Tangled infrastructure definitions in Nix

openbao: more noodling

Signed-off-by: oppiliappan <me@oppi.li>

oppi.li a01bea2f a1f1ee14

+4 -8
+4 -8
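--- a/hosts/nixery/services/openbao/proxy.nix
+++ b/hosts/nixery/services/openbao/proxy.nix
@@ -15,17 +15,14 @@
 
 # Security hardening
 NoNewPrivileges = true;
-PrivateTmp = true;
-ProtectSystem = "strict";
-ProtectHome = true;
-ReadWritePaths = [ "/var/lib/openbao" "/var/log/openbao" ];
+LogsDirectory = "openbao";
+StateDirectory = "openbao";
 
 # Set proper environment
 Environment = [
 "VAULT_SKIP_VERIFY=true"
 "BAO_SKIP_VERIFY=true"
 "BAO_ADDR=http://127.0.0.1:8201"
-"HOME=/var/lib/openbao"
 ];
 };
 };
@@ -110,11 +107,9 @@
 # Create necessary directories and files
 systemd.tmpfiles.rules = [
 # Directories
-"d /var/lib/openbao 0755 openbao openbao -"
-"d /var/lib/private/openbao 0755 openbao openbao -"
 "d /var/lib/openbao/cache 0755 openbao openbao -"
-"d /var/log/openbao 0755 openbao openbao -"
 "d /etc/openbao 0755 root root -"
+"f /var/lib/openbao/token 0640 openbao openbao -"
 
 # Credential files (content must be populated externally)
 "f /etc/openbao/role-id 0600 openbao openbao -"
@@ -122,5 +117,6 @@
 
 # Configuration file
 "f /etc/openbao/proxy.hcl 0644 root root -"
+"f /var/lib/private/openbao/.bao 0644 openbao openbao -"
 ];
 }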
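Review bot: The three sandboxing directives dropped in the first hunk (`PrivateTmp`, `ProtectSystem = "strict"`, `ProtectHome`) are not replaced by `StateDirectory`/`LogsDirectory`; systemd already adds those directories to the writable set under `ProtectSystem=strict`, so the hardening lines can stay alongside the new ones: `PrivateTmp = true; ProtectSystem = "strict"; ProtectHome = true;`. In the tmpfiles hunks the new `/var/lib/openbao/token` is created 0640 while the sibling credential files use 0600, and `/var/lib/private/openbao/.bao` is 0644; if either holds a token, `0600` matches the existing credential-file convention and keeps them unreadable by other group members or users. Creating a dotfile under `/var/lib/private/openbao` after `HOME=/var/lib/openbao` was removed also looks like it relies on the service's home resolving there — presumably via `DynamicUser`, which is outside this hunk, so worth confirming. The enclosing `serviceConfig` set in the first hunk starts outside the hunk.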