torjus/nixos-servers
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity

Merge pull request 'add-deploy-homelab' (#28) from add-deploy-homelab into master
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m9s
Details

Browse Source 
Reviewed-on: #28
This commit was merged in pull request #28.
This commit is contained in:
Torjus Håkestad
2026-02-07 05:56:51 +00:00
parent 2f195d26d3 c214f8543c
commit 6e93b8eae3
17 changed files with 193 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
flake.lock generated
View File

@@ -21,6 +21,27 @@
"url": "https://git.t-juice.club/torjus/alerttonotify" "url": "https://git.t-juice.club/torjus/alerttonotify"
} }
}, },
"homelab-deploy": {
"inputs": {
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1770443536,
"narHash": "sha256-UufZIVggiioMFDSjKx+ifgkDOk9alNSiRmkvc4/+HIA=",
"ref": "master",
"rev": "95b795dcfd86b7b36045bba67e536b3a1c61dd33",
"revCount": 20,
"type": "git",
"url": "https://git.t-juice.club/torjus/homelab-deploy"
},
"original": {
"ref": "master",
"type": "git",
"url": "https://git.t-juice.club/torjus/homelab-deploy"
}
},
"labmon": { "labmon": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -97,6 +118,7 @@
"root": { "root": {
"inputs": { "inputs": {
"alerttonotify": "alerttonotify", "alerttonotify": "alerttonotify",
"homelab-deploy": "homelab-deploy",
"labmon": "labmon", "labmon": "labmon",
"nixos-exporter": "nixos-exporter", "nixos-exporter": "nixos-exporter",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",

15
flake.nix
View File

@@ -21,6 +21,10 @@
url = "git+https://git.t-juice.club/torjus/nixos-exporter"; url = "git+https://git.t-juice.club/torjus/nixos-exporter";
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "nixpkgs-unstable";
}; };
homelab-deploy = {
url = "git+https://git.t-juice.club/torjus/homelab-deploy?ref=master";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
}; };
outputs = outputs =
@@ -32,6 +36,7 @@
alerttonotify, alerttonotify,
labmon, labmon,
nixos-exporter, nixos-exporter,
homelab-deploy,
... ...
}@inputs: }@inputs:
let let
@@ -58,6 +63,7 @@
) )
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
nixos-exporter.nixosModules.default nixos-exporter.nixosModules.default
homelab-deploy.nixosModules.default
./modules/homelab ./modules/homelab
]; ];
allSystems = [ allSystems = [
@@ -219,11 +225,12 @@
{ pkgs }: { pkgs }:
{ {
default = pkgs.mkShell { default = pkgs.mkShell {
packages = with pkgs; [ packages = [
ansible pkgs.ansible
opentofu pkgs.opentofu
openbao pkgs.openbao
(pkgs.callPackage ./scripts/create-host { }) (pkgs.callPackage ./scripts/create-host { })
homelab-deploy.packages.${pkgs.system}.default
]; ];
}; };
} }

1
hosts/ha1/configuration.nix
View File

@@ -57,6 +57,7 @@
# Vault secrets management # Vault secrets management
vault.enable = true; vault.enable = true;
homelab.deploy.enable = true;
vault.secrets.backup-helper = { vault.secrets.backup-helper = {
secretPath = "shared/backup/password"; secretPath = "shared/backup/password";
extractKey = "password"; extractKey = "password";

1
hosts/http-proxy/configuration.nix
View File

@@ -61,6 +61,7 @@
"flakes" "flakes"
]; ];
vault.enable = true; vault.enable = true;
homelab.deploy.enable = true;
nix.settings.tarball-ttl = 0; nix.settings.tarball-ttl = 0;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [

1
hosts/monitoring01/configuration.nix
View File

@@ -58,6 +58,7 @@
# Vault secrets management # Vault secrets management
vault.enable = true; vault.enable = true;
homelab.deploy.enable = true;
vault.secrets.backup-helper = { vault.secrets.backup-helper = {
secretPath = "shared/backup/password"; secretPath = "shared/backup/password";
extractKey = "password"; extractKey = "password";

1
hosts/nix-cache01/configuration.nix
View File

@@ -55,6 +55,7 @@
"flakes" "flakes"
]; ];
vault.enable = true; vault.enable = true;
homelab.deploy.enable = true;
nix.settings.tarball-ttl = 0; nix.settings.tarball-ttl = 0;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [

1
hosts/ns1/configuration.nix
View File

@@ -48,6 +48,7 @@
"flakes" "flakes"
]; ];
vault.enable = true; vault.enable = true;
homelab.deploy.enable = true;
homelab.host = { homelab.host = {
role = "dns"; role = "dns";

1
hosts/ns2/configuration.nix
View File

@@ -48,6 +48,7 @@
"flakes" "flakes"
]; ];
vault.enable = true; vault.enable = true;
homelab.deploy.enable = true;
homelab.host = { homelab.host = {
role = "dns"; role = "dns";

1
hosts/vaulttest01/configuration.nix
View File

@@ -92,6 +92,7 @@ in
# Testing config # Testing config
# Enable Vault secrets management # Enable Vault secrets management
vault.enable = true; vault.enable = true;
homelab.deploy.enable = true;
# Define a test secret # Define a test secret
vault.secrets.test-service = { vault.secrets.test-service = {

1
modules/homelab/default.nix
View File

@@ -1,6 +1,7 @@
{ ... }: { ... }:
{ {
imports = [ imports = [
./deploy.nix
./dns.nix ./dns.nix
./host.nix ./host.nix
./monitoring.nix ./monitoring.nix

16
modules/homelab/deploy.nix Normal file
View File

@@ -0,0 +1,16 @@
{ config, lib, ... }:
{
options.homelab.deploy = {
enable = lib.mkEnableOption "homelab-deploy listener for NATS-based deployments";
};
config = {
assertions = [
{
assertion = config.homelab.deploy.enable -> config.vault.enable;
message = "homelab.deploy.enable requires vault.enable to be true (needed for NKey secret)";
}
];
};
}

56
services/nats/default.nix
View File

@@ -1,16 +1,18 @@
{ ... }: { ... }:
{ {
homelab.monitoring.scrapeTargets = [{ homelab.monitoring.scrapeTargets = [
job_name = "nats"; {
port = 7777; job_name = "nats";
}]; port = 7777;
}
];
services.prometheus.exporters.nats = { services.prometheus.exporters.nats = {
enable = true; enable = true;
url = "http://localhost:8222"; url = "http://localhost:8222";
extraFlags = [ extraFlags = [
"-varz" # General server info "-varz" # General server info
"-connz" # Connection info "-connz" # Connection info
"-jsz=all" # JetStream info "-jsz=all" # JetStream info
]; ];
}; };
@@ -38,6 +40,48 @@
} }
]; ];
}; };
DEPLOY = {
users = [
# Shared listener (all hosts use this)
{
nkey = "UCCZJSUGLCSLBBKHBPL4QA66TUMQUGIXGLIFTWDEH43MGWM3LDD232X4";
permissions = {
subscribe = [
"deploy.test.>"
"deploy.prod.>"
"deploy.discover"
];
publish = [
"deploy.responses.>"
"deploy.discover"
];
};
}
# Test deployer (MCP without admin)
{
nkey = "UBR66CX2ZNY5XNVQF5VBG4WFAF54LSGUYCUNNCEYRILDQ4NXDAD2THZU";
permissions = {
publish = [
"deploy.test.>"
"deploy.discover"
];
subscribe = [
"deploy.responses.>"
"deploy.discover"
];
};
}
# Admin deployer (full access)
{
nkey = "UD2BFB7DLM67P5UUVCKBUJMCHADIZLGGVUNSRLZE2ZC66FW2XT44P73Y";
permissions = {
publish = [ "deploy.>" ];
subscribe = [ "deploy.>" ];
};
}
];
};
}; };
system_account = "ADMIN"; system_account = "ADMIN";
jetstream = { jetstream = {

1
system/default.nix
View File

@@ -3,6 +3,7 @@
imports = [ imports = [
./acme.nix ./acme.nix
./autoupgrade.nix ./autoupgrade.nix
./homelab-deploy.nix
./monitoring ./monitoring
./motd.nix ./motd.nix
./packages.nix ./packages.nix

30
system/homelab-deploy.nix Normal file
View File

@@ -0,0 +1,30 @@
{ config, lib, ... }:
let
hostCfg = config.homelab.host;
in
{
config = lib.mkIf config.homelab.deploy.enable {
# Fetch listener NKey from Vault
vault.secrets.homelab-deploy-nkey = {
secretPath = "shared/homelab-deploy/listener-nkey";
extractKey = "nkey";
};
# Enable homelab-deploy listener
services.homelab-deploy.listener = {
enable = true;
tier = hostCfg.tier;
role = hostCfg.role;
natsUrl = "nats://nats1.home.2rjus.net:4222";
nkeyFile = "/run/secrets/homelab-deploy-nkey";
flakeUrl = "git+https://git.t-juice.club/torjus/nixos-servers.git";
};
# Ensure listener starts after vault secret is available
systemd.services.homelab-deploy-listener = {
after = [ "vault-secret-homelab-deploy-nkey.service" ];
requires = [ "vault-secret-homelab-deploy-nkey.service" ];
};
};
}

19
terraform/vault/approle.tf
View File

@@ -4,6 +4,17 @@ resource "vault_auth_backend" "approle" {
path = "approle" path = "approle"
} }
# Shared policy for homelab-deploy (all hosts need this for NATS-based deployments)
resource "vault_policy" "homelab_deploy" {
name = "homelab-deploy"
policy = <<EOT
path "secret/data/shared/homelab-deploy/*" {
capabilities = ["read", "list"]
}
EOT
}
# Define host access policies # Define host access policies
locals { locals {
host_policies = { host_policies = {
@@ -89,6 +100,12 @@ locals {
"secret/data/hosts/nix-cache01/*", "secret/data/hosts/nix-cache01/*",
] ]
} }
"vaulttest01" = {
paths = [
"secret/data/hosts/vaulttest01/*",
]
}
} }
} }
@@ -114,7 +131,7 @@ resource "vault_approle_auth_backend_role" "hosts" {
backend = vault_auth_backend.approle.path backend = vault_auth_backend.approle.path
role_name = each.key role_name = each.key
token_policies = concat( token_policies = concat(
["${each.key}-policy"], ["${each.key}-policy", "homelab-deploy"],
lookup(each.value, "extra_policies", []) lookup(each.value, "extra_policies", [])
) )

16
terraform/vault/secrets.tf
View File

@@ -92,6 +92,22 @@ locals {
auto_generate = false auto_generate = false
data = { token = var.actions_token_1 } data = { token = var.actions_token_1 }
} }
# Homelab-deploy NKeys
"shared/homelab-deploy/listener-nkey" = {
auto_generate = false
data = { nkey = var.homelab_deploy_listener_nkey }
}
"shared/homelab-deploy/test-deployer-nkey" = {
auto_generate = false
data = { nkey = var.homelab_deploy_test_deployer_nkey }
}
"shared/homelab-deploy/admin-deployer-nkey" = {
auto_generate = false
data = { nkey = var.homelab_deploy_admin_deployer_nkey }
}
} }
} }

21
terraform/vault/variables.tf
View File

@@ -52,3 +52,24 @@ variable "actions_token_1" {
sensitive = true sensitive = true
} }
variable "homelab_deploy_listener_nkey" {
description = "NKey seed for homelab-deploy listeners"
type = string
default = "PLACEHOLDER"
sensitive = true
}
variable "homelab_deploy_test_deployer_nkey" {
description = "NKey seed for test-tier deployer"
type = string
default = "PLACEHOLDER"
sensitive = true
}
variable "homelab_deploy_admin_deployer_nkey" {
description = "NKey seed for admin deployer"
type = string
default = "PLACEHOLDER"
sensitive = true
}