add-deploy-homelab #28

Merged
torjus merged 5 commits from add-deploy-homelab into master 2026-02-07 05:56:52 +00:00
Summary

Add NATS-based deployment system using homelab-deploy for message-driven deployments across the fleet.

Changes

  • New flake input: homelab-deploy from git.t-juice.club
  • NATS DEPLOY account: Three-tier access control (listener, test-deployer, admin-deployer)
  • New option: homelab.deploy.enable - opt-in per host, requires vault.enable
  • Shared Vault policy: homelab-deploy policy added to all AppRoles
  • System module: system/homelab-deploy.nix auto-configures listener when enabled
  • CLI in devShell: homelab-deploy command available via nix develop

Hosts Enabled

  • ha1, http-proxy, monitoring01, nix-cache01, ns1, ns2, vaulttest01

Terraform Changes

  • New homelab-deploy policy for secret/data/shared/homelab-deploy/*
  • All AppRoles automatically receive this policy
  • Three NKey secrets in shared/homelab-deploy/

Post-Merge Steps

  1. Run tofu apply in terraform/vault/ to create policy and secrets
  2. Generate real NKeys with nk -gen user -pubout and update terraform.tfvars
  3. Re-run tofu apply with real NKey values
  4. Deploy hosts (or wait for auto-upgrade)
  5. Verify listeners: systemctl status homelab-deploy-listener

Usage

# From devShell
nix develop
homelab-deploy deploy --nats-url nats://nats1.home.2rjus.net:4222 \
  --nkey-file /path/to/deployer.nkey deploy.test.<hostname>

Subjects:

  • deploy.test.<hostname> - specific host
  • deploy.test.all - all test-tier hosts
  • deploy.test.role.<role> - hosts by role
  • deploy.prod.* - production tier (same patterns)
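An added example, not code from homelab-deploy or this repository, that models the subject scheme above: NATS wildcard matching (`*` is one token, `>` is one or more trailing tokens), a publish allow-list for the three tiers the PR names, and the subscriptions a listener derives from its tier and role as the system module does. The exact per-tier permission sets and the sample host ns1 with role dns are assumptions, since the PR only names the tiers.

```go
package main

import (
	"fmt"
	"strings"
)

// matchSubject applies NATS wildcard rules: "*" is one token, ">" is one or more trailing tokens.
func matchSubject(pattern, subject string) bool {
	p, s := strings.Split(pattern, "."), strings.Split(subject, ".")
	for i, tok := range p {
		if tok == ">" {
			return i < len(s)
		}
		if i >= len(s) || (tok != "*" && tok != s[i]) {
			return false
		}
	}
	return len(p) == len(s)
}

// Assumed publish permissions per tier (the PR names the tiers, not their exact permission sets).
var publishAllow = map[string][]string{
	"listener":       {}, // listeners subscribe only, never publish
	"test-deployer":  {"deploy.test.>"},
	"admin-deployer": {"deploy.test.>", "deploy.prod.>"},
}

func canPublish(tier, subject string) bool {
	for _, pat := range publishAllow[tier] {
		if matchSubject(pat, subject) {
			return true
		}
	}
	return false
}

// listenerSubjects derives a host's subscriptions from tier, role and name, per the PR's subject list.
func listenerSubjects(tier, role, hostname string) []string {
	return []string{
		"deploy." + tier + "." + hostname,
		"deploy." + tier + ".all",
		"deploy." + tier + ".role." + role,
	}
}

func main() {
	// Constructed sample: ns1 as a test-tier host with role "dns".
	fmt.Println(listenerSubjects("test", "dns", "ns1"), canPublish("test-deployer", "deploy.prod.ns1"))
}
```

A test-tier credential is rejected for any `deploy.prod.*` subject, which is the property the DEPLOY account's tiering is meant to enforce.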
torjus added 5 commits 2026-02-07 05:56:01 +00:00
homelab-deploy: add NATS-based deployment system
Some checks failed
Run nix flake check / flake-check (push) Failing after 3m45s
ad8570f8db
Add homelab-deploy flake input and NixOS module for message-based
deployments across the fleet. Configure DEPLOY account in NATS with
tiered access control (listener, test-deployer, admin-deployer).
Enable listener on vaulttest01 as initial test host.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
vaulttest01: add vault secret dependency to listener
Some checks failed
Run nix flake check / flake-check (push) Failing after 15m32s
0643f23281
Ensure homelab-deploy-listener waits for the NKey secret to be
fetched from Vault before starting.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Update homelab-deploy to include bugfix. Add CLI to devShell for
easier testing and deployment operations.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add system/homelab-deploy.nix module that automatically enables the
listener on all hosts with vault.enable=true. Uses homelab.host.tier
and homelab.host.role for NATS subject subscriptions.

- Add homelab-deploy access to all host AppRole policies
- Remove manual listener config from vaulttest01 (now handled by system module)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
homelab: add deploy.enable option with assertion
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m6s
Run nix flake check / flake-check (pull_request) Successful in 2m7s
c214f8543c
- Add homelab.deploy.enable option (requires vault.enable)
- Create shared homelab-deploy Vault policy for all hosts
- Enable homelab.deploy on all vault-enabled hosts

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
torjus merged commit 6e93b8eae3 into master 2026-02-07 05:56:52 +00:00
torjus deleted branch add-deploy-homelab 2026-02-07 05:56:52 +00:00
Reference: torjus/nixos-servers#28