diff --git a/flake.nix b/flake.nix
index 95cbcb6..ba1b16e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -204,15 +204,6 @@
 ./hosts/vault01
 ];
 };
- vaulttest01 = nixpkgs.lib.nixosSystem {
- inherit system;
- specialArgs = {
- inherit inputs self sops-nix;
- };
- modules = commonModules ++ [
- ./hosts/vaulttest01
- ];
- };
 };
 packages = forAllSystems (
 { pkgs }:
diff --git a/hosts/vaulttest01/configuration.nix b/hosts/vaulttest01/configuration.nix
deleted file mode 100644
index 2165a9f..0000000
--- a/hosts/vaulttest01/configuration.nix
+++ /dev/null
@@ -1,135 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
-
-let
- vault-test-script = pkgs.writeShellApplication {
- name = "vault-test";
- text = ''
- echo "=== Vault Secret Test ==="
- echo "Secret path: hosts/vaulttest01/test-service"
-
- if [ -f /run/secrets/test-service/password ]; then
- echo "✓ Password file exists"
- echo "Password length: $(wc -c < /run/secrets/test-service/password)"
- else
- echo "✗ Password file missing!"
- exit 1
- fi
-
- if [ -d /var/lib/vault/cache/test-service ]; then
- echo "✓ Cache directory exists"
- else
- echo "✗ Cache directory missing!"
- exit 1
- fi
-
- echo "Test successful!"
- '';
- };
-in
-{
- imports = [
- ../template2/hardware-configuration.nix
-
- ../../system
- ../../common/vm
- ];
-
- homelab.host = {
- tier = "test";
- priority = "low";
- role = "vault";
- };
-
- nixpkgs.config.allowUnfree = true;
- boot.loader.grub.enable = true;
- boot.loader.grub.device = "/dev/vda";
-
- networking.hostName = "vaulttest01";
- networking.domain = "home.2rjus.net";
- networking.useNetworkd = true;
- networking.useDHCP = false;
- services.resolved.enable = true;
- networking.nameservers = [
- "10.69.13.5"
- "10.69.13.6"
- ];
-
- systemd.network.enable = true;
- systemd.network.networks."ens18" = {
- matchConfig.Name = "ens18";
- address = [
- "10.69.13.150/24"
- ];
- routes = [
- { Gateway = "10.69.13.1"; }
- ];
- linkConfig.RequiredForOnline = "routable";
- };
- time.timeZone = "Europe/Oslo";
-
- nix.settings.experimental-features = [
- "nix-command"
- "flakes"
- ];
- nix.settings.tarball-ttl = 0;
- environment.systemPackages = with pkgs; [
- vim
- wget
- git
- htop # test deploy verification
- ];
-
- # Open ports in the firewall.
- # networking.firewall.allowedTCPPorts = [ ... ];
- # networking.firewall.allowedUDPPorts = [ ... ];
- # Or disable the firewall altogether.
- networking.firewall.enable = false;
-
- # Testing config
- # Enable Vault secrets management
- vault.enable = true;
- homelab.deploy.enable = true;
-
- # Define a test secret
- vault.secrets.test-service = {
- secretPath = "hosts/vaulttest01/test-service";
- restartTrigger = true;
- restartInterval = "daily";
- services = [ "vault-test" ];
- };
-
- # Create a test service that uses the secret
- systemd.services.vault-test = {
- description = "Test Vault secret fetching";
- wantedBy = [ "multi-user.target" ];
- after = [ "vault-secret-test-service.service" ];
-
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
-
- ExecStart = lib.getExe vault-test-script;
-
- StandardOutput = "journal+console";
- };
- };
-
- # Test ACME certificate issuance from OpenBao PKI
- # Override the global ACME server (from system/acme.nix) to use OpenBao instead of step-ca
- security.acme.defaults.server = lib.mkForce "https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory";
-
- # Request a certificate for this host
- # Using HTTP-01 challenge with standalone listener on port 80
- security.acme.certs."vaulttest01.home.2rjus.net" = {
- listenHTTP = ":80";
- enableDebugLogs = true;
- };
-
- system.stateVersion = "25.11"; # Did you read the comment?
-}
-
diff --git a/hosts/vaulttest01/default.nix b/hosts/vaulttest01/default.nix
deleted file mode 100644
index 57ed4b4..0000000
--- a/hosts/vaulttest01/default.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ ... }: {
- imports = [
- ./configuration.nix
- ];
-}
\ No newline at end of file
diff --git a/terraform/vault/approle.tf b/terraform/vault/approle.tf
index 6f2fd05..6719dff 100644
--- a/terraform/vault/approle.tf
+++ b/terraform/vault/approle.tf
@@ -101,11 +101,6 @@ locals {
 ]
 }
- "vaulttest01" = {
- paths = [
- "secret/data/hosts/vaulttest01/*",
- ]
- }
 }
 }
diff --git a/terraform/vault/hosts-generated.tf b/terraform/vault/hosts-generated.tf
index 204893d..7b3049b 100644
--- a/terraform/vault/hosts-generated.tf
+++ b/terraform/vault/hosts-generated.tf
@@ -5,12 +5,6 @@
 # Each host gets access to its own secrets under hosts//*
 locals {
 generated_host_policies = {
- "vaulttest01" = {
- paths = [
- "secret/data/hosts/vaulttest01/*",
- ]
- }
- }
 # Placeholder secrets - user should add actual secrets manually or via tofu
diff --git a/terraform/vault/secrets.tf b/terraform/vault/secrets.tf
index bfc9bd7..8f5556f 100644
--- a/terraform/vault/secrets.tf
+++ b/terraform/vault/secrets.tf
@@ -45,12 +45,6 @@ locals {
 password_length = 24
 }
- # TODO: Remove after testing
- "hosts/vaulttest01/test-service" = {
- auto_generate = true
- password_length = 32
- }
-
- # Shared backup password (auto-generated, add alongside existing restic key)
- "shared/backup/password" = {
- auto_generate = true
diff --git a/terraform/vms.tf b/terraform/vms.tf
index de8e2af..7fb4880 100644
--- a/terraform/vms.tf
+++ b/terraform/vms.tf
@@ -45,14 +45,6 @@ locals {
 disk_size = "20G"
 flake_branch = "vault-setup" # Bootstrap from this branch instead of master
 }
- "vaulttest01" = {
- ip = "10.69.13.150/24"
- cpu_cores = 2
- memory = 2048
- disk_size = "20G"
- flake_branch = "pki-migration"
- vault_wrapped_token = "s.UCpQCOp7cOKDdtGGBvfRWwAt"
- }
 }
 # Compute VM configurations with defaults applied