flake: update homelab-deploy

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
homelab: add deploy.enable option with assertion
2026-02-07 06:53:13 +01:00 · 2026-02-07 06:47:12 +01:00 · 2026-02-07 06:41:03 +01:00 · 2026-02-07 06:27:21 +01:00 · 2026-02-07 06:20:14 +01:00 · 2026-02-07 06:11:37 +01:00
14 changed files with 76 additions and 33 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -28,11 +28,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1770437282,
+        "lastModified": 1770443536,
-        "narHash": "sha256-7C6hheIP8JUkK0Aoib/lQ4xbOaXHoqSe9SJjU2u3t/Q=",
+        "narHash": "sha256-UufZIVggiioMFDSjKx+ifgkDOk9alNSiRmkvc4/+HIA=",
        "ref": "master",
-        "rev": "cf3b1ce2c9e85ad954d8c230161553c5473e9579",
+        "rev": "95b795dcfd86b7b36045bba67e536b3a1c61dd33",
-        "revCount": 12,
+        "revCount": 20,
        "type": "git",
        "url": "https://git.t-juice.club/torjus/homelab-deploy"
      },
--- a/flake.nix
+++ b/flake.nix
@@ -225,11 +225,12 @@
        { pkgs }:
        {
          default = pkgs.mkShell {
-            packages = with pkgs; [
+            packages = [
-              ansible
+              pkgs.ansible
-              opentofu
+              pkgs.opentofu
-              openbao
+              pkgs.openbao
              (pkgs.callPackage ./scripts/create-host { })
              homelab-deploy.packages.${pkgs.system}.default
            ];
          };
        }
--- a/hosts/ha1/configuration.nix
+++ b/hosts/ha1/configuration.nix
@@ -57,6 +57,7 @@
  # Vault secrets management
  vault.enable = true;
  homelab.deploy.enable = true;
  vault.secrets.backup-helper = {
    secretPath = "shared/backup/password";
    extractKey = "password";
--- a/hosts/http-proxy/configuration.nix
+++ b/hosts/http-proxy/configuration.nix
@@ -61,6 +61,7 @@
    "flakes"
  ];
  vault.enable = true;
  homelab.deploy.enable = true;
  nix.settings.tarball-ttl = 0;
  environment.systemPackages = with pkgs; [
--- a/hosts/monitoring01/configuration.nix
+++ b/hosts/monitoring01/configuration.nix
@@ -58,6 +58,7 @@
  # Vault secrets management
  vault.enable = true;
  homelab.deploy.enable = true;
  vault.secrets.backup-helper = {
    secretPath = "shared/backup/password";
    extractKey = "password";
--- a/hosts/nix-cache01/configuration.nix
+++ b/hosts/nix-cache01/configuration.nix
@@ -55,6 +55,7 @@
    "flakes"
  ];
  vault.enable = true;
  homelab.deploy.enable = true;
  nix.settings.tarball-ttl = 0;
  environment.systemPackages = with pkgs; [
--- a/hosts/ns1/configuration.nix
+++ b/hosts/ns1/configuration.nix
@@ -48,6 +48,7 @@
    "flakes"
  ];
  vault.enable = true;
  homelab.deploy.enable = true;
  homelab.host = {
    role = "dns";
--- a/hosts/ns2/configuration.nix
+++ b/hosts/ns2/configuration.nix
@@ -48,6 +48,7 @@
    "flakes"
  ];
  vault.enable = true;
  homelab.deploy.enable = true;
  homelab.host = {
    role = "dns";
--- a/hosts/vaulttest01/configuration.nix
+++ b/hosts/vaulttest01/configuration.nix
@@ -92,6 +92,7 @@ in
  # Testing config
  # Enable Vault secrets management
  vault.enable = true;
  homelab.deploy.enable = true;
  # Define a test secret
  vault.secrets.test-service = {
@@ -101,28 +102,6 @@ in
    services = [ "vault-test" ];
  };
  # Homelab-deploy listener NKey
  vault.secrets.homelab-deploy-nkey = {
    secretPath = "shared/homelab-deploy/listener-nkey";
    extractKey = "nkey";
  };
  # Enable homelab-deploy listener
  services.homelab-deploy.listener = {
    enable = true;
    tier = "test";
    role = "vault";
    natsUrl = "nats://nats1.home.2rjus.net:4222";
    nkeyFile = "/run/secrets/homelab-deploy-nkey";
    flakeUrl = "git+https://git.t-juice.club/torjus/nixos-servers.git";
  };
  # Ensure listener starts after vault secret is available
  systemd.services.homelab-deploy-listener = {
    after = [ "vault-secret-homelab-deploy-nkey.service" ];
    requires = [ "vault-secret-homelab-deploy-nkey.service" ];
  };
  # Create a test service that uses the secret
  systemd.services.vault-test = {
    description = "Test Vault secret fetching";
--- a/modules/homelab/default.nix
+++ b/modules/homelab/default.nix
@@ -1,6 +1,7 @@
 { ... }:
 {
  imports = [
    ./deploy.nix
    ./dns.nix
    ./host.nix
    ./monitoring.nix
--- a/modules/homelab/deploy.nix
+++ b/modules/homelab/deploy.nix
@@ -0,0 +1,16 @@
 { config, lib, ... }:
 {
  options.homelab.deploy = {
    enable = lib.mkEnableOption "homelab-deploy listener for NATS-based deployments";
  };
  config = {
    assertions = [
      {
        assertion = config.homelab.deploy.enable -> config.vault.enable;
        message = "homelab.deploy.enable requires vault.enable to be true (needed for NKey secret)";
      }
    ];
  };
 }
--- a/system/default.nix
+++ b/system/default.nix
@@ -3,6 +3,7 @@
  imports = [
    ./acme.nix
    ./autoupgrade.nix
    ./homelab-deploy.nix
    ./monitoring
    ./motd.nix
    ./packages.nix
--- a/system/homelab-deploy.nix
+++ b/system/homelab-deploy.nix
@@ -0,0 +1,30 @@
 { config, lib, ... }:
 let
  hostCfg = config.homelab.host;
 in
 {
  config = lib.mkIf config.homelab.deploy.enable {
    # Fetch listener NKey from Vault
    vault.secrets.homelab-deploy-nkey = {
      secretPath = "shared/homelab-deploy/listener-nkey";
      extractKey = "nkey";
    };
    # Enable homelab-deploy listener
    services.homelab-deploy.listener = {
      enable = true;
      tier = hostCfg.tier;
      role = hostCfg.role;
      natsUrl = "nats://nats1.home.2rjus.net:4222";
      nkeyFile = "/run/secrets/homelab-deploy-nkey";
      flakeUrl = "git+https://git.t-juice.club/torjus/nixos-servers.git";
    };
    # Ensure listener starts after vault secret is available
    systemd.services.homelab-deploy-listener = {
      after = [ "vault-secret-homelab-deploy-nkey.service" ];
      requires = [ "vault-secret-homelab-deploy-nkey.service" ];
    };
  };
 }
--- a/terraform/vault/approle.tf
+++ b/terraform/vault/approle.tf
@@ -4,6 +4,17 @@ resource "vault_auth_backend" "approle" {
  path = "approle"
 }
 # Shared policy for homelab-deploy (all hosts need this for NATS-based deployments)
 resource "vault_policy" "homelab_deploy" {
  name = "homelab-deploy"
  policy = <<EOT
 path "secret/data/shared/homelab-deploy/*" {
  capabilities = ["read", "list"]
 }
 EOT
 }
 # Define host access policies
 locals {
  host_policies = {
@@ -90,11 +101,9 @@ locals {
      ]
    }
    # Vault test host with homelab-deploy access
    "vaulttest01" = {
      paths = [
        "secret/data/hosts/vaulttest01/*",
        "secret/data/shared/homelab-deploy/*",
      ]
    }
  }
@@ -122,7 +131,7 @@ resource "vault_approle_auth_backend_role" "hosts" {
  backend   = vault_auth_backend.approle.path
  role_name = each.key
  token_policies = concat(
-    ["${each.key}-policy"],
+    ["${each.key}-policy", "homelab-deploy"],
    lookup(each.value, "extra_policies", [])
  )
Author	SHA1	Message	Date
Torjus Håkestad	2669b10f0e	flake: update homelab-deploy Some checks failed Run nix flake check / flake-check (push) Has been cancelled Details Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-07 06:53:13 +01:00
Torjus Håkestad	db6d610e16	homelab: add deploy.enable option with assertion All checks were successful Run nix flake check / flake-check (push) Successful in 2m3s Details - Add homelab.deploy.enable option (requires vault.enable) - Create shared homelab-deploy Vault policy for all hosts - Enable homelab.deploy on all vault-enabled hosts Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-07 06:47:12 +01:00
Torjus Håkestad	e4eb8afe5c	system: enable homelab-deploy listener for all vault hosts All checks were successful Run nix flake check / flake-check (push) Successful in 2m4s Details Add system/homelab-deploy.nix module that automatically enables the listener on all hosts with vault.enable=true. Uses homelab.host.tier and homelab.host.role for NATS subject subscriptions. - Add homelab-deploy access to all host AppRole policies - Remove manual listener config from vaulttest01 (now handled by system module) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-07 06:41:03 +01:00
Torjus Håkestad	df9246a0f8	flake: update homelab-deploy Some checks failed Run nix flake check / flake-check (push) Failing after 12m46s Details Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-07 06:27:21 +01:00
Torjus Håkestad	ec3b87f7fa	flake: update homelab-deploy All checks were successful Run nix flake check / flake-check (push) Successful in 2m5s Details Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-07 06:20:14 +01:00
Torjus Håkestad	913fa11c64	flake: update homelab-deploy Some checks failed Run nix flake check / flake-check (push) Failing after 3m39s Details Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-07 06:11:37 +01:00
Torjus Håkestad	3e85e2527f	flake: update homelab-deploy All checks were successful Run nix flake check / flake-check (push) Successful in 2m7s Details Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-07 05:58:26 +01:00
Torjus Håkestad	543ca18b14	flake: update homelab-deploy All checks were successful Run nix flake check / flake-check (push) Successful in 2m6s Details Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-07 05:54:05 +01:00
Torjus Håkestad	c83218b3bc	flake: update homelab-deploy, add to devShell All checks were successful Run nix flake check / flake-check (push) Successful in 2m6s Details Update homelab-deploy to include bugfix. Add CLI to devShell for easier testing and deployment operations. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-07 05:45:54 +01:00