hosts: remove vaulttest01

Test host no longer needed.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

flake.nix

@@ -204,15 +204,6 @@
             ./hosts/vault01
           ];
         };
-        vaulttest01 = nixpkgs.lib.nixosSystem {
-          inherit system;
-          specialArgs = {
-            inherit inputs self sops-nix;
-          };
-          modules = commonModules ++ [
-            ./hosts/vaulttest01
-          ];
-        };
       };
       packages = forAllSystems (
         { pkgs }:

hosts/vaulttest01/configuration.nix

@@ -1,135 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-
-let
-  vault-test-script = pkgs.writeShellApplication {
-    name = "vault-test";
-    text = ''
-      echo "=== Vault Secret Test ==="
-      echo "Secret path: hosts/vaulttest01/test-service"
-
-      if [ -f /run/secrets/test-service/password ]; then
-        echo "✓ Password file exists"
-        echo "Password length: $(wc -c < /run/secrets/test-service/password)"
-      else
-        echo "✗ Password file missing!"
-        exit 1
-      fi
-
-      if [ -d /var/lib/vault/cache/test-service ]; then
-        echo "✓ Cache directory exists"
-      else
-        echo "✗ Cache directory missing!"
-        exit 1
-      fi
-
-      echo "Test successful!"
-    '';
-  };
-in
-{
-  imports = [
-    ../template2/hardware-configuration.nix
-
-    ../../system
-    ../../common/vm
-  ];
-
-  homelab.host = {
-    tier = "test";
-    priority = "low";
-    role = "vault";
-  };
-
-  nixpkgs.config.allowUnfree = true;
-  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/vda";
-
-  networking.hostName = "vaulttest01";
-  networking.domain = "home.2rjus.net";
-  networking.useNetworkd = true;
-  networking.useDHCP = false;
-  services.resolved.enable = true;
-  networking.nameservers = [
-    "10.69.13.5"
-    "10.69.13.6"
-  ];
-
-  systemd.network.enable = true;
-  systemd.network.networks."ens18" = {
-    matchConfig.Name = "ens18";
-    address = [
-      "10.69.13.150/24"
-    ];
-    routes = [
-      { Gateway = "10.69.13.1"; }
-    ];
-    linkConfig.RequiredForOnline = "routable";
-  };
-  time.timeZone = "Europe/Oslo";
-
-  nix.settings.experimental-features = [
-    "nix-command"
-    "flakes"
-  ];
-  nix.settings.tarball-ttl = 0;
-  environment.systemPackages = with pkgs; [
-    vim
-    wget
-    git
-    htop # test deploy verification
-  ];
-
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  networking.firewall.enable = false;
-
-  # Testing config
-  # Enable Vault secrets management
-  vault.enable = true;
-  homelab.deploy.enable = true;
-
-  # Define a test secret
-  vault.secrets.test-service = {
-    secretPath = "hosts/vaulttest01/test-service";
-    restartTrigger = true;
-    restartInterval = "daily";
-    services = [ "vault-test" ];
-  };
-
-  # Create a test service that uses the secret
-  systemd.services.vault-test = {
-    description = "Test Vault secret fetching";
-    wantedBy = [ "multi-user.target" ];
-    after = [ "vault-secret-test-service.service" ];
-
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-
-      ExecStart = lib.getExe vault-test-script;
-
-      StandardOutput = "journal+console";
-    };
-  };
-
-  # Test ACME certificate issuance from OpenBao PKI
-  # Override the global ACME server (from system/acme.nix) to use OpenBao instead of step-ca
-  security.acme.defaults.server = lib.mkForce "https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory";
-
-  # Request a certificate for this host
-  # Using HTTP-01 challenge with standalone listener on port 80
-  security.acme.certs."vaulttest01.home.2rjus.net" = {
-    listenHTTP = ":80";
-    enableDebugLogs = true;
-  };
-
-  system.stateVersion = "25.11"; # Did you read the comment?
-}
-

hosts/vaulttest01/default.nix

@@ -1,5 +0,0 @@
-{ ... }: {
-  imports = [
-    ./configuration.nix
-  ];
-}

terraform/vault/approle.tf

@@ -101,11 +101,6 @@ locals {
       ]
     }
 
-    "vaulttest01" = {
-      paths = [
-        "secret/data/hosts/vaulttest01/*",
-      ]
-    }
   }
 }
 

terraform/vault/hosts-generated.tf

@@ -5,12 +5,6 @@
 # Each host gets access to its own secrets under hosts/<hostname>/*
 locals {
   generated_host_policies = {
-    "vaulttest01" = {
-      paths = [
-        "secret/data/hosts/vaulttest01/*",
-      ]
-    }
-
   }
 
   # Placeholder secrets - user should add actual secrets manually or via tofu

terraform/vault/secrets.tf

@@ -45,12 +45,6 @@ locals {
       password_length = 24
     }
 
-    # TODO: Remove after testing
-    "hosts/vaulttest01/test-service" = {
-      auto_generate   = true
-      password_length = 32
-    }
-
     # Shared backup password (auto-generated, add alongside existing restic key)
     "shared/backup/password" = {
       auto_generate   = true

terraform/vms.tf

@@ -45,14 +45,6 @@ locals {
       disk_size    = "20G"
       flake_branch = "vault-setup" # Bootstrap from this branch instead of master
     }
-    "vaulttest01" = {
-      ip                  = "10.69.13.150/24"
-      cpu_cores           = 2
-      memory              = 2048
-      disk_size           = "20G"
-      flake_branch        = "pki-migration"
-      vault_wrapped_token = "s.UCpQCOp7cOKDdtGGBvfRWwAt"
-    }
   }
 
   # Compute VM configurations with defaults applied