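# NixOS module for systemd-openbaod.
#
# Declares the `services.systemd-openbaod.package` option, a root-only Unix
# socket at /run/systemd-openbaod/sock, and the daemon that serves it. The
# service has no `wantedBy` of its own; only the socket is pulled in by
# sockets.target, so the daemon is started through the socket unit.
{
  pkgs,
  lib,
  config,
  ...
}:
let
  # Default build of the daemon, taken from this repository's default.nix.
  systemd-openbaod = (pkgs.callPackage ../../default.nix { }).package;
in
{
  imports = [
    ./openbao-secrets.nix
  ];

  options = {
    services.systemd-openbaod = {
      package = lib.mkOption {
        type = lib.types.package;
        default = systemd-openbaod;
        # literalExpression makes the generated option docs show this as a
        # Nix expression rather than as a quoted string.
        defaultText = lib.literalExpression "pkgs.systemd-openbaod";
        description = ''
          The package to use for systemd-openbaod
        '';
      };
    };
  };

  config = {
    systemd.sockets.systemd-openbaod = {
      description = "systemd-openbaod socket";
      wantedBy = [ "sockets.target" ];

      socketConfig = {
        ListenStream = "/run/systemd-openbaod/sock";
        # Owner root with mode 0600: only root can connect. These two lines
        # are the access control on the daemon's endpoint; loosening either
        # lets other local users talk to it directly.
        # NOTE(review): the parent directory is created by systemd with its
        # default DirectoryMode, so the socket mode is what restricts access
        # here - confirm that is the intent.
        SocketUser = "root";
        SocketMode = "0600";
      };
    };

    systemd.services.systemd-openbaod = {
      description = "systemd-openbaod daemon";
      requires = [ "systemd-openbaod.socket" ];
      after = [ "systemd-openbaod.socket" ];

      # Restarting can break services waiting for secrets.
      # With stopIfChanged = false a changed unit is restarted in one step
      # (systemctl restart) instead of being stopped in the old configuration
      # and started in the new one.
      stopIfChanged = false;

      serviceConfig = {
        # No User= is set, so the daemon runs as root (systemd's default for
        # system units), and no sandboxing directives are applied.
        # NOTE(review): evaluate NoNewPrivileges, ProtectSystem, ProtectHome
        # and PrivateTmp against what the daemon actually needs before
        # enabling them; this module does not show its file or network use.
        ExecStart = lib.getExe config.services.systemd-openbaod.package;
      };
    };
  };
}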