feat(systems): inject systemd-openbao project

This brings the openbao agent, a Go proxy to make the link between systemd's LoadCredential and the openbao agent. All that remains is to configure authentication on every system we need to use OpenBao and then the templates for every secret we care about. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2025-01-01 02:20:36 +01:00 · 2025-01-01 02:20:36 +01:00 · 1a5e5a6adb
commit 1a5e5a6adb
parent 81cdc4698a
2 changed files with 24 additions and 0 deletions
--- a/flake.lock
+++ b/flake.lock
@ -789,6 +789,7 @@
        "nixpkgs": "nixpkgs_2",
        "ofborg": "ofborg",
        "stateless-uptime-kuma": "stateless-uptime-kuma",
+        "systemd-openbao": "systemd-openbao",
        "terranix": "terranix"
      }
    },
@ -853,6 +854,22 @@
        "url": "https://git.dgnum.eu/DGNum/stateless-uptime-kuma.git"
      }
    },
+    "systemd-openbao": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1735694158,
+        "narHash": "sha256-n8cyDX5qitjTNFQ2+nUeOpqSkXREir9p2bSqOZZ5sLs=",
+        "ref": "refs/heads/main",
+        "rev": "2479c46b0fa892c4fdcd3e315f0cdfe096b5e71a",
+        "revCount": 160,
+        "type": "git",
+        "url": "https://git.lix.systems/the-distro/systemd-openbao.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.lix.systems/the-distro/systemd-openbao.git"
+      }
+    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
--- a/flake.nix
+++ b/flake.nix
@ -41,6 +41,9 @@
    channel-scripts.inputs.nixpkgs.follows = "nixpkgs";
    channel-scripts.inputs.crane.inputs.attic.inputs.flake-compat.follows = "flake-compat";

+    systemd-openbao.url = "git+https://git.lix.systems/the-distro/systemd-openbao.git";
+    systemd-openbao.flake = false;
+
    stateless-uptime-kuma.url = "git+https://git.dgnum.eu/DGNum/stateless-uptime-kuma.git";
    stateless-uptime-kuma.flake = false;

@ -143,9 +146,13 @@
    terraformConfiguration = forEachSystem' ({ terraformCfg, ... }: terraformCfg);

    colmena = let
+      systemd-openbao = import inputs.systemd-openbao { };
      commonModules = [
        inputs.agenix.nixosModules.default
        inputs.hydra.nixosModules.hydra
+        systemd-openbao.nixosModules.openbaoAgent
+        systemd-openbao.nixosModules.systemdOpenBaod
+        systemd-openbao.nixosModules.openbaoSecrets
        inputs.buildbot-nix.nixosModules.buildbot-coordinator
        inputs.buildbot-nix.nixosModules.buildbot-worker