homelab: add deploy.enable option with assertion

- Add homelab.deploy.enable option (requires vault.enable) - Create shared homelab-deploy Vault policy for all hosts - Enable homelab.deploy on all vault-enabled hosts Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-07 06:47:12 +01:00
parent e4eb8afe5c
commit db6d610e16
11 changed files with 37 additions and 13 deletions
--- a/hosts/ha1/configuration.nix
+++ b/hosts/ha1/configuration.nix
@@ -57,6 +57,7 @@
  # Vault secrets management
  vault.enable = true;
  homelab.deploy.enable = true;
  vault.secrets.backup-helper = {
    secretPath = "shared/backup/password";
    extractKey = "password";
--- a/hosts/http-proxy/configuration.nix
+++ b/hosts/http-proxy/configuration.nix
@@ -61,6 +61,7 @@
    "flakes"
  ];
  vault.enable = true;
  homelab.deploy.enable = true;
  nix.settings.tarball-ttl = 0;
  environment.systemPackages = with pkgs; [
--- a/hosts/monitoring01/configuration.nix
+++ b/hosts/monitoring01/configuration.nix
@@ -58,6 +58,7 @@
  # Vault secrets management
  vault.enable = true;
  homelab.deploy.enable = true;
  vault.secrets.backup-helper = {
    secretPath = "shared/backup/password";
    extractKey = "password";
--- a/hosts/nix-cache01/configuration.nix
+++ b/hosts/nix-cache01/configuration.nix
@@ -55,6 +55,7 @@
    "flakes"
  ];
  vault.enable = true;
  homelab.deploy.enable = true;
  nix.settings.tarball-ttl = 0;
  environment.systemPackages = with pkgs; [
--- a/hosts/ns1/configuration.nix
+++ b/hosts/ns1/configuration.nix
@@ -48,6 +48,7 @@
    "flakes"
  ];
  vault.enable = true;
  homelab.deploy.enable = true;
  homelab.host = {
    role = "dns";
--- a/hosts/ns2/configuration.nix
+++ b/hosts/ns2/configuration.nix
@@ -48,6 +48,7 @@
    "flakes"
  ];
  vault.enable = true;
  homelab.deploy.enable = true;
  homelab.host = {
    role = "dns";
--- a/hosts/vaulttest01/configuration.nix
+++ b/hosts/vaulttest01/configuration.nix
@@ -92,6 +92,7 @@ in
  # Testing config
  # Enable Vault secrets management
  vault.enable = true;
  homelab.deploy.enable = true;
  # Define a test secret
  vault.secrets.test-service = {
--- a/modules/homelab/default.nix
+++ b/modules/homelab/default.nix
@@ -1,6 +1,7 @@
 { ... }:
 {
  imports = [
    ./deploy.nix
    ./dns.nix
    ./host.nix
    ./monitoring.nix
--- a/modules/homelab/deploy.nix
+++ b/modules/homelab/deploy.nix
@@ -0,0 +1,16 @@
 { config, lib, ... }:
 {
  options.homelab.deploy = {
    enable = lib.mkEnableOption "homelab-deploy listener for NATS-based deployments";
  };
  config = {
    assertions = [
      {
        assertion = config.homelab.deploy.enable -> config.vault.enable;
        message = "homelab.deploy.enable requires vault.enable to be true (needed for NKey secret)";
      }
    ];
  };
 }
--- a/system/homelab-deploy.nix
+++ b/system/homelab-deploy.nix
@@ -1,11 +1,10 @@
 { config, lib, ... }:
 let
  cfg = config.vault;
  hostCfg = config.homelab.host;
 in
 {
-  config = lib.mkIf cfg.enable {
+  config = lib.mkIf config.homelab.deploy.enable {
    # Fetch listener NKey from Vault
    vault.secrets.homelab-deploy-nkey = {
      secretPath = "shared/homelab-deploy/listener-nkey";
--- a/terraform/vault/approle.tf
+++ b/terraform/vault/approle.tf
@@ -4,6 +4,17 @@ resource "vault_auth_backend" "approle" {
  path = "approle"
 }
 # Shared policy for homelab-deploy (all hosts need this for NATS-based deployments)
 resource "vault_policy" "homelab_deploy" {
  name = "homelab-deploy"
  policy = <<EOT
 path "secret/data/shared/homelab-deploy/*" {
  capabilities = ["read", "list"]
 }
 EOT
 }
 # Define host access policies
 locals {
  host_policies = {
@@ -30,7 +41,6 @@ locals {
      paths = [
        "secret/data/hosts/ha1/*",
        "secret/data/shared/backup/*",
        "secret/data/shared/homelab-deploy/*",
      ]
    }
@@ -39,7 +49,6 @@ locals {
        "secret/data/hosts/monitoring01/*",
        "secret/data/shared/backup/*",
        "secret/data/shared/nats/*",
        "secret/data/shared/homelab-deploy/*",
      ]
      extra_policies = ["prometheus-metrics"]
    }
@@ -48,21 +57,18 @@ locals {
    "nats1" = {
      paths = [
        "secret/data/hosts/nats1/*",
        "secret/data/shared/homelab-deploy/*",
      ]
    }
    "jelly01" = {
      paths = [
        "secret/data/hosts/jelly01/*",
        "secret/data/shared/homelab-deploy/*",
      ]
    }
    "pgdb1" = {
      paths = [
        "secret/data/hosts/pgdb1/*",
        "secret/data/shared/homelab-deploy/*",
      ]
    }
@@ -71,7 +77,6 @@ locals {
      paths = [
        "secret/data/hosts/ns1/*",
        "secret/data/shared/dns/*",
        "secret/data/shared/homelab-deploy/*",
      ]
    }
@@ -79,7 +84,6 @@ locals {
      paths = [
        "secret/data/hosts/ns2/*",
        "secret/data/shared/dns/*",
        "secret/data/shared/homelab-deploy/*",
      ]
    }
@@ -87,7 +91,6 @@ locals {
    "http-proxy" = {
      paths = [
        "secret/data/hosts/http-proxy/*",
        "secret/data/shared/homelab-deploy/*",
      ]
    }
@@ -95,14 +98,12 @@ locals {
    "nix-cache01" = {
      paths = [
        "secret/data/hosts/nix-cache01/*",
        "secret/data/shared/homelab-deploy/*",
      ]
    }
    "vaulttest01" = {
      paths = [
        "secret/data/hosts/vaulttest01/*",
        "secret/data/shared/homelab-deploy/*",
      ]
    }
  }
@@ -130,7 +131,7 @@ resource "vault_approle_auth_backend_role" "hosts" {
  backend   = vault_auth_backend.approle.path
  role_name = each.key
  token_policies = concat(
-    ["${each.key}-policy"],
+    ["${each.key}-policy", "homelab-deploy"],
    lookup(each.value, "extra_policies", [])
  )