terraform: add Vault secret for garage01 environment

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

flake.nix

@@ -200,6 +200,15 @@
             ./hosts/nix-cache02
           ];
         };
+        garage01 = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = {
+            inherit inputs self;
+          };
+          modules = commonModules ++ [
+            ./hosts/garage01
+          ];
+        };
       };
       packages = forAllSystems (
         { pkgs }:

hosts/garage01/configuration.nix

@@ -0,0 +1,75 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ../template2/hardware-configuration.nix
+
+    ../../system
+    ../../common/vm
+  ];
+
+  # Host metadata (adjust as needed)
+  homelab.host = {
+    tier = "test";  # Start in test tier, move to prod after validation
+    role = "storage";
+  };
+
+  homelab.dns.cnames = [ "s3" ];
+
+  # Enable Vault integration
+  vault.enable = true;
+
+  # Enable remote deployment via NATS
+  homelab.deploy.enable = true;
+
+  nixpkgs.config.allowUnfree = true;
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/vda";
+
+  networking.hostName = "garage01";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = true;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."ens18" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "10.69.13.26/24"
+    ];
+    routes = [
+      { Gateway = "10.69.13.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    git
+  ];
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  system.stateVersion = "25.11"; # Did you read the comment?
+}

hosts/garage01/default.nix

@@ -0,0 +1,6 @@
+{ ... }: {
+  imports = [
+    ./configuration.nix
+    ../../services/garage
+  ];
+}

services/garage/default.nix

@@ -0,0 +1,61 @@
+{ config, pkgs, ... }:
+{
+  homelab.monitoring.scrapeTargets = [
+    {
+      job_name = "garage";
+      port = 3903;
+      metrics_path = "/metrics";
+    }
+    {
+      job_name = "caddy";
+      port = 9117;
+    }
+  ];
+
+  vault.secrets.garage-env = {
+    secretPath = "hosts/${config.networking.hostName}/garage";
+    extractKey = "env";
+    outputDir = "/run/secrets/garage-env";
+    services = [ "garage" ];
+  };
+
+  services.garage = {
+    enable = true;
+    package = pkgs.garage;
+    environmentFile = "/run/secrets/garage-env";
+    settings = {
+      metadata_dir = "/var/lib/garage/meta";
+      data_dir = "/var/lib/garage/data";
+      replication_factor = 1;
+      rpc_bind_addr = "[::]:3901";
+      rpc_public_addr = "garage01.home.2rjus.net:3901";
+      s3_api = {
+        api_bind_addr = "[::]:3900";
+        s3_region = "garage";
+        root_domain = ".s3.home.2rjus.net";
+      };
+      admin = {
+        api_bind_addr = "[::]:3903";
+      };
+    };
+  };
+
+  services.caddy = {
+    enable = true;
+    package = pkgs.unstable.caddy;
+    configFile = pkgs.writeText "Caddyfile" ''
+      {
+        acme_ca https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory
+        metrics
+      }
+
+      s3.home.2rjus.net {
+        reverse_proxy http://localhost:3900
+      }
+
+      http://garage01.home.2rjus.net:9117/metrics {
+        metrics
+      }
+    '';
+  };
+}

terraform/vault/hosts-generated.tf

@@ -39,6 +39,11 @@ locals {
         "secret/data/shared/homelab-deploy/*",
       ]
     }
+    "garage01" = {
+      paths = [
+        "secret/data/hosts/garage01/*",
+      ]
+    }
   
   }
 

terraform/vault/secrets.tf

@@ -107,6 +107,12 @@ locals {
       data          = { nkey = var.homelab_deploy_scheduler_nkey }
     }
 
+    # Garage S3 environment (RPC secret + admin token)
+    "hosts/garage01/garage" = {
+      auto_generate = false
+      data          = { env = var.garage_env }
+    }
+
     # Kanidm idm_admin password
     "kanidm/idm-admin-password" = {
       auto_generate   = true

terraform/vault/variables.tf

@@ -88,6 +88,13 @@ variable "nixos_exporter_nkey" {
   sensitive   = true
 }
 
+variable "garage_env" {
+  description = "Garage environment file contents (GARAGE_RPC_SECRET and GARAGE_ADMIN_TOKEN)"
+  type        = string
+  default     = "PLACEHOLDER"
+  sensitive   = true
+}
+
 variable "radarr_api_key" {
   description = "Radarr API key for exportarr metrics"
   type        = string

terraform/vms.tf

@@ -93,6 +93,13 @@ locals {
       disk_size = "200G"
       vault_wrapped_token = "s.C5EuHFyULACEqZgsLqMC3cJB"
     }
+    "garage01" = {
+      ip        = "10.69.13.26/24"
+      cpu_cores = 2
+      memory    = 2048
+      disk_size = "30G"
+      vault_wrapped_token = "s.dtMKPT35AIrbyEiHf9c2UcsB"
+    }
   }
 
   # Compute VM configurations with defaults applied