
feat(wolumonde): setup openbao for tangled spindle secrets

dusk ba8ae055 20aaab0a

+250 -6
-3
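--- a/hosts/wolumonde/modules/nginx.nix
+++ b/hosts/wolumonde/modules/nginx.nix
@@ -58,12 +58,9 @@
 # "bsky.gaze.systems"
 "dawn.gaze.systems"
 "guestbook.gaze.systems"
-"webhook.gaze.systems"
 "dash.gaze.systems"
 "knot.gaze.systems"
 "spindle.gaze.systems"
-"skeetdeck.gaze.systems"
-"likes.gaze.systems"
 "id.gaze.systems"
 "vpn.gaze.systems"
 ];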
+10 -1
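--- a/hosts/wolumonde/modules/openbao.nix
+++ b/hosts/wolumonde/modules/openbao.nix/default.nix
@@ -1,9 +1,11 @@
-{config, ...}: let
+{lib, config, ...}: let
 port = 5394;
 domain = "bao.${config.services.headscale.settings.dns.base_domain}";
 cfg = config.services.openbao.settings;
 apiAddress = "127.0.0.1:${toString port}";
 in {
+imports = [./spindle-proxy];
+
 services.openbao = {
 enable = true;
 settings = {
@@ -12,6 +14,7 @@
 listener.default = {
 type = "tcp";
 address = apiAddress;
+tls_disable = true;
 };
 
 cluster_addr = "http://127.0.0.1:8201";
@@ -20,6 +23,12 @@
 storage.file.path = "/var/lib/openbao/data";
 };
 };
+
+systemd.services.openbao.preStart = ''
+mkdir -p /var/lib/openbao
+rm -rf /var/lib/openbao/policies
+cp -r ${./policies} /var/lib/openbao/policies
+'';
 
 services.headscale.settings.dns.extra_records = [
 {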
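Review bot: The `preStart` added in the third hunk rebuilds `/var/lib/openbao/policies` from the store on every start (`rm -rf` followed by `cp -r`), an imperative copy of an input that never changes between starts; its only consumer appears to be the manual `bao policy write` step in the spindle-proxy README. The same stable path can be declared without a per-start shell, e.g. `environment.etc."openbao/policies".source = ./policies;` with the README pointed at `/etc/openbao/policies/spindle.hcl`, which also removes the dependency on `preStart` being able to write into the state directory. The `tls_disable = true` added to `listener.default` is confined to the loopback bind in `apiAddress`, so plaintext stays on-host, but the proxy config consumes `api_addr` as its server address, so that value (outside these hunks) must use the `http` scheme to match. `lib` is newly added to the argument set but is not used on any visible line.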
+19
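--- /dev/null
+++ b/hosts/wolumonde/modules/openbao.nix/policies/spindle.hcl
@@ -0,0 +1,19 @@
+# Full access to spindle KV v2 data
+path "spindle/data/*" {
+capabilities = ["create", "read", "update", "delete"]
+}
+
+# Access to metadata for listing and management
+path "spindle/metadata/*" {
+capabilities = ["list", "read", "delete", "update"]
+}
+
+# Allow listing at root level
+path "spindle/" {
+capabilities = ["list"]
+}
+
+# Required for connection testing and health checks
+path "auth/token/lookup-self" {
+capabilities = ["read"]
+}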
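Review bot: The `delete` capability on `spindle/metadata/*` lets the role permanently remove every version of a secret together with its history, which is considerably broader than the soft-delete of the latest version already granted by `delete` on `spindle/data/*`. If spindle only needs to read, write and list secrets, narrow the metadata path to `capabilities = ["list", "read"]`; `update` on metadata also allows changing per-secret settings such as the version limit, so keep it only if spindle actually writes metadata. The comment "Access to metadata for listing and management" would then read "Access to metadata for listing".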
+21
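--- /dev/null
+++ b/hosts/wolumonde/modules/openbao.nix/spindle-proxy/README.md
@@ -0,0 +1,21 @@
+see https://tangled.sh/@tangled.sh/core/blob/master/docs/spindle/openbao.md
+
+set BAO_ADDRESS: `$env.BAO_ADDRESS = "http://bao.lan.gaze.systems"`
+set BAO_TOKEN: `$env.BAO_TOKEN = "<root key>"`
+
+create mount: `bao secrets enable -path=spindle -version=2 kv`
+
+setup policy: `
+bao policy write spindle /var/lib/openbao/policies/spindle.hcl
+bao auth enable approle
+bao write auth/approle/role/spindle \
+token_policies="spindle" \
+token_ttl=1h \
+token_max_ttl=4h \
+bind_secret_id=true \
+secret_id_ttl=0 \
+secret_id_num_uses=0
+`
+
+get role-id: `bao read -field=role_id auth/approle/role/spindle/role-id`
+get secret-id: `bao write -f auth/approle/role/spindle/secret-id`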
+63
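--- /dev/null
+++ b/hosts/wolumonde/modules/openbao.nix/spindle-proxy/config.hcl
@@ -0,0 +1,63 @@
+vault {
+address = "%vault_address%"
+
+# Retry configuration
+retry {
+num_retries = 5
+}
+}
+
+# Auto-Auth using AppRole
+auto_auth {
+method "approle" {
+mount_path = "auth/approle"
+config = {
+role_id_file_path = "%role_id%"
+secret_id_file_path = "%secret_id%"
+remove_secret_id_file_after_reading = false
+}
+}
+
+# Write authenticated token to file
+sink "file" {
+config = {
+path = "/var/lib/%name%/token"
+mode = 0640
+}
+}
+}
+
+# API Proxy listener for Spindle
+listener "tcp" {
+address = "127.0.0.1:%listener_port%"
+tls_disable = true
+
+# Security headers
+require_request_header = false
+
+# Enable proxy API for management
+proxy_api {
+enable_quit = true
+}
+}
+
+# Enable API proxy with auto-auth token
+api_proxy {
+use_auto_auth_token = true
+}
+
+cache {
+}
+
+# Logging configuration
+log_level = "info"
+log_format = "standard"
+log_file = "/var/lib/%name%/proxy.log"
+log_rotate_duration = "24h"
+log_rotate_max_files = 30
+
+# Process management
+pid_file = "/var/lib/%name%/proxy.pid"
+
+# Disable idle connections for reliability
+disable_idle_connections = ["auto-auth", "proxying"]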
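Review bot: `use_auto_auth_token = true` under `api_proxy` means any client that reaches the listener on `127.0.0.1:%listener_port%` without a token of its own is served with the proxy's AppRole token, so the listener is an unauthenticated front door to everything the `spindle` policy permits; `spindle-proxy/default.nix` then publishes that listener through `services.nginx.virtualHosts."spindle.bao.lan.gaze.systems"` plus a headscale A record, and `tangled.nix` points spindle at that hostname. If nginx on this host listens on anything beyond loopback (the `100.64.0.2` record suggests the tailnet), any peer that can reach it gets the same read/write on the spindle KV mount, and `proxy_api { enable_quit = true }` additionally lets such a peer shut the proxy down through the quit endpoint. Since `tangled.nix` shows spindle as a systemd service on the same host, the safer shape is `openbao.proxyAddr = "http://127.0.0.1:8945";` there, dropping the nginx virtualHost and DNS record in `spindle-proxy/default.nix`, and `enable_quit = false` (or no `proxy_api` block at all). `require_request_header = false` does not change this picture: that header only distinguishes proxy-aware clients, it is not authentication, so the comment "Security headers" above it overstates what it does.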
+93
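--- /dev/null
+++ b/hosts/wolumonde/modules/openbao.nix/spindle-proxy/default.nix
@@ -0,0 +1,93 @@
+{ config, lib, pkgs, ... }:
+let
+port = 8945;
+secrets = config.age.secrets;
+cfgFile = pkgs.writeText "openbao-proxy-spindle-config.hcl" (
+lib.replaceStrings
+[
+"%role_id%"
+"%secret_id%"
+"%vault_address%"
+"%listener_port%"
+"%name%"
+]
+[
+secrets.spindleOpenbaoRoleId.path
+secrets.spindleOpenbaoSecretId.path
+config.services.openbao.settings.api_addr
+(toString port)
+name
+]
+(lib.fileContents ./config.hcl)
+);
+domain = "spindle.bao.lan.gaze.systems";
+name = "openbao-proxy-spindle";
+in
+{
+age.secrets.spindleOpenbaoRoleId = {
+file = ../../../../../secrets/spindleOpenbaoRoleId.age;
+mode = "600";
+owner = name;
+group = name;
+};
+age.secrets.spindleOpenbaoSecretId = {
+file = ../../../../../secrets/spindleOpenbaoSecretId.age;
+mode = "600";
+owner = name;
+group = name;
+};
+
+users.users.${name} = {
+isSystemUser = true;
+group = name;
+};
+users.groups.${name} = {
+members = [name];
+};
+
+systemd.services.${name} = {
+description = "OpenBao Proxy with Auto-Auth for tangled spindle";
+after = [ "openbao.service" ];
+before = [ "spindle.service" ];
+requires = [ "openbao.service" ];
+wantedBy = [ "multi-user.target" ];
+serviceConfig = {
+ExecStart = "${pkgs.openbao}/bin/bao proxy -config=${cfgFile}";
+Restart = "on-failure";
+RestartSec = "5";
+LimitNOFILE = "65536";
+User = name;
+Group = name;
+RuntimeDirectory=name;
+RuntimeDirectoryMode=0700;
+StateDirectory=name;
+StateDirectoryMode=0700;
+ProcSubset="pid";
+ProtectClock=true;
+ProtectControlGroups=true;
+ProtectHome=true;
+ProtectHostname=true;
+ProtectKernelLogs=true;
+ProtectKernelModules=true;
+ProtectKernelTunables=true;
+ProtectProc="invisible";
+RestrictNamespaces=true;
+RestrictRealtime=true;
+RestrictAddressFamilies=["AF_INET" "AF_INET6" "AF_UNIX"];
+SystemCallArchitectures="native";
+SystemCallFilter=["@system-service" "@resources" "~@privileged"];
+};
+};
+
+services.headscale.settings.dns.extra_records = [
+{
+name = domain;
+type = "A";
+value = "100.64.0.2";
+}
+];
+services.nginx.virtualHosts.${domain} = {
+quic = true;
+locations."/".proxyPass = "http://127.0.0.1:${toString port}";
+};
+}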
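Review bot: The `serviceConfig` of `systemd.services.${name}` sets no `ProtectSystem`, `NoNewPrivileges`, `PrivateTmp`, `PrivateDevices` or `CapabilityBoundingSet`, so despite the long `Protect*`/`Restrict*` list the unit can still write anywhere its user can reach outside `StateDirectory` and is not barred from acquiring capabilities. `ProtectSystem = "strict"` fits this unit because everything the proxy writes (`token`, `proxy.log`, `proxy.pid`) lives under `/var/lib/${name}`, which `StateDirectory` keeps writable, and the agenix secret files only need to be read — confirm nothing expects those paths to be writable. Separately, `RuntimeDirectoryMode=0700` and `StateDirectoryMode=0700` are Nix decimal integers (700) that systemd happens to read as octal, so the outcome is right, but the string form `"0700"` states what is meant; and `users.groups.${name}.members = [name]` duplicates `group = name` on the user.
```nix
serviceConfig = {
  # … unchanged: ExecStart, Restart, RestartSec, LimitNOFILE, User/Group, Runtime/StateDirectory …
  ProtectSystem = "strict";
  NoNewPrivileges = true;
  PrivateTmp = true;
  PrivateDevices = true;
  CapabilityBoundingSet = "";
  LockPersonality = true;
  # … unchanged: existing Protect*/Restrict*/SystemCall* entries …
};
```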
+2 -2
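--- a/hosts/wolumonde/modules/tangled.nix
+++ b/hosts/wolumonde/modules/tangled.nix
@@ -49,7 +49,7 @@
 owner = "did:plc:dfl62fgb7wtjj3fcbb72naae";
 secrets = {
 provider = "openbao";
-openbao.proxyAddr = "http://bao.lan.gaze.systems";
+openbao.proxyAddr = "http://spindle.bao.lan.gaze.systems";
 };
 };
 };
@@ -60,7 +60,7 @@
 users.groups.spindle = { };
 users.groups.podman.members = [ "spindle" ];
 systemd.services.spindle = {
-after = lib.mkForce [ "network.target" ];
+after = lib.mkForce [ "network.target" "openbao-proxy-spindle.service" ];
 serviceConfig = {
 User = "spindle";
 Group = "spindle";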
+8
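--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -70,4 +70,12 @@
 yusdacra
 develMobi
 ];
+"spindleOpenbaoRoleId.age".publicKeys = [
+yusdacra
+wolumonde
+];
+"spindleOpenbaoSecretId.age".publicKeys = [
+yusdacra
+wolumonde
+];
 }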
+17
secrets/spindleOpenbaoRoleId.age
··· 1 + age-encryption.org/v1 2 + -> ssh-rsa Abmvag 3 + i1WEFfFEf7rvpH8pfM4+Z7mBSJwzAa/xNP5YMp0aVk9AMpFoT/39mwzr0LMtnruk 4 + u8Dz3ILegSyc69L9Ge1rNX6L5mN0qUyjsN1h/cMCh9Cgw4DxYkRB9NYI3xNUQFau 5 + xHVbgJ8DBDwZ3XnM0JYf9c23Kk1oft+PV07JKtyBN6r8JGCpu7N5Ccb/oj4epnS0 6 + 0DgoEDLT9DgiZXVo+Q6w++gfSq58ClYaguoHaDCTBdRKHans9BWIqJ7pAOu9hXcl 7 + vyuw/jz0bwKKh474xiCHArw4xN+ji7aFTRG3FkeK52giWoK95+P4z5ieaHJKz2jk 8 + I4HiGjgpfDGJzsgz5yEJFhntlnOWVHChvyZ1QSEKe2OIGAQmfGSbDRBYPS2wrfeL 9 + v8JueFHCG4ABh53+guzmjTMZTRjh8O5d2YEcrrWhGgwssHxUTzNE4KUCVkNV4/OS 10 + 6+hvmU1NC8rYBNMRiZtYiu6osmtWndYYFCsJpURfyFoDzCWmvjl6pxNFTtTTukMm 11 + WBgKxC2K4EwQ27k6IExm2epDH5kwdJrPGe8yZIl3zK9Y1Sa+Q3LYp8D5QWUv2uts 12 + lQXTVvJVrg9wn1AfxCnGBApCPIvEiw8PwU/adfa+UMKN/kGMvE6iL0+J2aGTxO4l 13 + zmyLUErh9f8iBIF/90DIqf9FrjBWcbtv3zphmgHZkII 14 + -> ssh-ed25519 KjIL7g GZl/qIbkVajzJn0ZsI0ImzIyGdjm1tMFbEh4LnOALAA 15 + WXYCRfsfYU+nI67+4d6PX/iER2aA7Flt6xWPlvYELDg 16 + --- Y8pLVkJQfP5piXtWJ3AegPsLLj3NDWXpmt3aoiwicgo 17 + E�RR�y��������@����X���t�$ǻ��s���Ǟ���~��|�r�F�~�n��NG
+17
secrets/spindleOpenbaoSecretId.age
··· 1 + age-encryption.org/v1 2 + -> ssh-rsa Abmvag 3 + G3DtXBNVhNcRiXlpQ7iJ8kZrsu59WF62pnLheEGKj2JGg6m+LLOqLChQg1YOSjB1 4 + zIy3QwpfXB4Rn081lXEXKvs6Jr1FbAkhggeLLtflPEAouxPiJ1HkxtyCNv02L+Pj 5 + uBvi32fMnTw3Kep6LTNBqkAhsvFNf02zsNxm+KfFpwn+kWvUtGdsHeAsWIXO/4lL 6 + FjbPI860FvbfrAp0r7Hv79MRLYTUhki7gX+VZooEngobCImTiq9NR++MpdsMmovC 7 + hst6CESEuTdqhw2SrTteGU10E+5q1jd1z0T+ttHe0GqKmQwuQB4S1KtSx74xiQhV 8 + gg8ZyVAVdSt49s9YLRMdJjFWHXNPC3GKQzlXWZ4xLrpeBc3YrQhp3+7iRhRB92gX 9 + GhWdw/UN9fKPbILi2W+3bSEByGzJ2iBo0BMxK0I7541ZgpQHOOvySLHzElnpRdwD 10 + I3+GuDif1cHusLBVruwUubfr11UwzOLkUgzP504Sf55liMSjnq5DxzkaUERzTg/T 11 + SNmC9misXkxUpwWSYKjSEe5p3x8CsJwmVkrXh+N9GFiYD+Al/9aWPrmw+Kl4CMe6 12 + MJlxCpfVKTdx3ePA7d7POx1RQuBf78nTg5XCyBf2BB2lycKkg05hX+1VzTCYMChZ 13 + zLh1RiSWtRxgIbljwWanPW0AmZaDkRTxdilbFg2sa7U 14 + -> ssh-ed25519 KjIL7g C+NvzMVX+2NdIXoYGPv1yeGRaHnSEQQuG7MS3e5SKlE 15 + L5TFRde0T/sn8teeFuBy3c8fydmiI07NT+pFnIIyYwE 16 + --- fcPjYFQG6lbT2cGzt/oZhO5PahAoiN4yUT12xa4Kc8s 17 + �ZZ�/h��������p�]�AR!�O��`�2��K<���Eo��R����VN �����G�p��0u