torjus/nixos-servers
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity

homelab-deploy: add NATS-based deployment system
Some checks failed
Run nix flake check / flake-check (push) Failing after 3m45s
Details

Browse Source 
Add homelab-deploy flake input and NixOS module for message-based
deployments across the fleet. Configure DEPLOY account in NATS with
tiered access control (listener, test-deployer, admin-deployer).
Enable listener on vaulttest01 as initial test host.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Torjus Håkestad
2026-02-07 05:22:06 +01:00
parent 2f195d26d3
commit ad8570f8db
7 changed files with 139 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
services/nats/default.nix
View File

@@ -1,16 +1,18 @@
{ ... }:
{
homelab.monitoring.scrapeTargets = [{
job_name = "nats";
port = 7777;
}];
homelab.monitoring.scrapeTargets = [
{
job_name = "nats";
port = 7777;
}
];
services.prometheus.exporters.nats = {
enable = true;
url = "http://localhost:8222";
extraFlags = [
"-varz" # General server info
"-connz" # Connection info
"-varz" # General server info
"-connz" # Connection info
"-jsz=all" # JetStream info
];
};
@@ -38,6 +40,48 @@
}
];
};
DEPLOY = {
users = [
# Shared listener (all hosts use this)
{
nkey = "UCCZJSUGLCSLBBKHBPL4QA66TUMQUGIXGLIFTWDEH43MGWM3LDD232X4";
permissions = {
subscribe = [
"deploy.test.>"
"deploy.prod.>"
"deploy.discover"
];
publish = [
"deploy.responses.>"
"deploy.discover"
];
};
}
# Test deployer (MCP without admin)
{
nkey = "UBR66CX2ZNY5XNVQF5VBG4WFAF54LSGUYCUNNCEYRILDQ4NXDAD2THZU";
permissions = {
publish = [
"deploy.test.>"
"deploy.discover"
];
subscribe = [
"deploy.responses.>"
"deploy.discover"
];
};
}
# Admin deployer (full access)
{
nkey = "UD2BFB7DLM67P5UUVCKBUJMCHADIZLGGVUNSRLZE2ZC66FW2XT44P73Y";
permissions = {
publish = [ "deploy.>" ];
subscribe = [ "deploy.>" ];
};
}
];
};
};
system_account = "ADMIN";
jetstream = {