homelab-deploy: add NATS-based deployment system
Add homelab-deploy flake input and NixOS module for message-based deployments across the fleet. Configure DEPLOY account in NATS with tiered access control (listener, test-deployer, admin-deployer). Enable listener on vaulttest01 as initial test host. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
22
flake.lock
generated
22
flake.lock
generated
@@ -21,6 +21,27 @@
|
|||||||
"url": "https://git.t-juice.club/torjus/alerttonotify"
|
"url": "https://git.t-juice.club/torjus/alerttonotify"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"homelab-deploy": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs-unstable"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1770437282,
|
||||||
|
"narHash": "sha256-7C6hheIP8JUkK0Aoib/lQ4xbOaXHoqSe9SJjU2u3t/Q=",
|
||||||
|
"ref": "master",
|
||||||
|
"rev": "cf3b1ce2c9e85ad954d8c230161553c5473e9579",
|
||||||
|
"revCount": 12,
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.t-juice.club/torjus/homelab-deploy"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"ref": "master",
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.t-juice.club/torjus/homelab-deploy"
|
||||||
|
}
|
||||||
|
},
|
||||||
"labmon": {
|
"labmon": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
@@ -97,6 +118,7 @@
|
|||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"alerttonotify": "alerttonotify",
|
"alerttonotify": "alerttonotify",
|
||||||
|
"homelab-deploy": "homelab-deploy",
|
||||||
"labmon": "labmon",
|
"labmon": "labmon",
|
||||||
"nixos-exporter": "nixos-exporter",
|
"nixos-exporter": "nixos-exporter",
|
||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs",
|
||||||
|
|||||||
@@ -21,6 +21,10 @@
|
|||||||
url = "git+https://git.t-juice.club/torjus/nixos-exporter";
|
url = "git+https://git.t-juice.club/torjus/nixos-exporter";
|
||||||
inputs.nixpkgs.follows = "nixpkgs-unstable";
|
inputs.nixpkgs.follows = "nixpkgs-unstable";
|
||||||
};
|
};
|
||||||
|
homelab-deploy = {
|
||||||
|
url = "git+https://git.t-juice.club/torjus/homelab-deploy?ref=master";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs-unstable";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs =
|
outputs =
|
||||||
@@ -32,6 +36,7 @@
|
|||||||
alerttonotify,
|
alerttonotify,
|
||||||
labmon,
|
labmon,
|
||||||
nixos-exporter,
|
nixos-exporter,
|
||||||
|
homelab-deploy,
|
||||||
...
|
...
|
||||||
}@inputs:
|
}@inputs:
|
||||||
let
|
let
|
||||||
@@ -58,6 +63,7 @@
|
|||||||
)
|
)
|
||||||
sops-nix.nixosModules.sops
|
sops-nix.nixosModules.sops
|
||||||
nixos-exporter.nixosModules.default
|
nixos-exporter.nixosModules.default
|
||||||
|
homelab-deploy.nixosModules.default
|
||||||
./modules/homelab
|
./modules/homelab
|
||||||
];
|
];
|
||||||
allSystems = [
|
allSystems = [
|
||||||
|
|||||||
@@ -101,6 +101,22 @@ in
|
|||||||
services = [ "vault-test" ];
|
services = [ "vault-test" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Homelab-deploy listener NKey
|
||||||
|
vault.secrets.homelab-deploy-nkey = {
|
||||||
|
secretPath = "shared/homelab-deploy/listener-nkey";
|
||||||
|
extractKey = "nkey";
|
||||||
|
};
|
||||||
|
|
||||||
|
# Enable homelab-deploy listener
|
||||||
|
services.homelab-deploy.listener = {
|
||||||
|
enable = true;
|
||||||
|
tier = "test";
|
||||||
|
role = "vault";
|
||||||
|
natsUrl = "nats://nats1.home.2rjus.net:4222";
|
||||||
|
nkeyFile = "/run/secrets/homelab-deploy-nkey";
|
||||||
|
flakeUrl = "git+https://git.t-juice.club/torjus/nixos-servers.git";
|
||||||
|
};
|
||||||
|
|
||||||
# Create a test service that uses the secret
|
# Create a test service that uses the secret
|
||||||
systemd.services.vault-test = {
|
systemd.services.vault-test = {
|
||||||
description = "Test Vault secret fetching";
|
description = "Test Vault secret fetching";
|
||||||
|
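Review bot: The listener dials `natsUrl = "nats://nats1.home.2rjus.net:4222"`, a scheme that does not request TLS, so unless the server side forces TLS (not visible in this commit) deploy commands and the host's responses cross the LAN in cleartext after the NKey handshake and an on-path machine could read or tamper with them. If the broker offers it, `natsUrl = "tls://nats1.home.2rjus.net:4222";` closes that. Separately, `flakeUrl` carries no `?ref=` or `rev=`, so which revision the listener builds is presumably chosen by the deploy message or by the remote's default branch; a comment stating which, e.g. `# revision to build is taken from the deploy message; URL intentionally unpinned`, would make the trust boundary explicit. The enclosing host module starts before this hunk.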
|||||||
@@ -1,9 +1,11 @@
|
|||||||
{ ... }:
|
{ ... }:
|
||||||
{
|
{
|
||||||
homelab.monitoring.scrapeTargets = [{
|
homelab.monitoring.scrapeTargets = [
|
||||||
|
{
|
||||||
job_name = "nats";
|
job_name = "nats";
|
||||||
port = 7777;
|
port = 7777;
|
||||||
}];
|
}
|
||||||
|
];
|
||||||
|
|
||||||
services.prometheus.exporters.nats = {
|
services.prometheus.exporters.nats = {
|
||||||
enable = true;
|
enable = true;
|
||||||
@@ -38,6 +40,48 @@
|
|||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
DEPLOY = {
|
||||||
|
users = [
|
||||||
|
# Shared listener (all hosts use this)
|
||||||
|
{
|
||||||
|
nkey = "UCCZJSUGLCSLBBKHBPL4QA66TUMQUGIXGLIFTWDEH43MGWM3LDD232X4";
|
||||||
|
permissions = {
|
||||||
|
subscribe = [
|
||||||
|
"deploy.test.>"
|
||||||
|
"deploy.prod.>"
|
||||||
|
"deploy.discover"
|
||||||
|
];
|
||||||
|
publish = [
|
||||||
|
"deploy.responses.>"
|
||||||
|
"deploy.discover"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}
|
||||||
|
# Test deployer (MCP without admin)
|
||||||
|
{
|
||||||
|
nkey = "UBR66CX2ZNY5XNVQF5VBG4WFAF54LSGUYCUNNCEYRILDQ4NXDAD2THZU";
|
||||||
|
permissions = {
|
||||||
|
publish = [
|
||||||
|
"deploy.test.>"
|
||||||
|
"deploy.discover"
|
||||||
|
];
|
||||||
|
subscribe = [
|
||||||
|
"deploy.responses.>"
|
||||||
|
"deploy.discover"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}
|
||||||
|
# Admin deployer (full access)
|
||||||
|
{
|
||||||
|
nkey = "UD2BFB7DLM67P5UUVCKBUJMCHADIZLGGVUNSRLZE2ZC66FW2XT44P73Y";
|
||||||
|
permissions = {
|
||||||
|
publish = [ "deploy.>" ];
|
||||||
|
subscribe = [ "deploy.>" ];
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
system_account = "ADMIN";
|
system_account = "ADMIN";
|
||||||
jetstream = {
|
jetstream = {
|
||||||
|
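Review bot: The first DEPLOY user is one credential shared by every host (`# Shared listener (all hosts use this)`) and its subscribe list includes both `deploy.test.>` and `deploy.prod.>`, so the test/prod boundary is enforced only by each listener's local `tier` setting, never by the broker: a compromised test host holds a key that can read every prod deploy message and publish on `deploy.responses.>` as if it were any other host. Per-host, or at least per-tier, NKeys with subjects scoped accordingly, e.g. `subscribe = [ "deploy.test.>" "deploy.discover" ];` for the test listener, would let the server enforce the split. If any part of the deploy protocol uses NATS request/reply on `_INBOX` subjects, these explicit allow lists will also block those replies unless `allow_responses` is set; that cannot be confirmed from this hunk. The enclosing attribute set starts before the hunk.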
|||||||
@@ -89,6 +89,14 @@ locals {
|
|||||||
"secret/data/hosts/nix-cache01/*",
|
"secret/data/hosts/nix-cache01/*",
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Vault test host with homelab-deploy access
|
||||||
|
"vaulttest01" = {
|
||||||
|
paths = [
|
||||||
|
"secret/data/hosts/vaulttest01/*",
|
||||||
|
"secret/data/shared/homelab-deploy/*",
|
||||||
|
]
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
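Review bot: The new `vaulttest01` policy grants `secret/data/shared/homelab-deploy/*`, and this same commit stores `listener-nkey`, `test-deployer-nkey` and `admin-deployer-nkey` under that prefix, so the test host's Vault identity can read the admin deployer seed and with it publish on `deploy.>` to the whole fleet. Scope the grant to the one secret the host actually mounts: `"secret/data/shared/homelab-deploy/listener-nkey",`. The deployer seeds would be safer under a prefix that no host policy globs. The `locals` block continues outside the hunk.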
|||||||
@@ -92,6 +92,22 @@ locals {
|
|||||||
auto_generate = false
|
auto_generate = false
|
||||||
data = { token = var.actions_token_1 }
|
data = { token = var.actions_token_1 }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Homelab-deploy NKeys
|
||||||
|
"shared/homelab-deploy/listener-nkey" = {
|
||||||
|
auto_generate = false
|
||||||
|
data = { nkey = var.homelab_deploy_listener_nkey }
|
||||||
|
}
|
||||||
|
|
||||||
|
"shared/homelab-deploy/test-deployer-nkey" = {
|
||||||
|
auto_generate = false
|
||||||
|
data = { nkey = var.homelab_deploy_test_deployer_nkey }
|
||||||
|
}
|
||||||
|
|
||||||
|
"shared/homelab-deploy/admin-deployer-nkey" = {
|
||||||
|
auto_generate = false
|
||||||
|
data = { nkey = var.homelab_deploy_admin_deployer_nkey }
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -52,3 +52,24 @@ variable "actions_token_1" {
|
|||||||
sensitive = true
|
sensitive = true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "homelab_deploy_listener_nkey" {
|
||||||
|
description = "NKey seed for homelab-deploy listeners"
|
||||||
|
type = string
|
||||||
|
default = "PLACEHOLDER"
|
||||||
|
sensitive = true
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "homelab_deploy_test_deployer_nkey" {
|
||||||
|
description = "NKey seed for test-tier deployer"
|
||||||
|
type = string
|
||||||
|
default = "PLACEHOLDER"
|
||||||
|
sensitive = true
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "homelab_deploy_admin_deployer_nkey" {
|
||||||
|
description = "NKey seed for admin deployer"
|
||||||
|
type = string
|
||||||
|
default = "PLACEHOLDER"
|
||||||
|
sensitive = true
|
||||||
|
}
|
||||||
|
|
||||||
|
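Review bot: Each new NKey variable carries `default = "PLACEHOLDER"` while the secrets hunk writes them with `auto_generate = false`, so an apply without the tfvars supplied silently stores the literal string `PLACEHOLDER` in Vault as a seed instead of failing. Remove the defaults so the values are required, and add a validation that rejects anything that is not a NATS user seed (these are `SU`-prefixed base32), e.g. `validation { condition = can(regex("^SU[A-Z2-7]+$", var.homelab_deploy_listener_nkey)); error_message = "must be a NATS user seed (SU...)" }` on each of the three variables.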
|||||||