diff --git a/flake.lock b/flake.lock
index 72a66d8..e5f9e99 100644
--- a/flake.lock
+++ b/flake.lock
@@ -21,6 +21,27 @@
 "url": "https://git.t-juice.club/torjus/alerttonotify"
 }
 },
+ "homelab-deploy": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs-unstable"
+ ]
+ },
+ "locked": {
+ "lastModified": 1770437282,
+ "narHash": "sha256-7C6hheIP8JUkK0Aoib/lQ4xbOaXHoqSe9SJjU2u3t/Q=",
+ "ref": "master",
+ "rev": "cf3b1ce2c9e85ad954d8c230161553c5473e9579",
+ "revCount": 12,
+ "type": "git",
+ "url": "https://git.t-juice.club/torjus/homelab-deploy"
+ },
+ "original": {
+ "ref": "master",
+ "type": "git",
+ "url": "https://git.t-juice.club/torjus/homelab-deploy"
+ }
+ },
 "labmon": {
 "inputs": {
 "nixpkgs": [
@@ -97,6 +118,7 @@
 "root": {
 "inputs": {
 "alerttonotify": "alerttonotify",
+ "homelab-deploy": "homelab-deploy",
 "labmon": "labmon",
 "nixos-exporter": "nixos-exporter",
 "nixpkgs": "nixpkgs",
diff --git a/flake.nix b/flake.nix
index ebcbd6c..ebd8aeb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -21,6 +21,10 @@
 url = "git+https://git.t-juice.club/torjus/nixos-exporter";
 inputs.nixpkgs.follows = "nixpkgs-unstable";
 };
+ homelab-deploy = {
+ url = "git+https://git.t-juice.club/torjus/homelab-deploy?ref=master";
+ inputs.nixpkgs.follows = "nixpkgs-unstable";
+ };
 };
 
 outputs =
@@ -32,6 +36,7 @@
 alerttonotify,
 labmon,
 nixos-exporter,
+ homelab-deploy,
 ...
 }@inputs:
 let
@@ -58,6 +63,7 @@
 )
 sops-nix.nixosModules.sops
 nixos-exporter.nixosModules.default
+ homelab-deploy.nixosModules.default
 ./modules/homelab
 ];
 allSystems = [
diff --git a/hosts/vaulttest01/configuration.nix b/hosts/vaulttest01/configuration.nix
index fd2bb57..5701ddf 100644
--- a/hosts/vaulttest01/configuration.nix
+++ b/hosts/vaulttest01/configuration.nix
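Review bot: `url = "git+https://git.t-juice.club/torjus/homelab-deploy?ref=master"` pins the branch inside the URL, while the neighbouring `nixos-exporter` input visible in the context lines of the same flake.nix hunk does not, so two inputs to the same forge are declared in different styles. Since flake.lock already records the exact `rev`, either drop `?ref=master` to match the sibling inputs or add the ref to the others, whichever convention the file intends. The enclosing `inputs` attribute set begins outside the hunk.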
@@ -101,6 +101,22 @@ in
 services = [ "vault-test" ];
 };
 
+ # Homelab-deploy listener NKey
+ vault.secrets.homelab-deploy-nkey = {
+ secretPath = "shared/homelab-deploy/listener-nkey";
+ extractKey = "nkey";
+ };
+
+ # Enable homelab-deploy listener
+ services.homelab-deploy.listener = {
+ enable = true;
+ tier = "test";
+ role = "vault";
+ natsUrl = "nats://nats1.home.2rjus.net:4222";
+ nkeyFile = "/run/secrets/homelab-deploy-nkey";
+ flakeUrl = "git+https://git.t-juice.club/torjus/nixos-servers.git";
+ };
+
 # Create a test service that uses the secret
 systemd.services.vault-test = {
 description = "Test Vault secret fetching";
diff --git a/services/nats/default.nix b/services/nats/default.nix
index 20b7efa..fdb7ce3 100644
--- a/services/nats/default.nix
+++ b/services/nats/default.nix
@@ -1,16 +1,18 @@
 { ... }:
 {
- homelab.monitoring.scrapeTargets = [{
- job_name = "nats";
- port = 7777;
- }];
+ homelab.monitoring.scrapeTargets = [
+ {
+ job_name = "nats";
+ port = 7777;
+ }
+ ];
 
 services.prometheus.exporters.nats = {
 enable = true;
 url = "http://localhost:8222";
 extraFlags = [
- "-varz" # General server info
- "-connz" # Connection info
+ "-varz" # General server info
+ "-connz" # Connection info
 "-jsz=all" # JetStream info
 ];
 };
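Review bot: `nkeyFile = "/run/secrets/homelab-deploy-nkey"` repeats by hand the location the `vault.secrets.homelab-deploy-nkey` entry above is presumably rendered to, so a change to either side can leave the listener pointed at a path that no longer exists; if the vault secrets module exposes the rendered path as an option value, reference that instead of the string literal, otherwise a comment tying the path to the secret name would at least make the coupling visible. `natsUrl = "nats://nats1.home.2rjus.net:4222"` is a plain-TCP URL; NKey authentication never sends the seed itself, but deploy requests and responses would then cross the LAN in cleartext, so if the NATS server offers a TLS listener (not visible in this diff) `tls://` is the safer default here. `flakeUrl` names the `nixos-servers.git` repository with no `?ref=`, so deployments build whatever the remote default branch currently holds; an explicit ref or a comment recording that choice would document it. The enclosing `let … in` expression continues outside the hunk.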
@@ -38,6 +40,48 @@
 }
 ];
 };
+
+ DEPLOY = {
+ users = [
+ # Shared listener (all hosts use this)
+ {
+ nkey = "UCCZJSUGLCSLBBKHBPL4QA66TUMQUGIXGLIFTWDEH43MGWM3LDD232X4";
+ permissions = {
+ subscribe = [
+ "deploy.test.>"
+ "deploy.prod.>"
+ "deploy.discover"
+ ];
+ publish = [
+ "deploy.responses.>"
+ "deploy.discover"
+ ];
+ };
+ }
+ # Test deployer (MCP without admin)
+ {
+ nkey = "UBR66CX2ZNY5XNVQF5VBG4WFAF54LSGUYCUNNCEYRILDQ4NXDAD2THZU";
+ permissions = {
+ publish = [
+ "deploy.test.>"
+ "deploy.discover"
+ ];
+ subscribe = [
+ "deploy.responses.>"
+ "deploy.discover"
+ ];
+ };
+ }
+ # Admin deployer (full access)
+ {
+ nkey = "UD2BFB7DLM67P5UUVCKBUJMCHADIZLGGVUNSRLZE2ZC66FW2XT44P73Y";
+ permissions = {
+ publish = [ "deploy.>" ];
+ subscribe = [ "deploy.>" ];
+ };
+ }
+ ];
+ };
 };
 system_account = "ADMIN";
 jetstream = {
diff --git a/terraform/vault/approle.tf b/terraform/vault/approle.tf
index 86269e6..f09903f 100644
--- a/terraform/vault/approle.tf
+++ b/terraform/vault/approle.tf
@@ -89,6 +89,14 @@ locals {
 "secret/data/hosts/nix-cache01/*",
 ]
 }
+
+ # Vault test host with homelab-deploy access
+ "vaulttest01" = {
+ paths = [
+ "secret/data/hosts/vaulttest01/*",
+ "secret/data/shared/homelab-deploy/*",
+ ]
+ }
 }
 }
 
diff --git a/terraform/vault/secrets.tf b/terraform/vault/secrets.tf
index 5db851c..bfc9bd7 100644
--- a/terraform/vault/secrets.tf
+++ b/terraform/vault/secrets.tf
@@ -92,6 +92,22 @@ locals {
 auto_generate = false
 data = { token = var.actions_token_1 }
 }
+
+ # Homelab-deploy NKeys
+ "shared/homelab-deploy/listener-nkey" = {
+ auto_generate = false
+ data = { nkey = var.homelab_deploy_listener_nkey }
+ }
+
+ "shared/homelab-deploy/test-deployer-nkey" = {
+ auto_generate = false
+ data = { nkey = var.homelab_deploy_test_deployer_nkey }
+ }
+
+ "shared/homelab-deploy/admin-deployer-nkey" = {
+ auto_generate = false
+ data = { nkey = var.homelab_deploy_admin_deployer_nkey }
+ }
 }
 }
 
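Review bot: The shared listener user (first entry of `DEPLOY.users`) is allowed to subscribe to both `deploy.test.>` and `deploy.prod.>`, and the comment says every host uses this one key, so the test/prod split is enforced only by each listener's own `tier` setting rather than by the NATS server's authorization; a test-tier host holding that seed is thereby able to receive prod deploy traffic and to publish under `deploy.responses.>` for it. A least-privilege layout would be one listener user per tier, with the test listener's `subscribe` limited to `"deploy.test.>"` and `"deploy.discover"` and the prod listener's to `"deploy.prod.>"` and `"deploy.discover"`, so the server-side permissions match the `tier` each host declares; that also needs a second listener seed in Vault and per-tier `secretPath` values on the hosts. The attribute set enclosing `DEPLOY` begins outside the hunk.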
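Review bot: `"secret/data/shared/homelab-deploy/*"` in the new `vaulttest01` policy matches every key under that prefix, and the secrets.tf hunk in this same commit stores the test-deployer and admin-deployer seeds there next to the listener seed, while `hosts/vaulttest01/configuration.nix` only reads `shared/homelab-deploy/listener-nkey`; the host is thus granted read access to the admin deployer seed it never uses. Narrowing the entry to the one secret the host consumes, `"secret/data/shared/homelab-deploy/listener-nkey",`, keeps the policy at least privilege, and the same glob is worth avoiding as further hosts are onboarded. The `locals` block continues outside the hunk.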
diff --git a/terraform/vault/variables.tf b/terraform/vault/variables.tf
index 28ba799..f53cb4f 100644
--- a/terraform/vault/variables.tf
+++ b/terraform/vault/variables.tf
@@ -52,3 +52,24 @@ variable "actions_token_1" {
 sensitive = true
 }
 
+variable "homelab_deploy_listener_nkey" {
+ description = "NKey seed for homelab-deploy listeners"
+ type = string
+ default = "PLACEHOLDER"
+ sensitive = true
+}
+
+variable "homelab_deploy_test_deployer_nkey" {
+ description = "NKey seed for test-tier deployer"
+ type = string
+ default = "PLACEHOLDER"
+ sensitive = true
+}
+
+variable "homelab_deploy_admin_deployer_nkey" {
+ description = "NKey seed for admin deployer"
+ type = string
+ default = "PLACEHOLDER"
+ sensitive = true
+}
+
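Review bot: `default = "PLACEHOLDER"` on all three new `sensitive` variables means an apply where the corresponding tfvars entry or `TF_VAR_…` is missing does not fail but writes the literal string `PLACEHOLDER` into Vault as an NKey seed through the `shared/homelab-deploy/*-nkey` entries in the secrets.tf hunk, and with `auto_generate = false` nothing surfaces that until a listener or deployer fails to authenticate. Removing the `default` line so each variable is required, or adding a `validation` block whose condition rejects the placeholder value, turns the omission into a plan-time error instead. If the existing `actions_token_1` variable follows the same pattern the same consideration applies to it, though its default is outside the hunk.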