OpenCHAMI · travisbcotton · Apr 2, 2026 · Apr 7, 2026 · Apr 7, 2026 · Apr 7, 2026
diff --git a/scripts/tokensmith_bootstrap_token.sh b/scripts/tokensmith_bootstrap_token.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+CLIENT="${1}"
+SERVICE="smd"
+
+TOKENSMITH_BOOTSTRAP_TOKEN=$(podman exec -e SERVICE=$SERVICE -e CLIENT=$CLIENT tokensmith /bin/sh -c "\
+			/usr/local/bin/tokensmith mint-bootstrap-token \
+			--key-file /tmp/tokensmith/keys/private.pem \
+			--service-id ${CLIENT}-client \
+			--target-service ${SERVICE}
+			")
+SECRET_NAME="${CLIENT}-bootstrap-token"
+printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret rm ${SECRET_NAME} 2>/dev/null || true
+printf '%s' "$TOKENSMITH_BOOTSTRAP_TOKEN" | podman secret create ${SECRET_NAME} -
diff --git a/systemd/configs/openchami.env b/systemd/configs/openchami.env
@@ -14,20 +14,6 @@ URLS_LOGOUT=https://${SYSTEM_URL}/logout
 # Environemnt Variables
 POSTGRES_USER=ochami
 
-# Environemnt Variables
-BSS_USESQL=true
-BSS_INSECURE=true
-BSS_DEBUG=true
-BSS_DBHOST=postgres
-BSS_DBPORT=5432
-BSS_DBNAME=bssdb
-BSS_DBUSER=bss-user
-BSS_JWKS_URL=http://opaal:3333/keys
-BSS_OAUTH2_ADMIN_BASE_URL=http://opaal:3333
-BSS_OAUTH2_PUBLIC_BASE_URL=http://opaal:3333
-BSS_IPXE_SERVER=${SYSTEM_URL}
-BSS_CHAIN_PROTO=https
-
 # Environemnt Variables
 SMD_DBHOST=postgres
 SMD_DBPORT=5432
@@ -36,6 +22,15 @@ SMD_DBUSER=smd-user
 SMD_DBOPTS=sslmode=disable
 SMD_JWKS_URL=http://opaal:3333/keys
 
+# Environemnt Variables
+TOKENSMITH_ISSUER=https://tokensmith.openchami.dev
+TOKENSMITH_CLUSTER_ID=demo-cluster
+TOKENSMITH_OPENCHAMI_ID=demo-openchami
+TOKENSMITH_CONFIG=/tokensmith/config.json
+TOKENSMITH_KEY_DIR=/tmp/tokensmith/keys
+TOKENSMITH_OIDC_PROVIDER=http://hydra:4444
+TOKENSMITH_PORT=8080
+
 # Environemnt Variables
 STEPPATH=/home/step
 DOCKER_STEPCA_INIT_NAME=OpenCHAMI
@@ -53,6 +48,4 @@ ANSIBLE_HOST_KEY_CHECKING=False
 # Environemnt Variables for cloud-init
 LISTEN=:27777
 SMD_URL=http://smd:27779
-OPAAL_URL=http://opaal:3333
-JWKS_URL=http://opaal:3333/keys
 IMPERSONATION=true
diff --git a/systemd/configs/tokensmith.json b/systemd/configs/tokensmith.json
@@ -0,0 +1,19 @@
+{
+  "groupScopes": {
+    "admin": [
+      "admin",
+      "write",
+      "read"
+    ],
+    "operator": [
+      "write",
+      "read"
+    ],
+    "user": [
+      "read"
+    ],
+    "viewer": [
+      "read"
+    ]
+  }
+}
diff --git a/systemd/containers/boot-service.service b/systemd/containers/boot-service.service
@@ -0,0 +1,30 @@
+[Unit]
+Description=The bss container
+PartOf=openchami.target
+
+# Ensure SMD has started already
+Wants=smd.service tokensmith.service
+After=smd.service tokensmith.service
+
+[Container]
+ContainerName=boot-service
+HostName=boot-service
+Image=boot-service:test
+
+# Environment Variables
+EnvironmentFile=/etc/openchami/configs/openchami.env
+
+# Secrets
+Secret=boot-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN
+
+# Networks for the Container to use
+Network=openchami-internal.network
+
+# Proxy settings
+PodmanArgs=--http-proxy=false
+
+Exec=serve --enable-auth --tokensmith_url=http://tokensmith:8080 --hsm-url=http://smd:27779 --tokensmith-target-service smd
+
+[Service]
+ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh boot-service
+Restart=always
diff --git a/systemd/containers/bss-init.container b/systemd/containers/bss-init.container
diff --git a/systemd/containers/bss.container b/systemd/containers/bss.container
diff --git a/systemd/containers/cloud-init-server.container b/systemd/containers/cloud-init-server.container
diff --git a/systemd/containers/coresmd-coredhcp.container b/systemd/containers/coresmd-coredhcp.container
@@ -1,7 +1,7 @@
 [Unit]
 Description=The CoreSMD CoreDHCP container
-Wants=haproxy.service
-After=haproxy.service
+Wants=tokensmith.service smd.service
+After=tokensmith.service smd.service
 PartOf=openchami.target
 
 [Container]

diff --git a/systemd/containers/haproxy.container b/systemd/containers/haproxy.container
@@ -1,7 +1,7 @@
 [Unit]
 Description=The haproxy container
-Wants=bss.service cloud-init-server.service smd.service acme-deploy.service
-After=openchami-external-network.service opaal.service smd.service bss.service acme-deploy.service cloud-init-server.service
+Wants=boot-service.service metadata-service.service smd.service acme-deploy.service
+After=openchami-external-network.service smd.service boot-service.service acme-deploy.service metadata-service.service
 Requires=openchami-external-network.service acme-deploy.service
 PartOf=openchami.target
 

diff --git a/systemd/containers/hydra-gen-jwks.container b/systemd/containers/hydra-gen-jwks.container
diff --git a/systemd/containers/hydra-migrate.container b/systemd/containers/hydra-migrate.container
diff --git a/systemd/containers/hydra.container b/systemd/containers/hydra.container
diff --git a/systemd/containers/metadata-service.service b/systemd/containers/metadata-service.service
@@ -0,0 +1,27 @@
+[Unit]
+Description=The metadata-service container
+Wants=smd.service
+After=smd.service tokensmith.service
+PartOf=openchami.target
+
+[Container]
+ContainerName=metadata-service
+HostName=metadata-service
+Image=metadata-service:test
+
+Secret=metadata-service-bootstrap-token,type=env,target=TOKENSMITH_BOOTSTRAP_TOKEN
+
+# Environment Variables
+EnvironmentFile=/etc/openchami/configs/openchami.env
+
+Exec=serve --tokensmith-url=http://tokensmith:8080
+
+# Networks for the Container to use
+Network=openchami-internal.network
+
+# Proxy settings
+PodmanArgs=--http-proxy=false
+
+[Service]
+ExecStartPre=/usr/local/sbin/tokensmith_bootstrap_token.sh metadata-service
+Restart=always
diff --git a/systemd/containers/opaal-idp.container b/systemd/containers/opaal-idp.container