## Before beginning

Enable bootstrapping of the instance by setting `config.khscodes."security.kaareskovgaard.net".bootstrap.enable = true` in `default.nix`.
## After creating the instance

Open https://secrets.kaareskovgaard.net and initialize OpenBAO. Remember to set up some form of auto-unsealing afterwards; currently this is implemented with a cronjob on TrueNAS. Doing it this way allows the various certificates to keep being issued even when OpenBAO becomes sealed (for example after an automatic update restarts it).
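As an added illustration of what such an unseal cronjob can do (this is example code, not the script running on TrueNAS), the following checks OpenBAO's `/v1/sys/seal-status` and submits only as many Shamir shares as the threshold still requires. The share file path and the OpenBAO address are assumptions; the share file must be readable only by the cron user.

```python
"""Unseal OpenBAO from a cronjob when it has become sealed (e.g. after an update).

Assumed, not taken from the README: shares are stored one per line in
/run/secrets/openbao-unseal-shares and OpenBAO listens at BAO_ADDR.
"""
import json
import sys
import urllib.request
from typing import Optional

BAO_ADDR = "https://secrets.kaareskovgaard.net"     # assumed address
SHARE_FILE = "/run/secrets/openbao-unseal-shares"   # assumed path


def shares_needed(status: dict) -> int:
    """Shares still required by /v1/sys/unseal, given a seal-status document.

    `t` is the unseal threshold and `progress` the shares already accepted.
    """
    if not status.get("initialized", False):
        raise RuntimeError("OpenBAO is not initialized; nothing to unseal")
    if not status.get("sealed", False):
        return 0
    return max(status["t"] - status.get("progress", 0), 0)


def plan_unseal(status: dict, shares: list) -> list:
    """Pick the shares to submit; fail loudly instead of submitting too few."""
    needed = shares_needed(status)
    if needed > len(shares):
        raise RuntimeError(f"need {needed} shares but only {len(shares)} available")
    return shares[:needed]


def _api(method: str, path: str, body: Optional[dict] = None) -> dict:
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BAO_ADDR + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def main() -> int:
    status = _api("GET", "/v1/sys/seal-status")
    with open(SHARE_FILE) as fh:
        shares = [line.strip() for line in fh if line.strip()]
    for share in plan_unseal(status, shares):
        # Each PUT returns the updated seal status.
        status = _api("PUT", "/v1/sys/unseal", {"key": share})
    if status.get("sealed", True):
        print("OpenBAO is still sealed after submitting shares", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```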
After this, configure the OpenBAO instance with:

```
nix run '.#configure-instance' -- security.kaareskovgaard.net
```
In order for security.kaareskovgaard.net to authenticate itself with OpenBAO, the printed credentials need to be passed to the server (run on the server):

```
sudo bao-import-secret <role-id> <wrapped-secret-id>
```
While still SSH'ed into the server, reset the user (khs) password for Kanidm:

```
kanidm-reset-password <user>
```
Open https://login.kaareskovgaard.net and log into the account, setting up YubiKey (passkey) authentication as well as Bitwarden-based TOTP/password authentication.
## Disable bootstrapping

Now remove the previously enabled bootstrapping. Then update the instance:

```
nix run '.#update-instance' -- security.kaareskovgaard.net
```
And reconfigure it:

```
nix run '.#configure-instance' -- security.kaareskovgaard.net
```
Then

```
nix run '.#bitwarden-to-vault'
```

can transfer the needed Bitwarden secrets to the vault, so that other instances no longer need to rely on Bitwarden.