feat(systems): inject systemd-openbao project

This brings the openbao agent, a Go proxy to make the link between systemd's LoadCredential and the openbao agent. All that remains is to configure authentication on every system we need to use OpenBao and then the templates for every secret we care about. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
feat(systems): trust our infra chain on all systems
2025-01-01 02:20:36 +01:00 · 2025-01-01 02:09:49 +01:00
5 changed files with 97 additions and 3 deletions
--- a/common/pki.nix
+++ b/common/pki.nix
@ -1,6 +1,6 @@
 {
-  # Trust our ICA2 CA chain certificate.
+  # Trust our infrastructure CA chain certificate.
  security.pki.certificateFiles = [
-    ../pki/ica2.crt
+    ../pki/infra.crt
  ];
 }
--- a/flake.lock
+++ b/flake.lock
@ -789,6 +789,7 @@
        "nixpkgs": "nixpkgs_2",
        "ofborg": "ofborg",
        "stateless-uptime-kuma": "stateless-uptime-kuma",
+        "systemd-openbao": "systemd-openbao",
        "terranix": "terranix"
      }
    },
@ -853,6 +854,22 @@
        "url": "https://git.dgnum.eu/DGNum/stateless-uptime-kuma.git"
      }
    },
+    "systemd-openbao": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1735694158,
+        "narHash": "sha256-n8cyDX5qitjTNFQ2+nUeOpqSkXREir9p2bSqOZZ5sLs=",
+        "ref": "refs/heads/main",
+        "rev": "2479c46b0fa892c4fdcd3e315f0cdfe096b5e71a",
+        "revCount": 160,
+        "type": "git",
+        "url": "https://git.lix.systems/the-distro/systemd-openbao.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.lix.systems/the-distro/systemd-openbao.git"
+      }
+    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
--- a/flake.nix
+++ b/flake.nix
@ -41,6 +41,9 @@
    channel-scripts.inputs.nixpkgs.follows = "nixpkgs";
    channel-scripts.inputs.crane.inputs.attic.inputs.flake-compat.follows = "flake-compat";

+    systemd-openbao.url = "git+https://git.lix.systems/the-distro/systemd-openbao.git";
+    systemd-openbao.flake = false;
+
    stateless-uptime-kuma.url = "git+https://git.dgnum.eu/DGNum/stateless-uptime-kuma.git";
    stateless-uptime-kuma.flake = false;

@ -143,9 +146,13 @@
    terraformConfiguration = forEachSystem' ({ terraformCfg, ... }: terraformCfg);

    colmena = let
+      systemd-openbao = import inputs.systemd-openbao { };
      commonModules = [
        inputs.agenix.nixosModules.default
        inputs.hydra.nixosModules.hydra
+        systemd-openbao.nixosModules.openbaoAgent
+        systemd-openbao.nixosModules.systemdOpenBaod
+        systemd-openbao.nixosModules.openbaoSecrets
        inputs.buildbot-nix.nixosModules.buildbot-coordinator
        inputs.buildbot-nix.nixosModules.buildbot-worker

--- a/pki/cacerts/README.md
+++ b/pki/cacerts/README.md
@ -10,4 +10,8 @@ The chain from ICA1 to root CA.

 ## `ica2.crt`

-The chain from ICA2 to root CA (ICA2 → ICA → root CA), this is what you want to usually use to trust our PKI.
+The chain from ICA2 to root CA (ICA2 → ICA1 → root CA), this is what you want to usually use to trust our PKI, assuming you send any intermediate CAs.
+
+## `infra.crt`
+
+The chain from the infra CA to root CA (infra → ICA2 → ICA1 → root CA), this is what you want to trust for the infrastructure.
--- a/pki/cacerts/infra.crt
+++ b/pki/cacerts/infra.crt
@ -0,0 +1,66 @@
+-----BEGIN CERTIFICATE-----
+MIICbDCCAh6gAwIBAgIUfzoqAP1fiwDncDYJjtLvHQcjobQwBQYDK2VwMIGaMQsw
+CQYDVQQGEwJERTEPMA0GA1UECBMGSGVzc2VuMRIwEAYDVQQHEwlEYXJtc3RhZHQx
+FzAVBgNVBAoTDkZsb3JhbCBTeXN0ZW1zMS0wKwYDVQQLEyRGbG9yYWwgU3lzdGVt
+cyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHjAcBgNVBAMTFUludGVybWVkaWF0ZSBD
+QTIgdjEuMTAeFw0yNTAxMDEwMTA3NDVaFw0yNjAxMDEwMTA4MTVaMIGoMQswCQYD
+VQQGEwJERTEPMA0GA1UECBMGSGVzc2VuMRIwEAYDVQQHEwlEYXJtc3RhZHQxFzAV
+BgNVBAoTDkZsb3JhbCBTeXN0ZW1zMS0wKwYDVQQLEyRGbG9yYWwgU3lzdGVtcyBD
+ZXJ0aWZpY2F0ZSBBdXRob3JpdHkxLDAqBgNVBAMTI0ludGVybWVkaWF0ZSBJbmZy
+YXN0cnVjdHVyZSBDQSB2MS4xMCowBQYDK2VwAyEAgE4pxQEoZ1nhYtBUoamCkJEZ
+VjnYABTm8iWSe4UPtdOjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAG
+AQH/AgEAMB0GA1UdDgQWBBQyAkN71b8P9RTIIS8c8zpxmFpGaTAfBgNVHSMEGDAW
+gBS8G8fUlv8s+7AvikDnIS4j8bp7HjAFBgMrZXADQQC1mhYcFCc34g3Yu7I32Un1
+Ux60AnboO8eG+C8hGktxvBZNoGJ9uYjoyp+LwiAEa1NBLavPnOFFGATmCcCbGekA
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICXTCCAg+gAwIBAgIUcLJmuRVLSn7NRVKOJnLIcIjAKy0wBQYDK2VwMIGZMQsw
+CQYDVQQGEwJERTEPMA0GA1UECBMGSGVzc2VuMRIwEAYDVQQHEwlEYXJtc3RhZHQx
+FzAVBgNVBAoTDkZsb3JhbCBTeXN0ZW1zMS0wKwYDVQQLEyRGbG9yYWwgU3lzdGVt
+cyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHTAbBgNVBAMTFEludGVybWVkaWF0ZSBD
+QTEgdjEgMB4XDTI0MTIzMTE2NTA0OVoXDTI1MTIzMTE2NTExOVowgZoxCzAJBgNV
+BAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4xEjAQBgNVBAcTCURhcm1zdGFkdDEXMBUG
+A1UEChMORmxvcmFsIFN5c3RlbXMxLTArBgNVBAsTJEZsb3JhbCBTeXN0ZW1zIENl
+cnRpZmljYXRlIEF1dGhvcml0eTEeMBwGA1UEAxMVSW50ZXJtZWRpYXRlIENBMiB2
+MS4xMCowBQYDK2VwAyEAlMaf5T/o39ZZmieNszDxjsVP06xb3IIV7ds+01g2pQij
+ZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW
+BBS8G8fUlv8s+7AvikDnIS4j8bp7HjAfBgNVHSMEGDAWgBRqxA1IFDZW0IULtTmj
+s6HdHnmL+zAFBgMrZXADQQDBLEUMedqJhNtRqEOY2NHsRdqhA5kvzDuYk+hUyCaQ
+VhLbW5+EfQL7vLkv8VihN7jlaRl+ngsfRBLK0LA4YJkB
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICrzCCAhKgAwIBAgIUUfC3HiC4wWFjkavirLxjTpVrxkcwCgYIKoZIzj0EAwIw
+gZsxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZIZXNzZW4xEjAQBgNVBAcMCURhcm1z
+dGFkdDEXMBUGA1UECgwORmxvcmFsIFN5c3RlbXMxLTArBgNVBAsMJEZsb3JhbCBT
+eXN0ZW1zIENlcnRpZmljYXRlIEF1dGhvcml0eTEfMB0GA1UEAwwWRmxvcmFsIFN5
+c3RlbXMgUm9vdCBDQTAeFw0yNDEyMzExNjQ0MjJaFw0yNTAxMzAxNjQ0MjJaMIGZ
+MQswCQYDVQQGEwJERTEPMA0GA1UECBMGSGVzc2VuMRIwEAYDVQQHEwlEYXJtc3Rh
+ZHQxFzAVBgNVBAoTDkZsb3JhbCBTeXN0ZW1zMS0wKwYDVQQLEyRGbG9yYWwgU3lz
+dGVtcyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHTAbBgNVBAMTFEludGVybWVkaWF0
+ZSBDQTEgdjEgMCowBQYDK2VwAyEA/SgktXV6oQ4Bk5X9P0uAtX08g4hgdyYY/q+z
+0C+D9OujYzBhMB0GA1UdDgQWBBRqxA1IFDZW0IULtTmjs6HdHnmL+zAfBgNVHSME
+GDAWgBRlFXmiKsRTP5Jn0wTWH+rGMisrgTAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud
+DwEB/wQEAwIBhjAKBggqhkjOPQQDAgOBigAwgYYCQDgp6p7TvWOZmaC0WZHnVCeU
+AVJ1qSKjHRqnLUHAIBoPTvsEm1ActVcOYOyq5VxS7StirkULn7qWKzr2l67k5MYC
+QgG5sSKwP7vn+2B+/yNkBQTbHKyNZAQOg+tvPTwrmzmBzak3J1b2d4+qSkq9JEnZ
+uCAwXV3uHmNPlK4jgr4SHxwYKg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDJDCCAoagAwIBAgIUHW9bhbgk6GXm5i+uamYWbInHDhkwCgYIKoZIzj0EAwQw
+gZsxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZIZXNzZW4xEjAQBgNVBAcMCURhcm1z
+dGFkdDEXMBUGA1UECgwORmxvcmFsIFN5c3RlbXMxLTArBgNVBAsMJEZsb3JhbCBT
+eXN0ZW1zIENlcnRpZmljYXRlIEF1dGhvcml0eTEfMB0GA1UEAwwWRmxvcmFsIFN5
+c3RlbXMgUm9vdCBDQTAeFw0yNDEyMzAxMzEwMDlaFw0zNDEyMjgxMzEwMDlaMIGb
+MQswCQYDVQQGEwJERTEPMA0GA1UECAwGSGVzc2VuMRIwEAYDVQQHDAlEYXJtc3Rh
+ZHQxFzAVBgNVBAoMDkZsb3JhbCBTeXN0ZW1zMS0wKwYDVQQLDCRGbG9yYWwgU3lz
+dGVtcyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNVBAMMFkZsb3JhbCBTeXN0
+ZW1zIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAD6xFA+QeHoUVZr
+WaDbfoUkELxnviEPLogl8+IgJ06ki+84yIAM3Zn+6IlmnJGoPaceoPIdYwHByWqf
+wvhvTobYRgB8T4l7vyt/KmMfkD2SU576syuR23PkJ6eImGklU3P1+H9CyU2BoPIg
+N21Kumx7GCvGAA8NsQyQVdZeLZ6lYjnCfaNjMGEwHQYDVR0OBBYEFGUVeaIqxFM/
+kmfTBNYf6sYyKyuBMB8GA1UdIwQYMBaAFGUVeaIqxFM/kmfTBNYf6sYyKyuBMA8G
+A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMEA4GLADCB
+hwJBLvw4lfu2efHxdkPZpddMe9wLrrOFwoeYMIJ4XN4qn8WwQCy4G0oXTKHzwm3y
+I82YwdK5r6tUtdoHhQ5BscrrnRsCQgGNejEZMet0lFgch1Dr2iunnsOEpdODtapD
+Jwp4PRUSTdlqk0C2GOWUtbcK2arZ/QexnqLAKhASuY/clqVZLLzHTw==
+-----END CERTIFICATE-----