+2
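--- a/flake.nix
+++ b/flake.nix
@@ -83,6 +83,8 @@
 tangled.nixosModules.spindle
 ./hosts/nixery/configuration.nix
 ./hosts/nixery/services/nginx.nix
+./hosts/nixery/services/openbao/openbao.nix
+./hosts/nixery/services/openbao/proxy.nix
 ./hosts/nixery/services/nixery.nix
 ];
 time.timeZone = "Europe/Helsinki";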
+19
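--- /dev/null
+++ b/hosts/nixery/services/openbao/openbao.nix
@@ -0,0 +1,19 @@
+{
+services.openbao = {
+enable = true;
+settings = {
+ui = true;
+
+listener.default = {
+type = "tcp";
+address = "127.0.0.1:8201";
+tls_disable = true;
+};
+
+cluster_addr = "http://127.0.0.1:8202";
+api_addr = "http://127.0.0.1:8201";
+
+storage.raft.path = "/var/lib/openbao";
+};
+};
+}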
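Review bot: The listener on 127.0.0.1:8201 has `tls_disable = true` and `api_addr` (line 14) is that same plain-HTTP loopback URL; this is defensible only because the port is loopback-bound, and presumably the nginx module imported alongside this file terminates TLS in front of it — if so, `api_addr` should be the externally reachable HTTPS URL, since it is what the server advertises to clients for redirects, and the listener wants `x_forwarded_for_authorized_addrs = ["127.0.0.1"]` so audit logs and any rate limiting see the real client address rather than nginx. The raft path `/var/lib/openbao` (line 16) is the same directory the proxy unit added in this commit is granted as ReadWritePaths and HOME, and that unit's tmpfiles rule creates it 0755 owned by openbao; if the NixOS module runs the server under its own or a dynamic user the ownership will conflict, and in any case the proxy has no reason to write into the raft store, so point the proxy at a separate state directory and keep this one 0700. Nothing here covers initialization, so a comment such as `# Single-node raft: no HA. Unseal keys / root token from 'bao operator init' are handled out of band.` would save the next operator a surprise.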
+126
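--- /dev/null
+++ b/hosts/nixery/services/openbao/proxy.nix
@@ -0,0 +1,126 @@
+{ pkgs, ... }:
+
+{
+systemd.services.openbao-proxy = {
+description = "OpenBao Proxy with Auto-Auth";
+after = [ "network.target" ];
+wantedBy = [ "multi-user.target" ];
+serviceConfig = {
+ExecStart = "${pkgs.openbao}/bin/bao proxy -config=/etc/openbao/proxy.hcl";
+Restart = "always";
+RestartSec = "5";
+User = "openbao";
+Group = "openbao";
+LimitNOFILE = "65536";
+
+# Security hardening
+NoNewPrivileges = true;
+PrivateTmp = true;
+ProtectSystem = "strict";
+ProtectHome = true;
+ReadWritePaths = [ "/var/lib/openbao" "/var/log/openbao" ];
+
+# Set proper environment
+Environment = [
+"VAULT_SKIP_VERIFY=true"
+"BAO_SKIP_VERIFY=true"
+"BAO_ADDR=http://127.0.0.1:8201"
+"HOME=/var/lib/openbao"
+];
+};
+};
+
+# Create openbao user and group
+users.users.openbao = {
+isSystemUser = true;
+group = "openbao";
+home = "/var/lib/private/openbao";
+createHome = true;
+};
+
+users.groups.openbao = {};
+
+environment.etc."openbao/proxy.hcl".text = ''
+# OpenBao server connection (local development)
+vault {
+address = "http://localhost:8200"
+
+# Retry configuration
+retry {
+num_retries = 5
+}
+}
+
+# Auto-Auth using AppRole
+auto_auth {
+method "approle" {
+mount_path = "auth/approle"
+config = {
+role_id_file_path = "/etc/openbao/role-id"
+secret_id_file_path = "/etc/openbao/secret-id"
+remove_secret_id_file_after_reading = false
+}
+}
+
+# Write authenticated token to file
+sink "file" {
+config = {
+path = "/var/lib/openbao/token"
+mode = 0640
+}
+}
+}
+
+# API Proxy listener for Spindle
+listener "tcp" {
+address = "127.0.0.1:8200"
+tls_disable = true
+
+# Security headers
+require_request_header = false
+
+# Enable proxy API for management
+proxy_api {
+enable_quit = true
+}
+}
+
+# Enable API proxy with auto-auth token
+api_proxy {
+use_auto_auth_token = true
+}
+
+cache {
+}
+
+# Logging configuration
+log_level = "info"
+log_format = "standard"
+log_file = "/var/log/openbao/proxy.log"
+log_rotate_duration = "24h"
+log_rotate_max_files = 30
+
+# Process management
+pid_file = "/var/lib/openbao/proxy.pid"
+
+# Disable idle connections for reliability
+disable_idle_connections = ["auto-auth", "proxying"]
+'';
+
+# Create necessary directories and files
+systemd.tmpfiles.rules = [
+# Directories
+"d /var/lib/openbao 0755 openbao openbao -"
+"d /var/lib/private/openbao 0755 openbao openbao -"
+"d /var/lib/openbao/cache 0755 openbao openbao -"
+"d /var/log/openbao 0755 openbao openbao -"
+"d /etc/openbao 0755 root root -"
+
+# Credential files (content must be populated externally)
+"f /etc/openbao/role-id 0600 openbao openbao -"
+"f /etc/openbao/secret-id 0600 openbao openbao -"
+
+# Configuration file
+"f /etc/openbao/proxy.hcl 0644 root root -"
+];
+}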
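Review bot: The proxy is pointed at itself: `vault { address = "http://localhost:8200" }` (line 46) is the proxy's own listener (line 76), while the server added in this commit listens on 127.0.0.1:8201 (and `BAO_ADDR` on line 27 already says so), so auto-auth will loop back into the proxy instead of reaching OpenBao; it should read `address = "http://127.0.0.1:8201"`. Separately, a loopback TCP listener combined with `use_auto_auth_token = true` injects the AppRole token into requests from any local process, and with `require_request_header = false` (mislabelled "Security headers") plus `enable_quit = true` any local process can both use and stop the proxy — prefer a `listener "unix"` whose `socket_mode`/`socket_user`/`socket_group` restrict it to the Spindle service's account (assuming OpenBao Proxy supports it as Vault Agent does), or at minimum set `require_request_header = true`, and drop the `proxy_api { enable_quit = true }` stanza. `VAULT_SKIP_VERIFY=true` / `BAO_SKIP_VERIFY=true` (lines 25-26) disable certificate verification for no benefit today (the upstream is plain HTTP) and will silently weaken a later move to TLS, so remove them. The unit is also granted write access to `/var/lib/openbao` (line 21), which is the server's raft storage path in this same commit, and the tmpfiles rule on line 113 makes that directory 0755; give the proxy its own state directory (e.g. `StateDirectory = "openbao-proxy"`) and keep the token sink and pid file out of the raft tree. Finally, `remove_secret_id_file_after_reading = false` leaves a long-lived AppRole secret_id at /etc/openbao/secret-id, which together with role-id is a complete login credential for anything running as openbao; if provisioning can deliver it, prefer a response-wrapped secret_id via `secret_id_response_wrapping_path`, or document the rotation expectation in the "Credential files" comment.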