix b/nix/modules/openbao-secrets.nix similarity index 92% rename from nix/modules/vault-secrets.nix rename to nix/modules/openbao-secrets.nix index 0f3c30b..c0d11e2 100644 --- a/nix/modules/vault-secrets.nix +++ b/nix/modules/openbao-secrets.nix @@ -45,7 +45,7 @@ let getSecretTemplate = serviceName: vaultConfig: { contents = vaultConfig.template; - destination = "/run/systemd-vaultd/secrets/${serviceName}.service.json"; + destination = "/run/systemd-openbaod/secrets/${serviceName}.service.json"; perms = "0400"; } // templateExec serviceName vaultConfig; @@ -53,7 +53,7 @@ let getEnvironmentTemplate = serviceName: vaultConfig: { contents = vaultConfig.environmentTemplate; - destination = "/run/systemd-vaultd/secrets/${serviceName}.service.EnvironmentFile"; + destination = "/run/systemd-openbaod/secrets/${serviceName}.service.EnvironmentFile"; perms = "0400"; } // templateExec serviceName vaultConfig; 
@@ -141,8 +141,8 @@ in bindsTo = mkIfHasEnv [ "${serviceName}-envfile.service" ]; serviceConfig = { - LoadCredential = mkIfHasSecret (lib.mapAttrsToList (_: config: "${config.name}:/run/systemd-vaultd/sock") config.vault.secrets); - EnvironmentFile = mkIfHasEnv [ "/run/systemd-vaultd/secrets/${serviceName}.service.EnvironmentFile" ]; + LoadCredential = mkIfHasSecret (lib.mapAttrsToList (_: config: "${config.name}:/run/systemd-openbaod/sock") config.vault.secrets); + EnvironmentFile = mkIfHasEnv [ "/run/systemd-openbaod/secrets/${serviceName}.service.EnvironmentFile" ]; }; }; })); @@ -173,14 +173,14 @@ in Before=${service}.service BindsTo=${service}.service StopPropagatedFrom=${service}.service - After=systemd-vaultd.socket - Requires=systemd-vaultd.socket + After=systemd-openbaod.socket + Requires=systemd-openbaod.socket [Service] Type=oneshot ExecStart=${pkgs.coreutils}/bin/true RemainAfterExit=true - LoadCredential=${service}.service.EnvironmentFile:/run/systemd-vaultd/sock + LoadCredential=${service}.service.EnvironmentFile:/run/systemd-openbaod/sock [Install] WantedBy=${service}.service
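Review bot: The `/run/systemd-openbaod` prefix is still spelled out as a separate string literal in the `LoadCredential` and `EnvironmentFile` lines of this hunk, in both `destination` values of the `getSecretTemplate`/`getEnvironmentTemplate` hunks, and again in the generated envfile unit below; the commit itself shows why that is fragile, since a daemon path change had to be applied in seven places and any one missed spot would make the service manager read `EnvironmentFile=` from a path the agent no longer writes to, failing the unit (or, with a `-` prefix, starting it without its secrets). I would bind it once in the module's `let` (which begins outside this hunk), `runDir = "/run/systemd-openbaod";`, and derive every path from it: `LoadCredential = mkIfHasSecret (lib.mapAttrsToList (_: config: "${config.name}:${runDir}/sock") config.vault.secrets);` and `EnvironmentFile = mkIfHasEnv [ "${runDir}/secrets/${serviceName}.service.EnvironmentFile" ];`, with the same binding used for the template destinations and the `LoadCredential=` line of the generated unit, so the rendered-file path and the socket path cannot drift apart. The option namespace `config.vault.secrets` is the one name left on the vault side; if that is deliberate to keep the user-facing option stable across the rename, a short comment saying so next to the option declaration would stop the next reader from "fixing" it.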