Tangled infrastructure definitions in Nix

fix openbao infra

Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.sh>

anirudh.fi b3f4fbff a01bea2f

+7 -29
+7 -29
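--- a/hosts/nixery/services/openbao/proxy.nix
+++ b/hosts/nixery/services/openbao/proxy.nix
@@ -6,41 +6,19 @@
     after = [ "network.target" ];
     wantedBy = [ "multi-user.target" ];
     serviceConfig = {
+      User = "root";
       ExecStart = "${pkgs.openbao}/bin/bao proxy -config=/etc/openbao/proxy.hcl";
       Restart = "always";
       RestartSec = "5";
-      User = "openbao";
-      Group = "openbao";
       LimitNOFILE = "65536";
-
-      # Security hardening
-      NoNewPrivileges = true;
-      LogsDirectory = "openbao";
-      StateDirectory = "openbao";
-
-      # Set proper environment
-      Environment = [
-        "VAULT_SKIP_VERIFY=true"
-        "BAO_SKIP_VERIFY=true"
-        "BAO_ADDR=http://127.0.0.1:8201"
-      ];
     };
   };
 
-  # Create openbao user and group
-  users.users.openbao = {
-    isSystemUser = true;
-    group = "openbao";
-    home = "/var/lib/private/openbao";
-    createHome = true;
-  };
 
-  users.groups.openbao = {};
 
   environment.etc."openbao/proxy.hcl".text = ''
-    # OpenBao server connection (local development)
     vault {
-      address = "http://localhost:8200"
+      address = "http://localhost:8201"
 
       # Retry configuration
       retry {
@@ -107,16 +85,16 @@
   # Create necessary directories and files
   systemd.tmpfiles.rules = [
     # Directories
-    "d /var/lib/openbao/cache 0755 openbao openbao -"
+    "d /var/lib/openbao 0755 root root -"
+    "d /var/lib/openbao/cache 0755 root root -"
+    "d /var/log/openbao 0755 root root -"
     "d /etc/openbao 0755 root root -"
-    "f /var/lib/openbao/token 0640 openbao openbao -"
 
     # Credential files (content must be populated externally)
-    "f /etc/openbao/role-id 0600 openbao openbao -"
-    "f /etc/openbao/secret-id 0600 openbao openbao -"
+    "f /etc/openbao/role-id 0600 root root -"
+    "f /etc/openbao/secret-id 0600 root root -"
 
     # Configuration file
     "f /etc/openbao/proxy.hcl 0644 root root -"
-    "f /var/lib/private/openbao/.bao 0644 openbao openbao -"
   ];
 }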
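Review bot: The new `User = "root";` in serviceConfig, together with the dropped `NoNewPrivileges`, `StateDirectory` and `LogsDirectory` and the deleted `users.users.openbao` definition, moves the proxy from a dedicated unprivileged account to root, so a defect in the proxy or a bad proxy.hcl now runs with full host privileges and the role-id/secret-id files are protected only by their 0600 mode. If the motivation was ownership of /var/lib/openbao and /var/log/openbao (the directories the new tmpfiles rules now create by hand), systemd already creates and chowns those for the service user through `StateDirectory = "openbao";` and `LogsDirectory = "openbao";`, so the dedicated user can be kept without the manual rules. I would keep the openbao user and group and `NoNewPrivileges = true;`, and make the credential rules `"f /etc/openbao/role-id 0600 openbao openbao -"` and `"f /etc/openbao/secret-id 0600 openbao openbao -"` so the service can read them without being root. The address change to 8201 at the same time resolves the earlier mismatch between `BAO_ADDR=http://127.0.0.1:8201` and `address = "http://localhost:8200"`, but a one-line comment in proxy.hcl naming what listens on 8201 would save the next reader that inference; the enclosing module and the serviceConfig attrset both begin before this hunk.
```nix
    serviceConfig = {
      User = "openbao";
      Group = "openbao";
      # systemd creates /var/lib/openbao and /var/log/openbao owned by the service user
      StateDirectory = "openbao";
      LogsDirectory = "openbao";
      NoNewPrivileges = true;
      # … unchanged: ExecStart, Restart, RestartSec, LimitNOFILE …
    };
```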