Harden blowhole agains sealed Vault

Signed-off-by: Magic_RB <magic_rb@redalder.org>

nixos/systems/blowhole/consul.nix

@@ -26,8 +26,9 @@ in
     };
   };
 
-  systemd.services.hashicorp-consul.unitConfig = {
+  systemd.services."hashicorp-consul" = {
-    ConditionPathExists = "/run/secrets/consul.json";
+    requires = [ "vault-unsealed.service" ];
+    after = [ "vault-unsealed.service" ];
   };
 
   services.hashicorp.consul = {

nixos/systems/blowhole/default.nix

@@ -63,6 +63,30 @@ in
             ];
           };
 
+          systemd.services.vault-unsealed = {
+            description = "Check whether the local Vault instance is unsealed and fail if not.";
+            path = with pkgs; [ getent vault ];
+
+            unitConfig = {
+              StartLimitInterval = 0;
+            };
+
+            serviceConfig = {
+              Restart = "always";
+              RestartSec = 30;
+            };
+
+            script = ''
+              export VAULT_ADDR="https://vault.in.redalder.org:8200/"
+
+              while [ $( vault operator key-status |& grep -q "Vault is sealed" ; printf $? ) = 1 ]
+              do
+                sleep 30
+              done
+              exit 2
+            '';
+          };
+
           system.stateVersion = "21.05";
         });
   };

nixos/systems/blowhole/hostapd.nix

@@ -31,8 +31,9 @@ in
     destination = "/run/secrets/hostapd_wpa_psk";
   };
 
-  systemd.services.hostapd.unitConfig = {
+  systemd.services."hostapd" = {
-    ConditionPathExists = "/run/secrets/hostapd_wpa_psk";
+    requires = [ "vault-unsealed.service" ];
+    after = [ "vault-unsealed.service" ];
   };
 
   services.hostapd = {

nixos/systems/blowhole/klipper.nix

@@ -45,6 +45,9 @@ in
 
   systemd.services."container@klipper" = {
     restartIfChanged = lib.mkForce false;
+
+    requires = [ "vault-unsealed.service" ];
+    after = [ "vault-unsealed.service" ];
   };
 
   containers.klipper = {

nixos/systems/blowhole/monitoring.nix

@@ -205,6 +205,11 @@ in
     };
 
 
+  systemd.services."hashicorp-envoy-telegraf" = {
+    requires = [ "vault-unsealed.service" ];
+    after = [ "vault-unsealed.service" ];
+  };
+
   ## There is no way to say, hey, listen on localhost. The listeners option is missing the `address` field
   ## and the `name` field so it's impossible to configure....
   services.hashicorp-envoy.telegraf = {
@@ -235,6 +240,11 @@ in
     extraConsulArgs = [ "-ignore-envoy-compatibility" ];
   };
 
+  systemd.services."telegraf-magic" = {
+    requires = [ "vault-unsealed.service" ];
+    after = [ "vault-unsealed.service" ];
+  };
+
   services.telegraf-magic = {
     enable = true;
     settings = {
@@ -324,7 +334,12 @@ in
     fsType = "zfs";
   };
 
-  systemd.services."container@monitor".serviceConfig.LimitNOFILE = "infinity";
+  systemd.services."container@monitor" = {
+    requires = [ "vault-unsealed.service" ];
+    after = [ "vault-unsealed.service" ];
+
+    serviceConfig.LimitNOFILE = "infinity";
+  };
 
   # TODO: split interface name and container name, i.e. rewrite the container module....... again
   containers.monitor = {

nixos/systems/blowhole/nomad.nix

@@ -28,6 +28,11 @@ in
     };
   };
 
+  systemd.services."hashicorp-nomad" = {
+    requires = [ "vault-unsealed.service" ];
+    after = [ "vault-unsealed.service" ];
+  };
+
   services.hashicorp.nomad = {
     enable = true;
 

nixos/systems/blowhole/vault-agent.nix

@@ -17,6 +17,9 @@ in
       {
         preStart = "systemd-tmpfiles --create " + config;
         postStop = "systemd-tmpfiles --clean " + config;
+
+        requires = [ "vault-unsealed.service" ];
+        after = [ "vault-unsealed.service" ];
       };
 
   services.hashicorp.vault-agent = {