torjus/nixos-servers
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity

Merge pull request 'add-deploy-homelab' (#28) from add-deploy-homelab into master
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m9s
Details

Browse Source 
Reviewed-on: #28
This commit was merged in pull request #28.
This commit is contained in:
Torjus Håkestad
2026-02-07 05:56:51 +00:00
parent 2f195d26d3 c214f8543c
commit 6e93b8eae3
17 changed files with 193 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
flake.lock generated
View File

@@ -21,6 +21,27 @@
"url": "https://git.t-juice.club/torjus/alerttonotify"
}
},
"homelab-deploy": {
"inputs": {
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1770443536,
"narHash": "sha256-UufZIVggiioMFDSjKx+ifgkDOk9alNSiRmkvc4/+HIA=",
"ref": "master",
"rev": "95b795dcfd86b7b36045bba67e536b3a1c61dd33",
"revCount": 20,
"type": "git",
"url": "https://git.t-juice.club/torjus/homelab-deploy"
},
"original": {
"ref": "master",
"type": "git",
"url": "https://git.t-juice.club/torjus/homelab-deploy"
}
},
"labmon": {
"inputs": {
"nixpkgs": [
@@ -97,6 +118,7 @@
"root": {
"inputs": {
"alerttonotify": "alerttonotify",
"homelab-deploy": "homelab-deploy",
"labmon": "labmon",
"nixos-exporter": "nixos-exporter",
"nixpkgs": "nixpkgs",

15
flake.nix
View File

@@ -21,6 +21,10 @@
url = "git+https://git.t-juice.club/torjus/nixos-exporter";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
homelab-deploy = {
url = "git+https://git.t-juice.club/torjus/homelab-deploy?ref=master";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
};
outputs =
@@ -32,6 +36,7 @@
alerttonotify,
labmon,
nixos-exporter,
homelab-deploy,
...
}@inputs:
let
@@ -58,6 +63,7 @@
)
sops-nix.nixosModules.sops
nixos-exporter.nixosModules.default
homelab-deploy.nixosModules.default
./modules/homelab
];
allSystems = [
@@ -219,11 +225,12 @@
{ pkgs }:
{
default = pkgs.mkShell {
packages = with pkgs; [
ansible
opentofu
openbao
packages = [
pkgs.ansible
pkgs.opentofu
pkgs.openbao
(pkgs.callPackage ./scripts/create-host { })
homelab-deploy.packages.${pkgs.system}.default
];
};
}

1
hosts/ha1/configuration.nix
View File

@@ -57,6 +57,7 @@
# Vault secrets management
vault.enable = true;
homelab.deploy.enable = true;
vault.secrets.backup-helper = {
secretPath = "shared/backup/password";
extractKey = "password";

1
hosts/http-proxy/configuration.nix
View File

@@ -61,6 +61,7 @@
"flakes"
];
vault.enable = true;
homelab.deploy.enable = true;
nix.settings.tarball-ttl = 0;
environment.systemPackages = with pkgs; [

1
hosts/monitoring01/configuration.nix
View File

@@ -58,6 +58,7 @@
# Vault secrets management
vault.enable = true;
homelab.deploy.enable = true;
vault.secrets.backup-helper = {
secretPath = "shared/backup/password";
extractKey = "password";

1
hosts/nix-cache01/configuration.nix
View File

@@ -55,6 +55,7 @@
"flakes"
];
vault.enable = true;
homelab.deploy.enable = true;
nix.settings.tarball-ttl = 0;
environment.systemPackages = with pkgs; [

1
hosts/ns1/configuration.nix
View File

@@ -48,6 +48,7 @@
"flakes"
];
vault.enable = true;
homelab.deploy.enable = true;
homelab.host = {
role = "dns";

1
hosts/ns2/configuration.nix
View File

@@ -48,6 +48,7 @@
"flakes"
];
vault.enable = true;
homelab.deploy.enable = true;
homelab.host = {
role = "dns";

1
hosts/vaulttest01/configuration.nix
View File

@@ -92,6 +92,7 @@ in
# Testing config
# Enable Vault secrets management
vault.enable = true;
homelab.deploy.enable = true;
# Define a test secret
vault.secrets.test-service = {

1
modules/homelab/default.nix
View File

@@ -1,6 +1,7 @@
{ ... }:
{
imports = [
./deploy.nix
./dns.nix
./host.nix
./monitoring.nix

16
modules/homelab/deploy.nix Normal file
View File

@@ -0,0 +1,16 @@
{ config, lib, ... }:
{
options.homelab.deploy = {
enable = lib.mkEnableOption "homelab-deploy listener for NATS-based deployments";
};
config = {
assertions = [
{
assertion = config.homelab.deploy.enable -> config.vault.enable;
message = "homelab.deploy.enable requires vault.enable to be true (needed for NKey secret)";
}
];
};
}

48
services/nats/default.nix
View File

@@ -1,9 +1,11 @@
{ ... }:
{
homelab.monitoring.scrapeTargets = [{
homelab.monitoring.scrapeTargets = [
{
job_name = "nats";
port = 7777;
}];
}
];
services.prometheus.exporters.nats = {
enable = true;
@@ -38,6 +40,48 @@
}
];
};
DEPLOY = {
users = [
# Shared listener (all hosts use this)
{
nkey = "UCCZJSUGLCSLBBKHBPL4QA66TUMQUGIXGLIFTWDEH43MGWM3LDD232X4";
permissions = {
subscribe = [
"deploy.test.>"
"deploy.prod.>"
"deploy.discover"
];
publish = [
"deploy.responses.>"
"deploy.discover"
];
};
}
# Test deployer (MCP without admin)
{
nkey = "UBR66CX2ZNY5XNVQF5VBG4WFAF54LSGUYCUNNCEYRILDQ4NXDAD2THZU";
permissions = {
publish = [
"deploy.test.>"
"deploy.discover"
];
subscribe = [
"deploy.responses.>"
"deploy.discover"
];
};
}
# Admin deployer (full access)
{
nkey = "UD2BFB7DLM67P5UUVCKBUJMCHADIZLGGVUNSRLZE2ZC66FW2XT44P73Y";
permissions = {
publish = [ "deploy.>" ];
subscribe = [ "deploy.>" ];
};
}
];
};
};
system_account = "ADMIN";
jetstream = {

1
system/default.nix
View File

@@ -3,6 +3,7 @@
imports = [
./acme.nix
./autoupgrade.nix
./homelab-deploy.nix
./monitoring
./motd.nix
./packages.nix

30
system/homelab-deploy.nix Normal file
View File

@@ -0,0 +1,30 @@
{ config, lib, ... }:
let
hostCfg = config.homelab.host;
in
{
config = lib.mkIf config.homelab.deploy.enable {
# Fetch listener NKey from Vault
vault.secrets.homelab-deploy-nkey = {
secretPath = "shared/homelab-deploy/listener-nkey";
extractKey = "nkey";
};
# Enable homelab-deploy listener
services.homelab-deploy.listener = {
enable = true;
tier = hostCfg.tier;
role = hostCfg.role;
natsUrl = "nats://nats1.home.2rjus.net:4222";
nkeyFile = "/run/secrets/homelab-deploy-nkey";
flakeUrl = "git+https://git.t-juice.club/torjus/nixos-servers.git";
};
# Ensure listener starts after vault secret is available
systemd.services.homelab-deploy-listener = {
after = [ "vault-secret-homelab-deploy-nkey.service" ];
requires = [ "vault-secret-homelab-deploy-nkey.service" ];
};
};
}

19
terraform/vault/approle.tf
View File

@@ -4,6 +4,17 @@ resource "vault_auth_backend" "approle" {
path = "approle"
}
# Shared policy for homelab-deploy (all hosts need this for NATS-based deployments)
resource "vault_policy" "homelab_deploy" {
name = "homelab-deploy"
policy = <<EOT
path "secret/data/shared/homelab-deploy/*" {
capabilities = ["read", "list"]
}
EOT
}
# Define host access policies
locals {
host_policies = {
@@ -89,6 +100,12 @@ locals {
"secret/data/hosts/nix-cache01/*",
]
}
"vaulttest01" = {
paths = [
"secret/data/hosts/vaulttest01/*",
]
}
}
}
@@ -114,7 +131,7 @@ resource "vault_approle_auth_backend_role" "hosts" {
backend = vault_auth_backend.approle.path
role_name = each.key
token_policies = concat(
["${each.key}-policy"],
["${each.key}-policy", "homelab-deploy"],
lookup(each.value, "extra_policies", [])
)

16
terraform/vault/secrets.tf
View File

@@ -92,6 +92,22 @@ locals {
auto_generate = false
data = { token = var.actions_token_1 }
}
# Homelab-deploy NKeys
"shared/homelab-deploy/listener-nkey" = {
auto_generate = false
data = { nkey = var.homelab_deploy_listener_nkey }
}
"shared/homelab-deploy/test-deployer-nkey" = {
auto_generate = false
data = { nkey = var.homelab_deploy_test_deployer_nkey }
}
"shared/homelab-deploy/admin-deployer-nkey" = {
auto_generate = false
data = { nkey = var.homelab_deploy_admin_deployer_nkey }
}
}
}

21
terraform/vault/variables.tf
View File

@@ -52,3 +52,24 @@ variable "actions_token_1" {
sensitive = true
}
variable "homelab_deploy_listener_nkey" {
description = "NKey seed for homelab-deploy listeners"
type = string
default = "PLACEHOLDER"
sensitive = true
}
variable "homelab_deploy_test_deployer_nkey" {
description = "NKey seed for test-tier deployer"
type = string
default = "PLACEHOLDER"
sensitive = true
}
variable "homelab_deploy_admin_deployer_nkey" {
description = "NKey seed for admin deployer"
type = string
default = "PLACEHOLDER"
sensitive = true
}