diff --git a/TODO.md b/TODO.md index 553ed40..ab93fc4 100644 --- a/TODO.md +++ b/TODO.md @@ -185,7 +185,7 @@ create-host \ **Current Architecture:** ``` -vault.home.2rjus.net (10.69.13.19) +vault01.home.2rjus.net (10.69.13.19) ├─ KV Secrets Engine (ready to replace sops-nix) │ ├─ secret/hosts/{hostname}/* │ ├─ secret/services/{service}/* @@ -243,7 +243,7 @@ vault.home.2rjus.net (10.69.13.19) - [x] File storage backend - [x] Self-signed TLS certificates via LoadCredential - [x] Deploy to infrastructure - - [x] DNS entry added for vault.home.2rjus.net + - [x] DNS entry added for vault01.home.2rjus.net - [x] VM deployed via terraform - [x] Verified OpenBao running and auto-unsealing @@ -353,7 +353,7 @@ vault.home.2rjus.net (10.69.13.19) - [x] Enabled ACME on intermediate CA - [x] Created PKI role for `*.home.2rjus.net` - [x] Set certificate TTLs (30 day max) and allowed domains - - [x] ACME directory: `https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory` + - [x] ACME directory: `https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory` - [ ] Download and distribute root CA certificate - [ ] Export root CA: `bao read -field=certificate pki/cert/ca > homelab-root-ca.crt` - [ ] Add to NixOS trust store on all hosts via `security.pki.certificateFiles` @@ -368,7 +368,7 @@ vault.home.2rjus.net (10.69.13.19) - [ ] Update service configuration - [ ] Migrate hosts from step-ca to OpenBao - [ ] Update `system/acme.nix` to use OpenBao ACME endpoint - - [ ] Change server to `https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory` + - [ ] Change server to `https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory` - [ ] Test on one host (non-critical service) - [ ] Roll out to all hosts via auto-upgrade - [ ] Configure SSH CA in OpenBao (optional, future work) diff --git a/docs/vault-bootstrap-implementation.md b/docs/vault-bootstrap-implementation.md index 8a47580..5bf60e8 100644 --- a/docs/vault-bootstrap-implementation.md 
+++ b/docs/vault-bootstrap-implementation.md @@ -37,7 +37,7 @@ Phase 4d implements automatic Vault/OpenBao integration for new NixOS hosts, ena │ Cloud-init (VM Provisioning) │ │ │ │ /etc/environment: │ -│ VAULT_ADDR=https://vault.home.2rjus.net:8200 │ +│ VAULT_ADDR=https://vault01.home.2rjus.net:8200 │ │ VAULT_WRAPPED_TOKEN=hvs.CAES... │ │ VAULT_SKIP_VERIFY=1 │ └─────────────────────────────────────────────────────────────┘ @@ -117,7 +117,7 @@ vault-fetch hosts/monitoring01/grafana /run/secrets/grafana ``` **Environment Variables**: -- `VAULT_ADDR`: Vault server (default: https://vault.home.2rjus.net:8200) +- `VAULT_ADDR`: Vault server (default: https://vault01.home.2rjus.net:8200) - `VAULT_SKIP_VERIFY`: Skip TLS verification (default: 1) **Error Handling**: @@ -237,7 +237,7 @@ fi write_files: - path: /etc/environment content: | - VAULT_ADDR=https://vault.home.2rjus.net:8200 + VAULT_ADDR=https://vault01.home.2rjus.net:8200 VAULT_WRAPPED_TOKEN=${vault_wrapped_token} VAULT_SKIP_VERIFY=1 ``` diff --git a/docs/vault-bootstrap-testing.md b/docs/vault-bootstrap-testing.md index 9e6cf93..ed2eb45 100644 --- a/docs/vault-bootstrap-testing.md +++ b/docs/vault-bootstrap-testing.md @@ -6,7 +6,7 @@ This guide walks through testing the complete Vault bootstrap workflow implement Before testing, ensure: -1. **Vault server is running**: vault01 (vault.home.2rjus.net:8200) is accessible +1. **Vault server is running**: vault01 (vault01.home.2rjus.net:8200) is accessible 2. **Vault access**: You have a Vault token with admin permissions (set `BAO_TOKEN` env var) 3. **Terraform installed**: OpenTofu is available in your PATH 4. **Git repository clean**: All Phase 4d changes are committed to a branch @@ -172,7 +172,7 @@ tofu apply **Verify the secret exists:** ```bash -export VAULT_ADDR=https://vault.home.2rjus.net:8200 +export VAULT_ADDR=https://vault01.home.2rjus.net:8200 export VAULT_SKIP_VERIFY=1 vault kv get secret/hosts/vaulttest01/test-service 
@@ -227,7 +227,7 @@ systemctl status vault-secret-test-service.service journalctl -u vault-secret-test-service.service # Should show successful secret fetch: -# [vault-fetch] Authenticating to Vault at https://vault.home.2rjus.net:8200 +# [vault-fetch] Authenticating to Vault at https://vault01.home.2rjus.net:8200 # [vault-fetch] Successfully authenticated to Vault # [vault-fetch] Fetching secret from path: hosts/vaulttest01/test-service # [vault-fetch] Writing secrets to /run/secrets/test-service diff --git a/hosts/template2/bootstrap.nix b/hosts/template2/bootstrap.nix index 322e171..8aac949 100644 --- a/hosts/template2/bootstrap.nix +++ b/hosts/template2/bootstrap.nix @@ -27,7 +27,7 @@ let if [ -n "''${VAULT_WRAPPED_TOKEN:-}" ]; then echo "Unwrapping Vault token to get AppRole credentials..." - VAULT_ADDR="''${VAULT_ADDR:-https://vault.home.2rjus.net:8200}" + VAULT_ADDR="''${VAULT_ADDR:-https://vault01.home.2rjus.net:8200}" # Unwrap the token to get role_id and secret_id UNWRAP_RESPONSE=$(curl -sk -X POST \ diff --git a/scripts/create-host/vault_helper.py b/scripts/create-host/vault_helper.py index ce15683..368fb9b 100644 --- a/scripts/create-host/vault_helper.py +++ b/scripts/create-host/vault_helper.py @@ -25,7 +25,7 @@ def get_vault_client(vault_addr: Optional[str] = None, vault_token: Optional[str """ # Get Vault address if vault_addr is None: - vault_addr = os.getenv("BAO_ADDR", "https://vault.home.2rjus.net:8200") + vault_addr = os.getenv("BAO_ADDR", "https://vault01.home.2rjus.net:8200") # Get Vault token if vault_token is None: diff --git a/scripts/vault-fetch/README.md b/scripts/vault-fetch/README.md index 80d7b27..688f20c 100644 --- a/scripts/vault-fetch/README.md +++ b/scripts/vault-fetch/README.md 
@@ -45,7 +45,7 @@ If Vault is unreachable or authentication fails: ## Environment Variables -- `VAULT_ADDR`: Vault server address (default: `https://vault.home.2rjus.net:8200`) +- `VAULT_ADDR`: Vault server address (default: `https://vault01.home.2rjus.net:8200`) - `VAULT_SKIP_VERIFY`: Skip TLS verification (default: `1`) ## Integration with NixOS diff --git a/scripts/vault-fetch/vault-fetch.sh b/scripts/vault-fetch/vault-fetch.sh index 6fce712..92a1e3f 100644 --- a/scripts/vault-fetch/vault-fetch.sh +++ b/scripts/vault-fetch/vault-fetch.sh @@ -26,7 +26,7 @@ OUTPUT_DIR="$2" CACHE_DIR="${3:-/var/lib/vault/cache/$(basename "$OUTPUT_DIR")}" # Vault configuration -VAULT_ADDR="${VAULT_ADDR:-https://vault.home.2rjus.net:8200}" +VAULT_ADDR="${VAULT_ADDR:-https://vault01.home.2rjus.net:8200}" VAULT_SKIP_VERIFY="${VAULT_SKIP_VERIFY:-1}" APPROLE_DIR="/var/lib/vault/approle" diff --git a/system/vault-secrets.nix b/system/vault-secrets.nix index 98fe2e6..f6b5e7c 100644 --- a/system/vault-secrets.nix +++ b/system/vault-secrets.nix @@ -124,7 +124,7 @@ in vaultAddress = mkOption { type = types.str; - default = "https://vault.home.2rjus.net:8200"; + default = "https://vault01.home.2rjus.net:8200"; description = "Vault server address"; }; diff --git a/terraform/vault/README.md b/terraform/vault/README.md index eb4d3b7..42120a0 100644 --- a/terraform/vault/README.md +++ b/terraform/vault/README.md @@ -19,7 +19,7 @@ Manages the following OpenBao resources: 2. **Edit `terraform.tfvars` with your OpenBao credentials:** ```hcl - vault_address = "https://vault.home.2rjus.net:8200" + vault_address = "https://vault01.home.2rjus.net:8200" vault_token = "hvs.your-root-token-here" vault_skip_tls_verify = true ``` @@ -120,7 +120,7 @@ bao write pki_int/config/acme enabled=true ACME directory endpoint: ``` -https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory +https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory ``` Use with ACME clients (lego, certbot, cert-manager, etc.): 
@@ -128,7 +128,7 @@ Use with ACME clients (lego, certbot, cert-manager, etc.): # Example with lego lego --email admin@home.2rjus.net \ --dns manual \ - --server https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory \ + --server https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory \ --accept-tos \ run -d test.home.2rjus.net ``` @@ -239,18 +239,18 @@ After deploying this configuration, perform these one-time setup tasks: ### 1. Enable ACME ```bash -export BAO_ADDR='https://vault.home.2rjus.net:8200' +export BAO_ADDR='https://vault01.home.2rjus.net:8200' export BAO_TOKEN='your-root-token' export BAO_SKIP_VERIFY=1 # Configure cluster path (required for ACME) -bao write pki_int/config/cluster path=https://vault.home.2rjus.net:8200/v1/pki_int +bao write pki_int/config/cluster path=https://vault01.home.2rjus.net:8200/v1/pki_int # Enable ACME on intermediate CA bao write pki_int/config/acme enabled=true # Verify ACME is enabled -curl -k https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory +curl -k https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory ``` ### 2. Download Root CA Certificate diff --git a/terraform/vault/pki.tf b/terraform/vault/pki.tf index d8b1560..f3ddea3 100644 --- a/terraform/vault/pki.tf +++ b/terraform/vault/pki.tf @@ -16,7 +16,7 @@ # # 1. ACME (Automated Certificate Management Environment) # - Services fetch certificates automatically using ACME protocol -# - ACME directory: https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory +# - ACME directory: https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory # - Enable ACME: bao write pki_int/config/acme enabled=true # - Compatible with cert-manager, lego, certbot, etc. # @@ -149,7 +149,7 @@ locals { static_certificates = { # Example: Issue a certificate for a specific service # "vault" = { - # common_name = "vault.home.2rjus.net" + # common_name = "vault01.home.2rjus.net" # alt_names = ["vault01.home.2rjus.net"] # ip_sans = ["10.69.13.19"] # ttl = "8760h" # 1 year 
diff --git a/terraform/vault/terraform.tfvars.example b/terraform/vault/terraform.tfvars.example index 23f9f87..bde518a 100644 --- a/terraform/vault/terraform.tfvars.example +++ b/terraform/vault/terraform.tfvars.example @@ -1,6 +1,6 @@ # Copy this file to terraform.tfvars and fill in your values # terraform.tfvars is gitignored to keep credentials safe -vault_address = "https://vault.home.2rjus.net:8200" +vault_address = "https://vault01.home.2rjus.net:8200" vault_token = "hvs.XXXXXXXXXXXXXXXXXXXX" vault_skip_tls_verify = true diff --git a/terraform/vault/variables.tf b/terraform/vault/variables.tf index be0a9d1..52c90e6 100644 --- a/terraform/vault/variables.tf +++ b/terraform/vault/variables.tf @@ -1,7 +1,7 @@ variable "vault_address" { description = "OpenBao server address" type = string - default = "https://vault.home.2rjus.net:8200" + default = "https://vault01.home.2rjus.net:8200" } variable "vault_token" {
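Review bot: the completed checklist item in TODO.md "DNS entry added for vault.home.2rjus.net" is rewritten to name vault01.home.2rjus.net, but nothing in this diff adds or removes a DNS record; confirm the vault01.home.2rjus.net A record actually exists before changing a `[x]` item, and decide explicitly whether the old `vault.home.2rjus.net` name is retired or kept as an alias, since any host that has not yet picked up the new defaults will still resolve the old name.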
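Review bot: in docs/vault-bootstrap-testing.md the prerequisites line now reads "vault01 (vault01.home.2rjus.net:8200)", which repeats the host name; suggest "vault01 (https://vault01.home.2rjus.net:8200)" so the parenthetical adds the URL rather than restating the name.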
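Review bot: the new default address in scripts/vault-fetch/vault-fetch.sh and hosts/template2/bootstrap.nix only gains anything from TLS if the server certificate carries vault01.home.2rjus.net as a SAN, and with `VAULT_SKIP_VERIFY="${VAULT_SKIP_VERIFY:-1}"` and `curl -sk` a name mismatch after this rename would go unnoticed; the TODO in this same diff already plans to distribute the root CA via `security.pki.certificateFiles`, so this is a good point to check the certificate's SANs and to track flipping the skip-verify default to `0` once the root CA is in the trust store.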
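Review bot: scripts/create-host/vault_helper.py reads the address from `BAO_ADDR` while vault-fetch.sh, bootstrap.nix and vault-secrets.nix read `VAULT_ADDR`; since this change touches every default in one go, consider having `get_vault_client` fall back to `VAULT_ADDR` as well (or documenting both names in the READMEs) so an operator who exports one variable does not silently fall through to the hardcoded default.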
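Review bot: in the `static_certificates` example in terraform/vault/pki.tf, `common_name` and `alt_names` are now both `vault01.home.2rjus.net`, so the SAN entry duplicates the CN and no longer illustrates anything; either drop the `alt_names` line or keep `vault.home.2rjus.net` there as the alias if clients may still reach the server by the old name during the cutover (the block is commented out, so this is documentation only, but it is the example people will copy).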