torjus/nixos-servers
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity

homelab: add deploy.enable option with assertion
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m6s
Details
Run nix flake check / flake-check (pull_request) Successful in 2m7s
Details

Browse Source 
- Add homelab.deploy.enable option (requires vault.enable)
- Create shared homelab-deploy Vault policy for all hosts
- Enable homelab.deploy on all vault-enabled hosts

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Torjus Håkestad
2026-02-07 06:47:12 +01:00
parent 7933127d77
commit c214f8543c
12 changed files with 41 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
flake.lock generated
View File

@@ -28,11 +28,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1770442013, "lastModified": 1770443536,
"narHash": "sha256-JZbm6X0A770bb+VlbJYvRHrVqWOSsmu6Hn4B8nvsPc8=", "narHash": "sha256-UufZIVggiioMFDSjKx+ifgkDOk9alNSiRmkvc4/+HIA=",
"ref": "master", "ref": "master",
"rev": "71d6aa8b614f557d029bfc2e64375c812ed7bc10", "rev": "95b795dcfd86b7b36045bba67e536b3a1c61dd33",
"revCount": 19, "revCount": 20,
"type": "git", "type": "git",
"url": "https://git.t-juice.club/torjus/homelab-deploy" "url": "https://git.t-juice.club/torjus/homelab-deploy"
}, },

1
hosts/ha1/configuration.nix
View File

@@ -57,6 +57,7 @@
# Vault secrets management # Vault secrets management
vault.enable = true; vault.enable = true;
homelab.deploy.enable = true;
vault.secrets.backup-helper = { vault.secrets.backup-helper = {
secretPath = "shared/backup/password"; secretPath = "shared/backup/password";
extractKey = "password"; extractKey = "password";

1
hosts/http-proxy/configuration.nix
View File

@@ -61,6 +61,7 @@
"flakes" "flakes"
]; ];
vault.enable = true; vault.enable = true;
homelab.deploy.enable = true;
nix.settings.tarball-ttl = 0; nix.settings.tarball-ttl = 0;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [

1
hosts/monitoring01/configuration.nix
View File

@@ -58,6 +58,7 @@
# Vault secrets management # Vault secrets management
vault.enable = true; vault.enable = true;
homelab.deploy.enable = true;
vault.secrets.backup-helper = { vault.secrets.backup-helper = {
secretPath = "shared/backup/password"; secretPath = "shared/backup/password";
extractKey = "password"; extractKey = "password";

1
hosts/nix-cache01/configuration.nix
View File

@@ -55,6 +55,7 @@
"flakes" "flakes"
]; ];
vault.enable = true; vault.enable = true;
homelab.deploy.enable = true;
nix.settings.tarball-ttl = 0; nix.settings.tarball-ttl = 0;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [

1
hosts/ns1/configuration.nix
View File

@@ -48,6 +48,7 @@
"flakes" "flakes"
]; ];
vault.enable = true; vault.enable = true;
homelab.deploy.enable = true;
homelab.host = { homelab.host = {
role = "dns"; role = "dns";

1
hosts/ns2/configuration.nix
View File

@@ -48,6 +48,7 @@
"flakes" "flakes"
]; ];
vault.enable = true; vault.enable = true;
homelab.deploy.enable = true;
homelab.host = { homelab.host = {
role = "dns"; role = "dns";

1
hosts/vaulttest01/configuration.nix
View File

@@ -92,6 +92,7 @@ in
# Testing config # Testing config
# Enable Vault secrets management # Enable Vault secrets management
vault.enable = true; vault.enable = true;
homelab.deploy.enable = true;
# Define a test secret # Define a test secret
vault.secrets.test-service = { vault.secrets.test-service = {

1
modules/homelab/default.nix
View File

@@ -1,6 +1,7 @@
{ ... }: { ... }:
{ {
imports = [ imports = [
./deploy.nix
./dns.nix ./dns.nix
./host.nix ./host.nix
./monitoring.nix ./monitoring.nix

16
modules/homelab/deploy.nix Normal file
View File

@@ -0,0 +1,16 @@
{ config, lib, ... }:
{
options.homelab.deploy = {
enable = lib.mkEnableOption "homelab-deploy listener for NATS-based deployments";
};
config = {
assertions = [
{
assertion = config.homelab.deploy.enable -> config.vault.enable;
message = "homelab.deploy.enable requires vault.enable to be true (needed for NKey secret)";
}
];
};
}

3
system/homelab-deploy.nix
View File

@@ -1,11 +1,10 @@
{ config, lib, ... }: { config, lib, ... }:
let let
cfg = config.vault;
hostCfg = config.homelab.host; hostCfg = config.homelab.host;
in in
{ {
config = lib.mkIf cfg.enable { config = lib.mkIf config.homelab.deploy.enable {
# Fetch listener NKey from Vault # Fetch listener NKey from Vault
vault.secrets.homelab-deploy-nkey = { vault.secrets.homelab-deploy-nkey = {
secretPath = "shared/homelab-deploy/listener-nkey"; secretPath = "shared/homelab-deploy/listener-nkey";

23
terraform/vault/approle.tf
View File

@@ -4,6 +4,17 @@ resource "vault_auth_backend" "approle" {
path = "approle" path = "approle"
} }
# Shared policy for homelab-deploy (all hosts need this for NATS-based deployments)
resource "vault_policy" "homelab_deploy" {
name = "homelab-deploy"
policy = <<EOT
path "secret/data/shared/homelab-deploy/*" {
capabilities = ["read", "list"]
}
EOT
}
# Define host access policies # Define host access policies
locals { locals {
host_policies = { host_policies = {
@@ -30,7 +41,6 @@ locals {
paths = [ paths = [
"secret/data/hosts/ha1/*", "secret/data/hosts/ha1/*",
"secret/data/shared/backup/*", "secret/data/shared/backup/*",
"secret/data/shared/homelab-deploy/*",
] ]
} }
@@ -39,7 +49,6 @@ locals {
"secret/data/hosts/monitoring01/*", "secret/data/hosts/monitoring01/*",
"secret/data/shared/backup/*", "secret/data/shared/backup/*",
"secret/data/shared/nats/*", "secret/data/shared/nats/*",
"secret/data/shared/homelab-deploy/*",
] ]
extra_policies = ["prometheus-metrics"] extra_policies = ["prometheus-metrics"]
} }
@@ -48,21 +57,18 @@ locals {
"nats1" = { "nats1" = {
paths = [ paths = [
"secret/data/hosts/nats1/*", "secret/data/hosts/nats1/*",
"secret/data/shared/homelab-deploy/*",
] ]
} }
"jelly01" = { "jelly01" = {
paths = [ paths = [
"secret/data/hosts/jelly01/*", "secret/data/hosts/jelly01/*",
"secret/data/shared/homelab-deploy/*",
] ]
} }
"pgdb1" = { "pgdb1" = {
paths = [ paths = [
"secret/data/hosts/pgdb1/*", "secret/data/hosts/pgdb1/*",
"secret/data/shared/homelab-deploy/*",
] ]
} }
@@ -71,7 +77,6 @@ locals {
paths = [ paths = [
"secret/data/hosts/ns1/*", "secret/data/hosts/ns1/*",
"secret/data/shared/dns/*", "secret/data/shared/dns/*",
"secret/data/shared/homelab-deploy/*",
] ]
} }
@@ -79,7 +84,6 @@ locals {
paths = [ paths = [
"secret/data/hosts/ns2/*", "secret/data/hosts/ns2/*",
"secret/data/shared/dns/*", "secret/data/shared/dns/*",
"secret/data/shared/homelab-deploy/*",
] ]
} }
@@ -87,7 +91,6 @@ locals {
"http-proxy" = { "http-proxy" = {
paths = [ paths = [
"secret/data/hosts/http-proxy/*", "secret/data/hosts/http-proxy/*",
"secret/data/shared/homelab-deploy/*",
] ]
} }
@@ -95,14 +98,12 @@ locals {
"nix-cache01" = { "nix-cache01" = {
paths = [ paths = [
"secret/data/hosts/nix-cache01/*", "secret/data/hosts/nix-cache01/*",
"secret/data/shared/homelab-deploy/*",
] ]
} }
"vaulttest01" = { "vaulttest01" = {
paths = [ paths = [
"secret/data/hosts/vaulttest01/*", "secret/data/hosts/vaulttest01/*",
"secret/data/shared/homelab-deploy/*",
] ]
} }
} }
@@ -130,7 +131,7 @@ resource "vault_approle_auth_backend_role" "hosts" {
backend = vault_auth_backend.approle.path backend = vault_auth_backend.approle.path
role_name = each.key role_name = each.key
token_policies = concat( token_policies = concat(
["${each.key}-policy"], ["${each.key}-policy", "homelab-deploy"],
lookup(each.value, "extra_policies", []) lookup(each.value, "extra_policies", [])
) )