machines/nix/systems/aarch64-linux/security.kaareskovgaard.net/openbao.nix

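{ pkgs, config, ... }:
let
  # Public host name of this OpenBao instance. It doubles as the ACME
  # certificate name whose files the listener references below.
  domain = config.infrastructure.openbao.domain;
  acmeDir = config.security.acme.certs.${domain}.directory;
in
{
  config = {
    services.openbao = {
      enable = true;
      package = pkgs.openbao;
      settings = {
        ui = true;
        # The listener terminates TLS itself with the ACME certificate, so the
        # hop from the nginx reverse proxy below is encrypted as well.
        # `address` is not set here: the proxyPass further down reads whatever
        # the openbao module defaults it to. NOTE(review): confirm that default
        # is a loopback address, otherwise the listener is reachable directly,
        # bypassing nginx.
        listener.tcp = {
          type = "tcp";
          tls_cert_file = "${acmeDir}/fullchain.pem";
          tls_key_file = "${acmeDir}/key.pem";
        };
        api_addr = "https://${domain}";
        # Local Unix socket; no password is embedded in this file. Presumably
        # relies on PostgreSQL peer authentication for the `openbao` OS user —
        # confirm against the postgresql module's authentication settings.
        storage.postgresql.connection_url = "postgres://openbao?host=/run/postgresql";
      };
    };
    # Pick up renewed certificates without manual intervention.
    security.acme.certs.${domain}.reloadServices = [ "openbao.service" ];
    systemd.services.openbao = {
      # Storage must be up before OpenBao starts. `wants` is used deliberately
      # instead of `requires`: `requires` propagates an explicit postgresql
      # restart to openbao.service, which would reseal the store and need a
      # manual unseal afterwards. `after` alone would only order the units
      # without pulling postgresql in.
      after = [ "postgresql.service" ];
      wants = [ "postgresql.service" ];
    };
    # The ACME directory is presumably group-owned by nginx (the web-root
    # owner), so openbao joins that group to read fullchain.pem and key.pem.
    # This also grants openbao read access to anything else that is
    # nginx-group-readable; acceptable here, but keep it in mind if the nginx
    # group gains more files.
    users.groups.nginx.members = [ "openbao" ];
    services.postgresql = {
      enable = true;
      ensureDatabases = [ "openbao" ];
      ensureUsers = [
        {
          name = "openbao";
          # Ownership lets the storage backend create its own tables.
          ensureDBOwnership = true;
        }
      ];
    };
    services.postgresqlBackup = {
      enable = true;
      # NOTE(review): OpenBao's storage is presumably encrypted under the
      # barrier key, so dumps should be ciphertext — still treat them as
      # sensitive and restrict who can read the backup location.
      databases = [ "openbao" ];
    };
    # Reverse proxy on the public name. TLS towards clients for this vhost is
    # presumably handled by the khscodes nginx wrapper (not visible here).
    # nginx does not verify the upstream certificate by default; on a loopback
    # hop that is acceptable.
    khscodes.services.nginx.virtualHosts.${domain} = {
      locations."/" = {
        proxyPass = "https://${config.services.openbao.settings.listener.tcp.address}/";
        recommendedProxySettings = true;
      };
    };
  };
}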