From c214f8543c40f1118f64ac738a2ac3d8a46a6cbd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Torjus=20H=C3=A5kestad?= Date: Sat, 7 Feb 2026 06:47:12 +0100 Subject: [PATCH] homelab: add deploy.enable option with assertion - Add homelab.deploy.enable option (requires vault.enable) - Create shared homelab-deploy Vault policy for all hosts - Enable homelab.deploy on all vault-enabled hosts Co-Authored-By: Claude Opus 4.5 --- flake.lock | 8 ++++---- hosts/ha1/configuration.nix | 1 + hosts/http-proxy/configuration.nix | 1 + hosts/monitoring01/configuration.nix | 1 + hosts/nix-cache01/configuration.nix | 1 + hosts/ns1/configuration.nix | 1 + hosts/ns2/configuration.nix | 1 + hosts/vaulttest01/configuration.nix | 1 + modules/homelab/default.nix | 1 + modules/homelab/deploy.nix | 16 ++++++++++++++++ system/homelab-deploy.nix | 3 +-- terraform/vault/approle.tf | 23 ++++++++++++----------- 12 files changed, 41 insertions(+), 17 deletions(-) create mode 100644 modules/homelab/deploy.nix diff --git a/flake.lock b/flake.lock index 64264c2..6aed47d 100644 --- a/flake.lock +++ b/flake.lock @@ -28,11 +28,11 @@ ] }, "locked": { - "lastModified": 1770442013, - "narHash": "sha256-JZbm6X0A770bb+VlbJYvRHrVqWOSsmu6Hn4B8nvsPc8=", + "lastModified": 1770443536, + "narHash": "sha256-UufZIVggiioMFDSjKx+ifgkDOk9alNSiRmkvc4/+HIA=", "ref": "master", - "rev": "71d6aa8b614f557d029bfc2e64375c812ed7bc10", - "revCount": 19, + "rev": "95b795dcfd86b7b36045bba67e536b3a1c61dd33", + "revCount": 20, "type": "git", "url": "https://git.t-juice.club/torjus/homelab-deploy" }, diff --git a/hosts/ha1/configuration.nix b/hosts/ha1/configuration.nix index dcb8133..ce43676 100644 --- a/hosts/ha1/configuration.nix +++ b/hosts/ha1/configuration.nix @@ -57,6 +57,7 @@ # Vault secrets management vault.enable = true; + homelab.deploy.enable = true; vault.secrets.backup-helper = { secretPath = "shared/backup/password"; extractKey = "password"; 
diff --git a/hosts/http-proxy/configuration.nix b/hosts/http-proxy/configuration.nix index ab494f1..8524075 100644 --- a/hosts/http-proxy/configuration.nix +++ b/hosts/http-proxy/configuration.nix @@ -61,6 +61,7 @@ "flakes" ]; vault.enable = true; + homelab.deploy.enable = true; nix.settings.tarball-ttl = 0; environment.systemPackages = with pkgs; [ diff --git a/hosts/monitoring01/configuration.nix b/hosts/monitoring01/configuration.nix index 3a95d73..713dbf8 100644 --- a/hosts/monitoring01/configuration.nix +++ b/hosts/monitoring01/configuration.nix @@ -58,6 +58,7 @@ # Vault secrets management vault.enable = true; + homelab.deploy.enable = true; vault.secrets.backup-helper = { secretPath = "shared/backup/password"; extractKey = "password"; diff --git a/hosts/nix-cache01/configuration.nix b/hosts/nix-cache01/configuration.nix index c3192a8..46dcff1 100644 --- a/hosts/nix-cache01/configuration.nix +++ b/hosts/nix-cache01/configuration.nix @@ -55,6 +55,7 @@ "flakes" ]; vault.enable = true; + homelab.deploy.enable = true; nix.settings.tarball-ttl = 0; environment.systemPackages = with pkgs; [ diff --git a/hosts/ns1/configuration.nix b/hosts/ns1/configuration.nix index c5b9e88..aef3c38 100644 --- a/hosts/ns1/configuration.nix +++ b/hosts/ns1/configuration.nix @@ -48,6 +48,7 @@ "flakes" ]; vault.enable = true; + homelab.deploy.enable = true; homelab.host = { role = "dns"; diff --git a/hosts/ns2/configuration.nix b/hosts/ns2/configuration.nix index c49c5e5..c1baca7 100644 --- a/hosts/ns2/configuration.nix +++ b/hosts/ns2/configuration.nix @@ -48,6 +48,7 @@ "flakes" ]; vault.enable = true; + homelab.deploy.enable = true; homelab.host = { role = "dns"; diff --git a/hosts/vaulttest01/configuration.nix b/hosts/vaulttest01/configuration.nix index fd2bb57..570ca31 100644 --- a/hosts/vaulttest01/configuration.nix +++ b/hosts/vaulttest01/configuration.nix 
@@ -92,6 +92,7 @@ in # Testing config # Enable Vault secrets management vault.enable = true; + homelab.deploy.enable = true; # Define a test secret vault.secrets.test-service = { diff --git a/modules/homelab/default.nix b/modules/homelab/default.nix index a803d45..130c64b 100644 --- a/modules/homelab/default.nix +++ b/modules/homelab/default.nix @@ -1,6 +1,7 @@ { ... }: { imports = [ + ./deploy.nix ./dns.nix ./host.nix ./monitoring.nix diff --git a/modules/homelab/deploy.nix b/modules/homelab/deploy.nix new file mode 100644 index 0000000..38cae58 --- /dev/null +++ b/modules/homelab/deploy.nix @@ -0,0 +1,16 @@ +{ config, lib, ... }: + +{ + options.homelab.deploy = { + enable = lib.mkEnableOption "homelab-deploy listener for NATS-based deployments"; + }; + + config = { + assertions = [ + { + assertion = config.homelab.deploy.enable -> config.vault.enable; + message = "homelab.deploy.enable requires vault.enable to be true (needed for NKey secret)"; + } + ]; + }; +} diff --git a/system/homelab-deploy.nix b/system/homelab-deploy.nix index 05a55a8..68edc04 100644 --- a/system/homelab-deploy.nix +++ b/system/homelab-deploy.nix @@ -1,11 +1,10 @@ { config, lib, ... }: let - cfg = config.vault; hostCfg = config.homelab.host; in { - config = lib.mkIf cfg.enable { + config = lib.mkIf config.homelab.deploy.enable { # Fetch listener NKey from Vault vault.secrets.homelab-deploy-nkey = { secretPath = "shared/homelab-deploy/listener-nkey"; diff --git a/terraform/vault/approle.tf b/terraform/vault/approle.tf index b1ee161..6f2fd05 100644 --- a/terraform/vault/approle.tf +++ b/terraform/vault/approle.tf @@ -4,6 +4,17 @@ resource "vault_auth_backend" "approle" { path = "approle" } +# Shared policy for homelab-deploy (all hosts need this for NATS-based deployments) +resource "vault_policy" "homelab_deploy" { + name = "homelab-deploy" + + policy = <
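Review bot: The description on the `lib.mkEnableOption` line says nothing about what enabling the option exposes: per `system/homelab-deploy.nix` in this same patch, a host with it on fetches a listener NKey from Vault and presumably accepts deployment commands over NATS, which is a trust decision that belongs in the option docs. I would write `enable = lib.mkEnableOption "the homelab-deploy listener, which lets this host accept NATS-triggered deployments (requires vault.enable for the listener NKey)";`. The assertion only guards `vault.enable`, yet the same system module also binds `config.homelab.host` as `hostCfg`; if the listener depends on that being set, a second assertion here would fail evaluation with a clear message instead of further down. How `hostCfg` is used is outside the visible hunk, so treat that second check as a suggestion to confirm.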
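Review bot: The new gate `config = lib.mkIf config.homelab.deploy.enable {` turns on, for every vault-enabled host in this commit, a fetch of the single shared secret `shared/homelab-deploy/listener-nkey`, and the commit message pairs that with one shared Vault policy for all hosts. If that NKey is what authenticates the listener to NATS, every host's AppRole can read the same key, so a compromise of one host lets it impersonate any other host's listener; a per-host secret path derived from `hostCfg` (already bound in this file) would keep the blast radius to one host, though the right layout depends on how the NKey is consumed, which is not visible here. The attrset body continues past the hunk, and the `@@ -1,11 +1,10 @@` counts suggest one trailing context line was lost when the page was collapsed.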