system: enable homelab-deploy listener for all vault hosts

Add system/homelab-deploy.nix module that automatically enables the
listener on all hosts with vault.enable=true. Uses homelab.host.tier
and homelab.host.role for NATS subject subscriptions.

- Add homelab-deploy access to all host AppRole policies
- Remove manual listener config from vaulttest01 (now handled by system module)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

hosts/vaulttest01/configuration.nix

@@ -101,28 +101,6 @@ in
     services = [ "vault-test" ];
   };
 
-  # Homelab-deploy listener NKey
-  vault.secrets.homelab-deploy-nkey = {
-    secretPath = "shared/homelab-deploy/listener-nkey";
-    extractKey = "nkey";
-  };
-
-  # Enable homelab-deploy listener
-  services.homelab-deploy.listener = {
-    enable = true;
-    tier = "test";
-    role = "vault";
-    natsUrl = "nats://nats1.home.2rjus.net:4222";
-    nkeyFile = "/run/secrets/homelab-deploy-nkey";
-    flakeUrl = "git+https://git.t-juice.club/torjus/nixos-servers.git";
-  };
-
-  # Ensure listener starts after vault secret is available
-  systemd.services.homelab-deploy-listener = {
-    after = [ "vault-secret-homelab-deploy-nkey.service" ];
-    requires = [ "vault-secret-homelab-deploy-nkey.service" ];
-  };
-
   # Create a test service that uses the secret
   systemd.services.vault-test = {
     description = "Test Vault secret fetching";

system/default.nix

@@ -3,6 +3,7 @@
   imports = [
     ./acme.nix
     ./autoupgrade.nix
+    ./homelab-deploy.nix
     ./monitoring
     ./motd.nix
     ./packages.nix

system/homelab-deploy.nix

@@ -0,0 +1,31 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.vault;
+  hostCfg = config.homelab.host;
+in
+{
+  config = lib.mkIf cfg.enable {
+    # Fetch listener NKey from Vault
+    vault.secrets.homelab-deploy-nkey = {
+      secretPath = "shared/homelab-deploy/listener-nkey";
+      extractKey = "nkey";
+    };
+
+    # Enable homelab-deploy listener
+    services.homelab-deploy.listener = {
+      enable = true;
+      tier = hostCfg.tier;
+      role = hostCfg.role;
+      natsUrl = "nats://nats1.home.2rjus.net:4222";
+      nkeyFile = "/run/secrets/homelab-deploy-nkey";
+      flakeUrl = "git+https://git.t-juice.club/torjus/nixos-servers.git";
+    };
+
+    # Ensure listener starts after vault secret is available
+    systemd.services.homelab-deploy-listener = {
+      after = [ "vault-secret-homelab-deploy-nkey.service" ];
+      requires = [ "vault-secret-homelab-deploy-nkey.service" ];
+    };
+  };
+}

terraform/vault/approle.tf

@@ -30,6 +30,7 @@ locals {
       paths = [
         "secret/data/hosts/ha1/*",
         "secret/data/shared/backup/*",
+        "secret/data/shared/homelab-deploy/*",
       ]
     }
 
@@ -38,6 +39,7 @@ locals {
         "secret/data/hosts/monitoring01/*",
         "secret/data/shared/backup/*",
         "secret/data/shared/nats/*",
+        "secret/data/shared/homelab-deploy/*",
       ]
       extra_policies = ["prometheus-metrics"]
     }
@@ -46,18 +48,21 @@ locals {
     "nats1" = {
       paths = [
         "secret/data/hosts/nats1/*",
+        "secret/data/shared/homelab-deploy/*",
       ]
     }
 
     "jelly01" = {
       paths = [
         "secret/data/hosts/jelly01/*",
+        "secret/data/shared/homelab-deploy/*",
       ]
     }
 
     "pgdb1" = {
       paths = [
         "secret/data/hosts/pgdb1/*",
+        "secret/data/shared/homelab-deploy/*",
       ]
     }
 
@@ -66,6 +71,7 @@ locals {
       paths = [
         "secret/data/hosts/ns1/*",
         "secret/data/shared/dns/*",
+        "secret/data/shared/homelab-deploy/*",
       ]
     }
 
@@ -73,6 +79,7 @@ locals {
       paths = [
         "secret/data/hosts/ns2/*",
         "secret/data/shared/dns/*",
+        "secret/data/shared/homelab-deploy/*",
       ]
     }
 
@@ -80,6 +87,7 @@ locals {
     "http-proxy" = {
       paths = [
         "secret/data/hosts/http-proxy/*",
+        "secret/data/shared/homelab-deploy/*",
       ]
     }
 
@@ -87,10 +95,10 @@ locals {
     "nix-cache01" = {
       paths = [
         "secret/data/hosts/nix-cache01/*",
+        "secret/data/shared/homelab-deploy/*",
       ]
     }
 
-    # Vault test host with homelab-deploy access
     "vaulttest01" = {
       paths = [
         "secret/data/hosts/vaulttest01/*",