Fix some notes

README.md

@@ -41,3 +41,7 @@ To transfer the secrets needed for OpenTofu from Bitwarden to OpenBAO/Vault run:
 ```bash
 nix run '.#bitwarden-to-vault'
 ```
+
+## Immediate TODO list:
+
+1. Make the hetzner-static-ip.service not fail when the IP is already assigned.

nix/systems/aarch64-linux/security.kaareskovgaard.net/README.md

@@ -1,3 +1,7 @@
+# Before beginning
+
+Enable bootstrapping of the instance, by setting `config.khscodes."security.kaareskovgaard.net".bootstrap.enable = true` in `default.nix`.
+
 # After creating the instance
 
 Open https://secrets.kaareskovgaard.net and initialize OpenBAO. Remember to get some sort of auto unsealing set up afterwards, currently this is implemented with a cronjob on TrueNAS. Doing it this way allows various certificates to continue getting issued, even as OpenBAO gets sealed (due to auto updates).
@@ -5,7 +9,7 @@ Open https://secrets.kaareskovgaard.net and initialize OpenBAO. Remember to get
 After this, configure the OpenBAO instance with:
 
 ```bash
-nix run '.#configure-instance` -- security.kaareskovgaard.net
+nix run '.#configure-instance' -- security.kaareskovgaard.net
 ```
 
 In order for `security.kaareskovgaard.net` to authenticate itself with OpenBAO, the printed credentials needs to be passed to the server with (on the server):
@@ -22,4 +26,18 @@ kanidm-reset-password <user>
 
 Open https://login.kaareskovgaard.net - and log into the account, setting up the Yubikey (Passkey) auth, as well as Bitwarden based TOTP/password auth.
 
+## Disable bootstrapping
+
+Now remove the previously enabled bootstrapping. Then update the instance
+
+```bash
+nix run '.#update-instance' -- security.kaareskovgaard.net
+```
+
+And reconfigure it:
+
+```bash
+nix run '.#configure-instance' -- security-kaareskovgaard.net
+```
+
 Then `nix run '.#bitwarden-to-vault` can transfer the needed Bitwarden secrets to vault, enabling other instances to not rely on Bitwarden.

nix/systems/aarch64-linux/security.kaareskovgaard.net/default.nix

@@ -1,15 +1,22 @@
 {
   inputs,
+  lib,
   pkgs,
   ...
 }:
 {
+  options.khscodes."security.kaareskovgaard.net" = {
+    bootstrap = {
+      enable = lib.mkEnableOption "Enables bootstrapping mode for security.kaareskovgaard.net. This should be set when first setting up the server. See the README";
+    };
+  };
   imports = [
     "${inputs.self}/nix/profiles/nixos/hetzner-server.nix"
     ./kanidm.nix
     ./openbao.nix
     ./post
   ];
+  config = {
     environment.systemPackages = [ pkgs.khscodes.bao-import-secret ];
     khscodes.services.nginx.enable = true;
     khscodes.infrastructure.hetzner-instance = {
@@ -29,4 +36,5 @@
     };
     khscodes.infrastructure.openbao.domain = "secrets.kaareskovgaard.net";
     system.stateVersion = "25.05";
+  };
 }

nix/systems/aarch64-linux/security.kaareskovgaard.net/kanidm.nix

@@ -1,6 +1,12 @@
-{ config, pkgs, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 let
   domain = "login.kaareskovgaard.net";
+  bootstrapping = config.khscodes."security.kaareskovgaard.net".bootstrap.enable;
   openbaoAppBasicSecretFile = "/var/lib/vault-agent/kanidm/openbao_basic_secret";
   openbaoDomain = config.khscodes.infrastructure.openbao.domain;
   openbaoAllowedRedirectUrls = [
@@ -63,7 +69,9 @@ in
         present = true;
         members = [ "khs" ];
       };
-      systems.oauth2.openbao = {
+      # We cannot add oauth2 apps before the secrets for them are generated.
+      systems.oauth2 = lib.mkIf (!bootstrapping) {
+        openbao = {
           present = true;
           public = false;
           preferShortUsername = true;
@@ -91,7 +99,9 @@ in
         };
       };
     };
-  systemd.services.kanidm = {
+  };
+  # Don't add dependencies from bootstrapping when not bootstrapping.
+  systemd.services.kanidm = lib.mkIf (!bootstrapping) {
     unitConfig = {
       ConditionPathExists = [
         openbaoAppBasicSecretFile
@@ -142,7 +152,13 @@ in
         };
       }
     )
-    # Sets up OIDC authentication within OpenBAO
+    # Sets up OIDC authentication within OpenBAO.
+    # OpenBAO queries the openid url for its configuration when adding it, so it is not possible,
+    # to add this before
+    (
+      if bootstrapping then
+        { }
+      else
         {
           resource.vault_jwt_auth_backend.oidc = {
             description = "Kanidm auth backend";
@@ -278,8 +294,8 @@ in
               }
             '';
           };
-
         }
+    )
   ];
 
   khscodes.services.vault-agent.templates = [