+7
-29
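--- a/hosts/nixery/services/openbao/proxy.nix
+++ b/hosts/nixery/services/openbao/proxy.nix
@@ -6,41 +6,19 @@
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
 serviceConfig = {
+User = "root";
 ExecStart = "${pkgs.openbao}/bin/bao proxy -config=/etc/openbao/proxy.hcl";
 Restart = "always";
 RestartSec = "5";
-User = "openbao";
-Group = "openbao";
 LimitNOFILE = "65536";
-
-# Security hardening
-NoNewPrivileges = true;
-LogsDirectory = "openbao";
-StateDirectory = "openbao";
-
-# Set proper environment
-Environment = [
-"VAULT_SKIP_VERIFY=true"
-"BAO_SKIP_VERIFY=true"
-"BAO_ADDR=http://127.0.0.1:8201"
-];
 };
 };
 
-# Create openbao user and group
-users.users.openbao = {
-isSystemUser = true;
-group = "openbao";
-home = "/var/lib/private/openbao";
-createHome = true;
-};
 
-users.groups.openbao = {};
 
 environment.etc."openbao/proxy.hcl".text = ''
-# OpenBao server connection (local development)
 vault {
-address = "http://localhost:8200"
+address = "http://localhost:8201"
 
 # Retry configuration
 retry {
@@ -107,16 +85,16 @@
 # Create necessary directories and files
 systemd.tmpfiles.rules = [
 # Directories
-"d /var/lib/openbao/cache 0755 openbao openbao -"
+"d /var/lib/openbao 0755 root root -"
+"d /var/lib/openbao/cache 0755 root root -"
+"d /var/log/openbao 0755 root root -"
 "d /etc/openbao 0755 root root -"
-"f /var/lib/openbao/token 0640 openbao openbao -"
 
 # Credential files (content must be populated externally)
-"f /etc/openbao/role-id 0600 openbao openbao -"
-"f /etc/openbao/secret-id 0600 openbao openbao -"
+"f /etc/openbao/role-id 0600 root root -"
+"f /etc/openbao/secret-id 0600 root root -"
 
 # Configuration file
 "f /etc/openbao/proxy.hcl 0644 root root -"
-"f /var/lib/private/openbao/.bao 0644 openbao openbao -"
 ];
 }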
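Review bot: The new `User = "root";` at the top of serviceConfig, combined with dropping `NoNewPrivileges = true;` and the dedicated openbao user and group, moves the proxy from an unprivileged account to full root with no sandboxing directives left in the unit; the tmpfiles changes in the second hunk (role-id and secret-id now `root root`) show this is deliberate, presumably so other root-run units can read the proxy's output token, but the commit records no reason. If root is genuinely required, restore `NoNewPrivileges = true;` and add `ProtectSystem = "strict"; ProtectHome = true;` with `ReadWritePaths` listing /var/lib/openbao and /var/log/openbao, and state the reason in a comment above `User`; otherwise keep the openbao user and share the token through group ownership and a 0640 mode as the removed `/var/lib/openbao/token` rule already did. Removing `VAULT_SKIP_VERIFY`/`BAO_SKIP_VERIFY` is welcome, although the proxy.hcl address remains plain http on localhost so no TLS verification happens on that path anyway. The enclosing `systemd.services` attribute set begins before the first hunk.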