homelab: add deploy.enable option with assertion

- Add homelab.deploy.enable option (requires vault.enable) - Create shared homelab-deploy Vault policy for all hosts - Enable homelab.deploy on all vault-enabled hosts Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-07 06:47:12 +01:00
parent 7933127d77
commit c214f8543c
12 changed files with 41 additions and 17 deletions
--- a/modules/homelab/default.nix
+++ b/modules/homelab/default.nix
@@ -1,6 +1,7 @@
 { ... }:
 {
  imports = [
+    ./deploy.nix
    ./dns.nix
    ./host.nix
    ./monitoring.nix
--- a/modules/homelab/deploy.nix
+++ b/modules/homelab/deploy.nix
@@ -0,0 +1,16 @@
+{ config, lib, ... }:
+
+{
+  options.homelab.deploy = {
+    enable = lib.mkEnableOption "homelab-deploy listener for NATS-based deployments";
+  };
+
+  config = {
+    assertions = [
+      {
+        assertion = config.homelab.deploy.enable -> config.vault.enable;
+        message = "homelab.deploy.enable requires vault.enable to be true (needed for NKey secret)";
+      }
+    ];
+  };
+}