diff --git a/hosts/vaulttest01/configuration.nix b/hosts/vaulttest01/configuration.nix
index 4270abf..fd2bb57 100644
--- a/hosts/vaulttest01/configuration.nix
+++ b/hosts/vaulttest01/configuration.nix
@@ -101,28 +101,6 @@ in
 services = [ "vault-test" ];
 };
 
- # Homelab-deploy listener NKey
- vault.secrets.homelab-deploy-nkey = {
- secretPath = "shared/homelab-deploy/listener-nkey";
- extractKey = "nkey";
- };
-
- # Enable homelab-deploy listener
- services.homelab-deploy.listener = {
- enable = true;
- tier = "test";
- role = "vault";
- natsUrl = "nats://nats1.home.2rjus.net:4222";
- nkeyFile = "/run/secrets/homelab-deploy-nkey";
- flakeUrl = "git+https://git.t-juice.club/torjus/nixos-servers.git";
- };
-
- # Ensure listener starts after vault secret is available
- systemd.services.homelab-deploy-listener = {
- after = [ "vault-secret-homelab-deploy-nkey.service" ];
- requires = [ "vault-secret-homelab-deploy-nkey.service" ];
- };
-
 # Create a test service that uses the secret
 systemd.services.vault-test = {
 description = "Test Vault secret fetching";
diff --git a/system/default.nix b/system/default.nix
index 7e3c80f..a4d9949 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -3,6 +3,7 @@
 imports = [
 ./acme.nix
 ./autoupgrade.nix
+ ./homelab-deploy.nix
 ./monitoring
 ./motd.nix
 ./packages.nix
diff --git a/system/homelab-deploy.nix b/system/homelab-deploy.nix
new file mode 100644
index 0000000..05a55a8
--- /dev/null
+++ b/system/homelab-deploy.nix
@@ -0,0 +1,31 @@
+{ config, lib, ... }:
+
+let
+ cfg = config.vault;
+ hostCfg = config.homelab.host;
+in
+{
+ config = lib.mkIf cfg.enable {
+ # Fetch listener NKey from Vault
+ vault.secrets.homelab-deploy-nkey = {
+ secretPath = "shared/homelab-deploy/listener-nkey";
+ extractKey = "nkey";
+ };
+
+ # Enable homelab-deploy listener
+ services.homelab-deploy.listener = {
+ enable = true;
+ tier = hostCfg.tier;
+ role = hostCfg.role;
+ natsUrl = "nats://nats1.home.2rjus.net:4222";
+ nkeyFile = "/run/secrets/homelab-deploy-nkey";
+ flakeUrl = "git+https://git.t-juice.club/torjus/nixos-servers.git";
+ };
+
+ # Ensure listener starts after vault secret is available
+ systemd.services.homelab-deploy-listener = {
+ after = [ "vault-secret-homelab-deploy-nkey.service" ];
+ requires = [ "vault-secret-homelab-deploy-nkey.service" ];
+ };
+ };
+}
diff --git a/terraform/vault/approle.tf b/terraform/vault/approle.tf
index f09903f..b1ee161 100644
--- a/terraform/vault/approle.tf
+++ b/terraform/vault/approle.tf
@@ -30,6 +30,7 @@ locals {
 paths = [
 "secret/data/hosts/ha1/*",
 "secret/data/shared/backup/*",
+ "secret/data/shared/homelab-deploy/*",
 ]
 }
 
@@ -38,6 +39,7 @@ locals {
 "secret/data/hosts/monitoring01/*",
 "secret/data/shared/backup/*",
 "secret/data/shared/nats/*",
+ "secret/data/shared/homelab-deploy/*",
 ]
 extra_policies = ["prometheus-metrics"]
 }
@@ -46,18 +48,21 @@ locals {
 "nats1" = {
 paths = [
 "secret/data/hosts/nats1/*",
+ "secret/data/shared/homelab-deploy/*",
 ]
 }
 
 "jelly01" = {
 paths = [
 "secret/data/hosts/jelly01/*",
+ "secret/data/shared/homelab-deploy/*",
 ]
 }
 
 "pgdb1" = {
 paths = [
 "secret/data/hosts/pgdb1/*",
+ "secret/data/shared/homelab-deploy/*",
 ]
 }
 
@@ -66,6 +71,7 @@ locals {
 paths = [
 "secret/data/hosts/ns1/*",
 "secret/data/shared/dns/*",
+ "secret/data/shared/homelab-deploy/*",
 ]
 }
 
@@ -73,6 +79,7 @@ locals {
 paths = [
 "secret/data/hosts/ns2/*",
 "secret/data/shared/dns/*",
+ "secret/data/shared/homelab-deploy/*",
 ]
 }
 
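Review bot: Every vault-enabled host now presents the same NATS identity, because `secretPath = "shared/homelab-deploy/listener-nkey";` hands one shared NKey to the listener on all of them, so a key exposed on any single host cannot be revoked without rotating the whole fleet and NATS cannot authorize hosts individually. Each role in approle.tf already carries `secret/data/hosts/<name>/*`, so a per-host secret such as `secretPath = "hosts/${config.networking.hostName}/homelab-deploy-nkey";` would need no new policy, assuming secretPath resolves under `secret/data/` as the Terraform paths suggest. The block is gated on `cfg.enable` alone, so `hostCfg.tier` and `hostCfg.role` must be set on every host with Vault enabled; if `homelab.host` can be left null on some hosts, an assertion on those two values would fail evaluation early instead of starting a listener with an empty tier or role. `nkeyFile = "/run/secrets/homelab-deploy-nkey"` also repeats the path the vault.secrets module presumably writes; if that module exposes the rendered path, referencing it would keep the two from drifting apart.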
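Review bot: The entry added to every role in this hunk and in the six that follow (`@@ -38`, `@@ -46`, `@@ -66`, `@@ -73`, `@@ -80`, `@@ -87`) is the wildcard `"secret/data/shared/homelab-deploy/*"`, while the listener only reads `shared/homelab-deploy/listener-nkey`, so the glob also grants whatever is placed under that prefix later; narrowing each line to `"secret/data/shared/homelab-deploy/listener-nkey",` keeps the grant to what is actually consumed. Which capabilities the `paths` list becomes is decided outside these hunks, so whether this is read-only should be confirmed where the policy is rendered. Repeating the same line across nine roles also invites drift; a single local such as `homelab_deploy_paths` concatenated into each `paths`, or applied once where the roles are iterated, would put the grant in one place.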
@@ -80,6 +87,7 @@ locals {
 "http-proxy" = {
 paths = [
 "secret/data/hosts/http-proxy/*",
+ "secret/data/shared/homelab-deploy/*",
 ]
 }
 
@@ -87,10 +95,10 @@ locals {
 "nix-cache01" = {
 paths = [
 "secret/data/hosts/nix-cache01/*",
+ "secret/data/shared/homelab-deploy/*",
 ]
 }
 
- # Vault test host with homelab-deploy access
 "vaulttest01" = {
 paths = [
 "secret/data/hosts/vaulttest01/*",