diff --git a/ansible/roles/xroad-base/tasks/rhel.yml b/ansible/roles/xroad-base/tasks/rhel.yml index 9a94ba51b9..867d399525 100644 --- a/ansible/roles/xroad-base/tasks/rhel.yml +++ b/ansible/roles/xroad-base/tasks/rhel.yml @@ -33,6 +33,25 @@ state: present enabled: yes +- name: X-Road dependencies repo key + rpm_key: + state: present + key: "{{ rhel_deps_repo_gpgkey }}" + when: rhel_deps_repo_gpgkey is defined + +- name: Setup repository for X-Road dependencies (RHEL) + yum_repository: + name: "x-road-dependencies" + file: "x-road-dependencies" + description: "X-Road dependencies repository for RHEL" + baseurl: "{{ rhel_deps_repo_baseurl }}" + gpgcheck: "{{ rhel_deps_repo_gpgcheck | default('no') }}" + gpgkey: "{{ rhel_deps_repo_gpgkey | default('') }}" + repo_gpgcheck: "{{ rhel_deps_repo_gpgcheck | default('no') }}" + metadata_expire: "{{ rhel_deps_repo_metadaexpire | default('86400') }}" + state: present + enabled: yes + - name: Touch repo file file: path: "/etc/yum.repos.d/xroad.repo" diff --git a/ansible/vars_files/local_repo.yml b/ansible/vars_files/local_repo.yml index 44196798fa..9d1b934d85 100644 --- a/ansible/vars_files/local_repo.yml +++ b/ansible/vars_files/local_repo.yml @@ -20,3 +20,8 @@ rhel_repo_gpgkey: "" rhel_repo_repogpgcheck: "no" rhel_repo_metadataexpire: 60 +rhel_deps_repo_baseurl: "https://artifactory.niis.org/artifactory/xroad-dependencies-rpm" +rhel_deps_repo_gpgcheck: "yes" +rhel_deps_repo_gpgkey: "{{xroad_repo_key}}" +rhel_deps_repo_repogpgcheck: "yes" +rhel_deps_repo_metadataexpire: "21600" diff --git a/ansible/vars_files/remote_repo.yml b/ansible/vars_files/remote_repo.yml index 35b7cee627..04850a3c57 100644 --- a/ansible/vars_files/remote_repo.yml +++ b/ansible/vars_files/remote_repo.yml 
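Review bot: The `yum_repository` task for `x-road-dependencies` reads two variable names that the vars files in this commit never define, so the values set there do not reach the repo file. `repo_gpgcheck` is fed from `rhel_deps_repo_gpgcheck` rather than `rhel_deps_repo_repogpgcheck`, and `metadata_expire` from `rhel_deps_repo_metadaexpire` (missing `ta`), which always falls back to `86400`. Both `gpgcheck` and `repo_gpgcheck` also default to `'no'`, so an inventory that sets only `rhel_deps_repo_baseurl` installs dependency packages with no signature verification. I would use `repo_gpgcheck: "{{ rhel_deps_repo_repogpgcheck | default('yes') }}"` and `metadata_expire: "{{ rhel_deps_repo_metadataexpire | default('86400') }}"`, and default `gpgcheck` to `'yes'` so a missing key fails closed. The `rpm_key` guard should also skip an empty key, for example `when: rhel_deps_repo_gpgkey | default('') | length > 0`.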
@@ -22,3 +22,9 @@ rhel_repo_gpgcheck: "yes" rhel_repo_gpgkey: "{{xroad_repo_key}}" rhel_repo_repogpgcheck: "yes" rhel_repo_metadataexpire: "21600" + +rhel_deps_repo_baseurl: "https://artifactory.niis.org/artifactory/xroad-dependencies-rpm" +rhel_deps_repo_gpgcheck: "yes" +rhel_deps_repo_gpgkey: "{{xroad_repo_key}}" +rhel_deps_repo_repogpgcheck: "yes" +rhel_deps_repo_metadataexpire: "21600" diff --git a/src/packages/src/xroad/common/xroad-secret-store-local/etc/openbao/openbao.hcl b/src/packages/src/xroad/common/xroad-secret-store-local/etc/openbao/openbao.hcl deleted file mode 100644 index 8a3ea05264..0000000000 --- a/src/packages/src/xroad/common/xroad-secret-store-local/etc/openbao/openbao.hcl +++ /dev/null @@ -1,15 +0,0 @@ -ui = false -cluster_addr = "https://127.0.0.1:8201" -api_addr = "https://127.0.0.1:8200" - -storage "raft" { - path = "/opt/openbao/data" - node_id = "node1" -} - -listener "tcp" { - address = "127.0.0.1:8200" - tls_cert_file = "/opt/openbao/tls/tls.crt" - tls_key_file = "/opt/openbao/tls/tls.key" -} - diff --git a/src/packages/src/xroad/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-generate-tls-certificate.sh b/src/packages/src/xroad/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-generate-tls-certificate.sh new file mode 100755 index 0000000000..84a632e4c8 --- /dev/null +++ b/src/packages/src/xroad/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-generate-tls-certificate.sh 
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -e
+
+echo "Generating OpenBao TLS certificates for X-Road..."
+# Generate in temporary location first
+TEMP_DIR=$(mktemp -d)
+cd "$TEMP_DIR"
+
+# Generate certificates with proper permissions
+if ! openssl req \
+ -out tls.crt \
+ -new \
+ -keyout tls.key \
+ -newkey rsa:4096 \
+ -nodes \
+ -sha256 \
+ -x509 \
+ -subj "/O=OpenBao/CN=OpenBao" \
+ -days 7300 \
+ -addext "subjectAltName = IP:127.0.0.1" \
+ -addext "keyUsage = digitalSignature,keyEncipherment" \
+ -addext "extendedKeyUsage = serverAuth"; then
+ echo "Failed to generate certificates"
+ exit 1
+fi
+
+# Set proper permissions and ownership
+chmod 640 tls.key tls.crt
+chown openbao:openbao tls.key tls.crt
+
+# Move files to final location
+mv -f tls.key tls.crt /opt/openbao/tls/
+
+# Cleanup temp directory
+rm -rf "$TEMP_DIR"
diff --git a/src/packages/src/xroad/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-init.sh b/src/packages/src/xroad/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-init.sh
new file mode 100755
index 0000000000..75e3d7b2ef
--- /dev/null
+++ b/src/packages/src/xroad/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-init.sh
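Review bot: Nothing in `secret-store-generate-tls-certificate.sh` creates `/opt/openbao/tls`, and the Debian preinst that did so with `install -d -m 750` is deleted by this commit, so the final `mv -f` relies on another package having made the directory with safe permissions. I would add `install -d -m 750 -o openbao -g openbao /opt/openbao/tls` before the move. Under `set -e`, a failing `chmod`, `chown` or `mv` also exits before `rm -rf "$TEMP_DIR"`, leaving the unencrypted private key in the temp directory; `trap 'rm -rf "$TEMP_DIR"' EXIT` right after `mktemp -d` covers that. A header comment should record that the key is written unencrypted (`-nodes`), that the certificate is valid for 7300 days, and that the package scriptlets add it to the system trust store.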
@@ -0,0 +1,106 @@ +#!/bin/bash + +STATUS=$(bao status -format=json) # exits with non-zero status if not initialized or sealed + +set -e + +INITIALIZED=$(jq -r '.initialized' <<< $STATUS) +SEALED=$(jq -r '.sealed' <<< $STATUS) +KEYS_FILE="/etc/openbao/secret-store-keys.json" + +if [ "$INITIALIZED" = "true" ]; then + echo "OpenBao already initialized" +else + echo "Initializing OpenBao..." + bao operator init -key-shares=3 -key-threshold=2 -format=json > $KEYS_FILE + chmod 600 $KEYS_FILE +fi + + +if [ ! -f "$KEYS_FILE" ]; then + echo "Keys file not found" + exit 1 +fi + + +if [ "$SEALED" = "false" ]; then + echo "OpenBao already unsealed" +else + echo "Unsealing OpenBao..." + # Read first two keys for unsealing + KEY1=$(jq -r '.unseal_keys_b64[0]' "$KEYS_FILE") + KEY2=$(jq -r '.unseal_keys_b64[1]' "$KEYS_FILE") + + # Unseal with two keys + bao operator unseal "$KEY1" + bao operator unseal "$KEY2" +fi + + +export BAO_TOKEN=$(cat $KEYS_FILE | jq -r '.root_token') + +XRD_PKI_CONFIGURED=$(bao secrets list -format=json | jq 'has("xrd-pki/")') +if [ "$XRD_PKI_CONFIGURED" = "true" ]; then + echo "X-Road secrets engine already initialized" +else + echo "Initializing X-Road secrets engine ..." 
+ + # Enable secrets engines + bao secrets enable -path=xrd-pki pki || exit 1 + bao secrets enable -path=xrd-secret kv || exit 1 + bao secrets enable -path=xrd-ds-secret -version=2 kv || exit 1 + + # Configure PKI + bao secrets tune -max-lease-ttl=87600h xrd-pki || exit 1 + bao write xrd-pki/root/generate/internal common_name="localhost" ttl=8760h || exit 1 + bao write xrd-pki/config/urls \ + issuing_certificates="https://127.0.0.1:8200/v1/xrd-pki/ca" \ + crl_distribution_points="https://127.0.0.1:8200/v1/xrd-pki/crl" || exit 1 + + # Configure PKI tidy settings + bao write xrd-pki/config/auto-tidy \ + tidy_cert_store=true \ + tidy_revoked_certs=true \ + safety_buffer="72h" \ + interval_duration="24h" || exit 1 + + # Configure roles + bao write xrd-pki/roles/xrd-rpc-internal \ + allow_any_name=true \ + allow_subdomains=true \ + allow_localhost=true \ + allow_ip_sans=true \ + max_ttl="300h" || exit 1 + + # Create policy for PKI and secret access + bao policy write xroad-policy - < $CLIENT_TOKEN_FILE + chmod 640 $CLIENT_TOKEN_FILE + chown xroad:xroad $CLIENT_TOKEN_FILE +fi + +unset BAO_TOKEN diff --git a/src/packages/src/xroad/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-setup.sh b/src/packages/src/xroad/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-setup.sh deleted file mode 100755 index dfacbadbe8..0000000000 --- a/src/packages/src/xroad/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-setup.sh +++ /dev/null 
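Review bot: When `bao status` cannot reach the server, `STATUS` is empty and `INITIALIZED` is not `"true"`, so the `else` branch runs `bao operator init ... > $KEYS_FILE`, and the redirect truncates an existing keys file before the command fails. Because the unit runs this script at every start, one start before the API is reachable could destroy the only copy of the unseal keys and root token. The file is also created under the default umask and only tightened by the later `chmod 600`. I would initialise only on an explicit `false` with no existing keys file, and write through a temporary file under `umask 077`, as below. Separately, keeping all key shares and the root token in one file on the same host removes the protection of the 2-of-3 split, and `allow_any_name=true` on `xrd-rpc-internal` lets any token permitted to use that role request a certificate for any name; both deserve a comment stating the intended trust boundary.

```shell
# … unchanged: STATUS=$(bao status -format=json), set -e …
umask 077

INITIALIZED=$(jq -r '.initialized' <<< "$STATUS")
# … unchanged: SEALED, KEYS_FILE …

if [ "$INITIALIZED" = "true" ]; then
  echo "OpenBao already initialized"
elif [ "$INITIALIZED" = "false" ] && [ ! -s "$KEYS_FILE" ]; then
  echo "Initializing OpenBao..."
  # Write to a temp file first so a failed init never truncates existing keys.
  KEYS_TMP=$(mktemp "${KEYS_FILE}.XXXXXX")
  bao operator init -key-shares=3 -key-threshold=2 -format=json > "$KEYS_TMP"
  mv -f "$KEYS_TMP" "$KEYS_FILE"
else
  echo "OpenBao status unavailable or keys file already present; not initializing"
  exit 1
fi
```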
@@ -1,58 +0,0 @@ -#!/bin/bash - -echo "Applying OpenBao configuration.." -export BAO_ADDR=https://127.0.0.1:8200 -export BAO_TOKEN="$(cat /etc/xroad/secret-store-root-token)" - -# Enable secrets engines -bao secrets enable -path=xrd-pki pki || exit 1 -bao secrets enable -path=xrd-secret kv || exit 1 -bao secrets enable -path=xrd-ds-secret -version=2 kv || exit 1 - -# Configure PKI -bao secrets tune -max-lease-ttl=87600h xrd-pki || exit 1 -bao write xrd-pki/root/generate/internal common_name="localhost" ttl=8760h || exit 1 -bao write xrd-pki/config/urls \ - issuing_certificates="$BAO_ADDR/v1/xrd-pki/ca" \ - crl_distribution_points="$BAO_ADDR/v1/xrd-pki/crl" || exit 1 - -# Configure PKI tidy settings -bao write xrd-pki/config/auto-tidy \ - tidy_cert_store=true \ - tidy_revoked_certs=true \ - safety_buffer="72h" \ - interval_duration="24h" || exit 1 - -# Configure roles -bao write xrd-pki/roles/xrd-rpc-internal \ - allow_any_name=true \ - allow_subdomains=true \ - allow_localhost=true \ - allow_ip_sans=true \ - max_ttl="300h" || exit 1 - -# Create policy for PKI and secret access -bao policy write xroad-policy - < /etc/xroad/secret-store-client-token -chmod 640 /etc/xroad/secret-store-client-token -chown xroad:xroad /etc/xroad/secret-store-client-token -unset BAO_TOKEN BAO_ADDR diff --git a/src/packages/src/xroad/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-unseal.sh b/src/packages/src/xroad/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-unseal.sh deleted file mode 100755 index 5f225d3b79..0000000000 --- a/src/packages/src/xroad/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-unseal.sh +++ /dev/null 
@@ -1,16 +0,0 @@ -#!/bin/bash - -KEYS_FILE="/etc/xroad/secret-store-unseal-keys.json" - -if [ ! -f "$KEYS_FILE" ]; then - echo "No unseal keys found" - exit 1 -fi - -# Read first two keys for unsealing -KEY1=$(jq -r '.[0]' "$KEYS_FILE") -KEY2=$(jq -r '.[1]' "$KEYS_FILE") - -# Unseal with two keys -BAO_ADDR="$BAO_HOST" bao operator unseal "$KEY1" -BAO_ADDR="$BAO_HOST" bao operator unseal "$KEY2" diff --git a/src/packages/src/xroad/redhat/SOURCES/secret-store-local/xroad-secret-store-local.service b/src/packages/src/xroad/redhat/SOURCES/secret-store-local/xroad-secret-store-local.service new file mode 100644 index 0000000000..3cc7389fca --- /dev/null +++ b/src/packages/src/xroad/redhat/SOURCES/secret-store-local/xroad-secret-store-local.service @@ -0,0 +1,13 @@ +[Unit] +Description=X-Road OpenBao Auto Init Service +After=network.target openbao.service +Requires=openbao.service +BindsTo=openbao.service + +[Service] +Type=oneshot +ExecStart=/usr/share/xroad/scripts/secret-store-init.sh +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target diff --git a/src/packages/src/xroad/redhat/SPECS/xroad-proxy.spec b/src/packages/src/xroad/redhat/SPECS/xroad-proxy.spec index 9af77bef38..2a5bb96fa6 100644 --- a/src/packages/src/xroad/redhat/SPECS/xroad-proxy.spec +++ b/src/packages/src/xroad/redhat/SPECS/xroad-proxy.spec @@ -19,6 +19,7 @@ Requires(postun): systemd Requires: net-tools, tar Requires: xroad-base = %version-%release, xroad-confclient = %version-%release, xroad-signer = %version-%release, rsyslog Requires: xroad-database >= %version-%release, xroad-database <= %version-%{release}.1 +Requires: (xroad-secret-store-local = %version-%release or xroad-secret-store-remote = %version-%release) %define src %{_topdir}/.. diff --git a/src/packages/src/xroad/redhat/SPECS/xroad-secret-store-local.spec b/src/packages/src/xroad/redhat/SPECS/xroad-secret-store-local.spec new file mode 100644 index 0000000000..9629ebb3cb --- /dev/null 
+++ b/src/packages/src/xroad/redhat/SPECS/xroad-secret-store-local.spec 
@@ -0,0 +1,78 @@ +%include %{_specdir}/common.inc +# produce .elX dist tag on both centos and redhat +%define dist %(/usr/lib/rpm/redhat/dist.sh) + +Name: xroad-secret-store-local +Version: %{xroad_version} +# release tag, e.g. 0.201508070816.el7 for snapshots and 1.el7 (for final releases) +Release: %{rel}%{?snapshot}%{?dist} +Summary: Meta-package for local secret store dependencies +Group: Applications/Internet +License: MIT +Requires: jq, bao >= 2.0.0 +Requires: xroad-base = %version-%release +Conflicts: xroad-secret-store-remote + +%description +Installs OpenBao locally and automatically provisions it to align with X-Road + +%clean +rm -rf %{buildroot} + +%prep + +%build + +%install +mkdir -p %{buildroot}%{_unitdir} +mkdir -p %{buildroot}/usr/share/xroad/scripts/ +mkdir -p %{buildroot}/etc/xroad/services/ + +cp -p %{_sourcedir}/secret-store-local/xroad-secret-store-local.service %{buildroot}%{_unitdir} +cp -p %{srcdir}/common/xroad-secret-store-local/etc/xroad/services/secret-store-local.conf %{buildroot}/etc/xroad/services/ +cp -p %{srcdir}/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-generate-tls-certificate.sh %{buildroot}/usr/share/xroad/scripts/ +cp -p %{srcdir}/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-init.sh %{buildroot}/usr/share/xroad/scripts/ + +%files +%defattr(0640,xroad,xroad,0751) +%attr(644,root,root) %{_unitdir}/xroad-secret-store-local.service +%config /etc/xroad/services/secret-store-local.conf +%attr(554,root,xroad) /usr/share/xroad/scripts/secret-store-generate-tls-certificate.sh +%attr(554,root,xroad) /usr/share/xroad/scripts/secret-store-init.sh + +%pre -p /bin/bash +%upgrade_check + + +%post +if [ $1 -eq 1 ]; then # $1 == 1 means fresh install, $1 == 2 means upgrade + /usr/share/xroad/scripts/secret-store-generate-tls-certificate.sh + # Install generated certificate to system + install -m 644 /opt/openbao/tls/tls.crt /etc/pki/ca-trust/source/anchors/openbao.crt + update-ca-trust + + # 
Enable and start service + if ! systemctl enable openbao.service; then + echo "Failed to enable OpenBao service" + exit 1 + fi + + if ! systemctl restart openbao.service; then + echo "Failed to restart OpenBao service" + exit 1 + fi + + echo "Waiting for OpenBao to be ready..." + for i in $(seq 1 30); do + if curl -sf "${BAO_ADDR}/v1/sys/health" >/dev/null 2>&1; then + break + fi + sleep 1 + done + + echo "Initializing OpenBao.." + systemctl enable xroad-secret-store-local.service + systemctl start xroad-secret-store-local.service +else + echo "Upgrade detected, skipping initialization" +fi diff --git a/src/packages/src/xroad/redhat/SPECS/xroad-secret-store-remote.spec b/src/packages/src/xroad/redhat/SPECS/xroad-secret-store-remote.spec new file mode 100644 index 0000000000..825971bdcb --- /dev/null +++ b/src/packages/src/xroad/redhat/SPECS/xroad-secret-store-remote.spec @@ -0,0 +1,31 @@ +%include %{_specdir}/common.inc +# produce .elX dist tag on both centos and redhat +%define dist %(/usr/lib/rpm/redhat/dist.sh) + +Name: xroad-secret-store-remote +Version: %{xroad_version} +# release tag, e.g. 0.201508070816.el7 for snapshots and 1.el7 (for final releases) +Release: %{rel}%{?snapshot}%{?dist} +Summary: Meta-package for remote secret store dependencies +Group: Applications/Internet +License: MIT +Requires: xroad-base = %version-%release +Conflicts: xroad-secret-store-local + +%description +Prevents local installation of OpenBao when it is hosted remotely + +%clean + +%prep + +%build + +%install + +%files + +%pre -p /bin/bash +%upgrade_check + +%post diff --git a/src/packages/src/xroad/ubuntu/generic/control b/src/packages/src/xroad/ubuntu/generic/control index 9e01b5513c..9c482e7c23 100644 --- a/src/packages/src/xroad/ubuntu/generic/control +++ b/src/packages/src/xroad/ubuntu/generic/control 
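Review bot: The readiness loop in `%post` of `xroad-secret-store-local.spec` calls `curl -sf "${BAO_ADDR}/v1/sys/health"`, but `BAO_ADDR` is never set in this scriptlet, so the request has no host and every iteration fails. The loop then falls through after 30 seconds without reporting a timeout. Set `BAO_ADDR='https://127.0.0.1:8200'` before the loop and exit non-zero when it runs out. Even with the address set, `curl -f` treats the health endpoint's error status for an uninitialized or sealed server as a failure, which is the state on a fresh install, so the check likely needs the endpoint's status-code query parameters or a plain connection test. The Debian postinst in this commit removes its `BAO_ADDR=` assignment while its loop, outside the visible hunks, appears to be kept, so it probably has the same problem.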
@@ -194,9 +194,8 @@ Description: X-Road Central Server Management Service Package: xroad-secret-store-local Architecture: amd64 arm64 Conflicts: xroad-secret-store-remote -Pre-Depends: jq, wget, gpg, bao (>= 2.0.0) +Pre-Depends: jq, gpg, bao (>= 2.0.0) Depends: xroad-base (=${binary:Version}) -Replaces: bao Description: Meta-package for X-Road local secret store dependencies Package: xroad-secret-store-remote diff --git a/src/packages/src/xroad/ubuntu/generic/xroad-secret-store-local.install b/src/packages/src/xroad/ubuntu/generic/xroad-secret-store-local.install index b8fdde6064..e9e1acf87e 100644 --- a/src/packages/src/xroad/ubuntu/generic/xroad-secret-store-local.install +++ b/src/packages/src/xroad/ubuntu/generic/xroad-secret-store-local.install @@ -1,4 +1,3 @@ -../../../../src/xroad/common/xroad-secret-store-local/etc/openbao/openbao.hcl etc/openbao -../../../../src/xroad/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-unseal.sh usr/share/xroad/scripts -../../../../src/xroad/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-setup.sh usr/share/xroad/scripts +../../../../src/xroad/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-generate-tls-certificate.sh usr/share/xroad/scripts +../../../../src/xroad/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-init.sh usr/share/xroad/scripts ../../../../src/xroad/common/xroad-secret-store-local/etc/xroad/services/secret-store-local.conf etc/xroad/services diff --git a/src/packages/src/xroad/ubuntu/generic/xroad-secret-store-local.postinst b/src/packages/src/xroad/ubuntu/generic/xroad-secret-store-local.postinst index 322cd03f98..078d7ba140 100644 --- a/src/packages/src/xroad/ubuntu/generic/xroad-secret-store-local.postinst +++ b/src/packages/src/xroad/ubuntu/generic/xroad-secret-store-local.postinst 
@@ -4,25 +4,25 @@ set -e if [ "$1" = "configure" ]; then - # Enable and start service with error handling - if ! deb-systemd-invoke enable openbao.service; then - echo "Failed to enable OpenBao service" - exit 1 - fi - - if ! deb-systemd-invoke start openbao.service; then - echo "Failed to start OpenBao service" - exit 1 - fi # Only perform initialization on fresh install if [ -z "$2" ]; then # $2 is empty for fresh installs - BAO_ADDR='https://127.0.0.1:8200' - TMP_INIT_FILE="/tmp/bao-init.json" - UNSEAL_KEYS_FILE="/etc/xroad/secret-store-unseal-keys.json" - ROOT_TOKEN_FILE="/etc/xroad/secret-store-root-token" + /usr/share/xroad/scripts/secret-store-generate-tls-certificate.sh + # Install generated certificate to system + install -m 644 /opt/openbao/tls/tls.crt /usr/local/share/ca-certificates/openbao.crt + update-ca-certificates + + # Enable and start service with error handling + if ! deb-systemd-invoke enable openbao.service; then + echo "Failed to enable OpenBao service" + exit 1 + fi + + if ! deb-systemd-invoke restart openbao.service; then + echo "Failed to start OpenBao service" + exit 1 + fi - # Wait for OpenBao to be ready echo "Waiting for OpenBao to be ready..." # shellcheck disable=SC2034 for i in $(seq 1 30); do @@ -33,21 +33,8 @@ if [ "$1" = "configure" ]; then done echo "Initializing OpenBao.." - if ! bao operator init -key-shares=3 -key-threshold=2 -format=json >${TMP_INIT_FILE}; then - echo "Failed to initialize OpenBao" - exit 1 - fi - - jq -r '.unseal_keys_b64' ${TMP_INIT_FILE} >${UNSEAL_KEYS_FILE} - jq -r '.root_token' ${TMP_INIT_FILE} >${ROOT_TOKEN_FILE} - - rm -f ${TMP_INIT_FILE} - - echo "Running unseal service.." deb-systemd-invoke enable xroad-secret-store-local.service deb-systemd-invoke start xroad-secret-store-local.service - - /usr/share/xroad/scripts/secret-store-setup.sh else echo "Upgrade detected, skipping initialization" fi 
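Review bot: The upgrade branch still only prints `Upgrade detected, skipping initialization`, but after this commit the service runs `secret-store-init.sh`, which reads `/etc/openbao/secret-store-keys.json`, while the removed code wrote `/etc/xroad/secret-store-unseal-keys.json` and `/etc/xroad/secret-store-root-token`. On a host installed from the previous package, the new script would find OpenBao initialized, fail with `Keys file not found`, and leave it sealed after the next restart. If such installs exist, the upgrade path needs a migration step, and the old secret files and the `dpkg-divert` of `/etc/openbao/openbao.hcl` added by the deleted preinst should be cleaned up. The failure message after `deb-systemd-invoke restart` still says `Failed to start OpenBao service`. The enclosing `if` block ends outside the hunk.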
diff --git a/src/packages/src/xroad/ubuntu/generic/xroad-secret-store-local.preinst b/src/packages/src/xroad/ubuntu/generic/xroad-secret-store-local.preinst deleted file mode 100644 index 22d460a574..0000000000 --- a/src/packages/src/xroad/ubuntu/generic/xroad-secret-store-local.preinst +++ /dev/null @@ -1,63 +0,0 @@ -#!/bin/bash - -set -e - -# Function to handle errors - only clean up on failure -cleanup() { - if [ $? -ne 0 ]; then - echo "Installation failed, cleaning up..." - if [ -d "/opt/openbao/tls" ]; then - rm -f /opt/openbao/tls/tls.{key,crt} 2>/dev/null || true - fi - rm -f /usr/local/share/ca-certificates/openbao.crt 2>/dev/null || true - fi -} - -trap cleanup EXIT - -if [ "$1" = "install" ] || [ "$1" = "upgrade" ]; then - # Handle config file - dpkg-divert --add --package xroad-secret-store-local --rename \ - --divert /etc/openbao/openbao.hcl.dpkg-old /etc/openbao/openbao.hcl - - # Ensure directory exists and has proper permissions - install -d -m 750 /opt/openbao/tls - chown openbao:openbao /opt/openbao/tls - - echo "Generating OpenBao TLS certificates..." - # Generate in temporary location first - TEMP_DIR=$(mktemp -d) - cd "$TEMP_DIR" || exit 1 - - # Generate certificates with proper permissions - if ! openssl req \ - -out tls.crt \ - -new \ - -keyout tls.key \ - -newkey rsa:4096 \ - -nodes \ - -sha256 \ - -x509 \ - -subj "/O=OpenBao/CN=OpenBao" \ - -days 7300 \ - -addext "subjectAltName = IP:127.0.0.1" \ - -addext "keyUsage = digitalSignature,keyEncipherment" \ - -addext "extendedKeyUsage = serverAuth"; then - echo "Failed to generate certificates" - exit 1 - fi - - # Set proper permissions and ownership - chmod 640 tls.key tls.crt - chown openbao:openbao tls.key tls.crt - - # Move files to final location - mv tls.key tls.crt /opt/openbao/tls/ - - # Install certificate to system - install -m 644 /opt/openbao/tls/tls.crt /usr/local/share/ca-certificates/openbao.crt - update-ca-certificates - - # Only cleanup temp directory - rm -rf "$TEMP_DIR" -fi 
diff --git a/src/packages/src/xroad/ubuntu/generic/xroad-secret-store-local.service b/src/packages/src/xroad/ubuntu/generic/xroad-secret-store-local.service index de173d0a68..3cc7389fca 100644 --- a/src/packages/src/xroad/ubuntu/generic/xroad-secret-store-local.service +++ b/src/packages/src/xroad/ubuntu/generic/xroad-secret-store-local.service @@ -1,14 +1,12 @@ [Unit] -Description=X-Road OpenBao Auto Unseal Service +Description=X-Road OpenBao Auto Init Service After=network.target openbao.service Requires=openbao.service BindsTo=openbao.service [Service] Type=oneshot -User=xroad -Group=xroad -ExecStart=/usr/share/xroad/scripts/secret-store-unseal.sh +ExecStart=/usr/share/xroad/scripts/secret-store-init.sh RemainAfterExit=yes [Install]