From 1ae0e67e805fb1509cd6f0a753ff83ddcd59cd0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Mon, 2 Feb 2026 22:59:46 +0100
Subject: [PATCH] fixup! vault: implement bootstrap integration
---
 flake.nix | 16 ++++
 hosts/vaulttest01/configuration.nix | 110 ++++++++++++++++++++++++++++
 hosts/vaulttest01/default.nix | 5 ++
 terraform/variables.tf | 3 +-
 terraform/vault/hosts-generated.tf | 6 ++
 terraform/vault/secrets.tf | 6 +-
 terraform/vms.tf | 6 ++
 7 files changed, 150 insertions(+), 2 deletions(-)
 create mode 100644 hosts/vaulttest01/configuration.nix
 create mode 100644 hosts/vaulttest01/default.nix
diff --git a/flake.nix b/flake.nix
index ca95e7a..e435c97 100644
--- a/flake.nix
+++ b/flake.nix
@@ -366,6 +366,22 @@
 sops-nix.nixosModules.sops
 ];
 };
+ vaulttest01 = nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = {
+ inherit inputs self sops-nix;
+ };
+ modules = [
+ (
+ { config, pkgs, ... }:
+ {
+ nixpkgs.overlays = commonOverlays;
+ }
+ )
+ ./hosts/vaulttest01
+ sops-nix.nixosModules.sops
+ ];
+ };
 };
 packages = forAllSystems (
 { pkgs }:
diff --git a/hosts/vaulttest01/configuration.nix b/hosts/vaulttest01/configuration.nix
new file mode 100644
index 0000000..76342ff
--- /dev/null
+++ b/hosts/vaulttest01/configuration.nix
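Review bot: The inline module `{ config, pkgs, ... }: { nixpkgs.overlays = commonOverlays; }` in the new `vaulttest01` entry binds `config` and `pkgs` but uses neither, and the whole entry repeats the shape of the host entry just above it line for line. Write the module as `{ ... }: { nixpkgs.overlays = commonOverlays; }`, or introduce a small `mkHost = name: nixpkgs.lib.nixosSystem { ... }` helper so that adding a host becomes one line and the overlay/sops wiring cannot drift between hosts. The enclosing attribute set of host configurations starts before the hunk.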
@@ -0,0 +1,110 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+{
+ imports = [
+ ../template2/hardware-configuration.nix
+
+ ../../system
+ ../../common/vm
+ ];
+
+ nixpkgs.config.allowUnfree = true;
+ boot.loader.grub.enable = true;
+ boot.loader.grub.device = "/dev/vda";
+
+ networking.hostName = "vaulttest01";
+ networking.domain = "home.2rjus.net";
+ networking.useNetworkd = true;
+ networking.useDHCP = false;
+ services.resolved.enable = true;
+ networking.nameservers = [
+ "10.69.13.5"
+ "10.69.13.6"
+ ];
+
+ systemd.network.enable = true;
+ systemd.network.networks."ens18" = {
+ matchConfig.Name = "ens18";
+ address = [
+ "10.69.13.150/24"
+ ];
+ routes = [
+ { Gateway = "10.69.13.1"; }
+ ];
+ linkConfig.RequiredForOnline = "routable";
+ };
+ time.timeZone = "Europe/Oslo";
+
+ nix.settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ nix.settings.tarball-ttl = 0;
+ environment.systemPackages = with pkgs; [
+ vim
+ wget
+ git
+ ];
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ networking.firewall.enable = false;
+
+ # Testing config
+ # Enable Vault secrets management
+ vault.enable = true;
+
+ # Define a test secret
+ vault.secrets.test-service = {
+ secretPath = "hosts/vaulttest01/test-service";
+ restartTrigger = true;
+ restartInterval = "daily";
+ services = [ "vault-test" ];
+ };
+
+ # Create a test service that uses the secret
+ systemd.services.vault-test = {
+ description = "Test Vault secret fetching";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "vault-secret-test-service.service" ];
+
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+
+ ExecStart = pkgs.writeShellScript "vault-test" ''
+ echo "=== Vault Secret Test ==="
+ echo "Secret path: hosts/vaulttest01/test-service"
+
+ if [ -f /run/secrets/test-service/password ]; then
+ echo "✓ Password file exists"
+ echo "Password length: $(wc -c < /run/secrets/test-service/password)"
+ else
+ echo "✗ Password file missing!"
+ exit 1
+ fi
+
+ if [ -d /var/lib/vault/cache/test-service ]; then
+ echo "✓ Cache directory exists"
+ else
+ echo "✗ Cache directory missing!"
+ exit 1
+ fi
+
+ echo "Test successful!"
+ '';
+
+ StandardOutput = "journal+console";
+ };
+ };
+
+ system.stateVersion = "25.11"; # Did you read the comment?
+}
+
diff --git a/hosts/vaulttest01/default.nix b/hosts/vaulttest01/default.nix
new file mode 100644
index 0000000..57ed4b4
--- /dev/null
+++ b/hosts/vaulttest01/default.nix
@@ -0,0 +1,5 @@
+{ ... }: {
+ imports = [
+ ./configuration.nix
+ ];
+}
\ No newline at end of file
diff --git a/terraform/variables.tf b/terraform/variables.tf
index fe13cb0..29de2fb 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -33,7 +33,8 @@ variable "default_target_node" {
 variable "default_template_name" {
 description = "Default template VM name to clone from"
 type = string
- default = "nixos-25.11.20260128.fa83fd8"
+ # default = "nixos-25.11.20260128.fa83fd8"
+ default = "nixos-25.11.20260131.41e21c"
 }
 variable "default_ssh_public_key" {
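Review bot: `networking.firewall.enable = false;` switches the host firewall off on a machine that holds a Vault token and the secrets it fetches, and nothing in this file needs an inbound port (vault-test is a oneshot with no listener), so keep the default and open ports individually later if a real service needs them: `networking.firewall.enable = true;` or simply delete the line. Separately, vault-test declares only `after = [ "vault-secret-test-service.service" ];`, which orders the two units but does not pull the secret unit in; unless the vault module already does that from `services = [ "vault-test" ]` (not visible here), add `requires = [ "vault-secret-test-service.service" ];` so a missing secret fails the dependency rather than the script's file-existence check. The script logs only the byte count from `wc -c`, which is fine, but since output goes to `journal+console` it must stay that way and never echo the file contents.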
diff --git a/terraform/vault/hosts-generated.tf b/terraform/vault/hosts-generated.tf
index eb28aa7..5f9e337 100644
--- a/terraform/vault/hosts-generated.tf
+++ b/terraform/vault/hosts-generated.tf
@@ -5,6 +5,12 @@
 # Each host gets access to its own secrets under hosts//*
 locals {
 generated_host_policies = {
+ "vaulttest01" = {
+ paths = [
+ "secret/data/hosts/vaulttest01/*",
+ ]
+ }
+
 }
 # Placeholder secrets - user should add actual secrets manually or via tofu
diff --git a/terraform/vault/secrets.tf b/terraform/vault/secrets.tf
index 1f65d82..72f3996 100644
--- a/terraform/vault/secrets.tf
+++ b/terraform/vault/secrets.tf
@@ -46,7 +46,11 @@ locals {
 auto_generate = true
 password_length = 24
 }
-
+ # TODO: Remove after testing
+ "hosts/vaulttest01/test-service" = {
+ auto_generate = true
+ password_length = 24
+ }
 }
 }
diff --git a/terraform/vms.tf b/terraform/vms.tf
index 754501f..c679cec 100644
--- a/terraform/vms.tf
+++ b/terraform/vms.tf
@@ -45,6 +45,12 @@ locals {
 disk_size = "20G"
 flake_branch = "vault-setup" # Bootstrap from this branch instead of master
 }
+ "vaulttest01" = {
+ ip = "10.69.13.150/24"
+ cpu_cores = 2
+ memory = 2048
+ disk_size = "20G"
+ }
 }
 # Compute VM configurations with defaults applied
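Review bot: The new `vaulttest01` policy entry carries no removal marker, while the secret it is meant to reach is tagged `# TODO: Remove after testing` in secrets.tf; when that secret is cleaned up, this policy and whatever auth role is bound to it would stay behind, granting `secret/data/hosts/vaulttest01/*` to a host that no longer exists. Add the same marker above the entry, `# TODO: Remove after testing (together with the secrets.tf entry)`, so the two are retired in one change. The file name and the header comment suggest this block is generated from the host list; if so, the entry should come from the generator rather than a hand edit, otherwise the next regeneration may silently drop it. The enclosing `locals` block starts before the hunk.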
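Review bot: `auto_generate = true` copies the sibling entry, and if generation is backed by a Terraform random-password resource (the implementation is not visible here) the value also lands in Terraform state in plaintext, so the test secret's real lifetime is the state's, not Vault's. Extend the comment so the cleanup step is unambiguous, e.g. `# TODO: Remove after testing; dropping this entry destroys the Vault secret on the next apply and the generated value remains in state history`, and make sure the state backend is encrypted at rest before generating anything that is not throwaway. The matching policy in hosts-generated.tf should be removed in the same change. The enclosing `locals` block starts before the hunk.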
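Review bot: The new `vaulttest01` entry sets no `flake_branch`, while the entry directly above it carries `flake_branch = "vault-setup" # Bootstrap from this branch instead of master`; the `vaulttest01` host configuration is only added in this same patch, so if the default branch is still master the bootstrap will not find it. Add `flake_branch = "vault-setup"` next to `disk_size = "20G"` unless the branch has already been merged. The `ip` here also duplicates the static `10.69.13.150/24` in configuration.nix; a mismatch would leave the VM unreachable with no error, so a comment pointing at the other copy (`# must match systemd.network address in hosts/vaulttest01/configuration.nix`) is worth the line. The enclosing `locals` map starts before the hunk.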