add-deploy-homelab #28
8
flake.lock
generated
8
flake.lock
generated
@@ -28,11 +28,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1770442013,
|
||||
"narHash": "sha256-JZbm6X0A770bb+VlbJYvRHrVqWOSsmu6Hn4B8nvsPc8=",
|
||||
"lastModified": 1770443536,
|
||||
"narHash": "sha256-UufZIVggiioMFDSjKx+ifgkDOk9alNSiRmkvc4/+HIA=",
|
||||
"ref": "master",
|
||||
"rev": "71d6aa8b614f557d029bfc2e64375c812ed7bc10",
|
||||
"revCount": 19,
|
||||
"rev": "95b795dcfd86b7b36045bba67e536b3a1c61dd33",
|
||||
"revCount": 20,
|
||||
"type": "git",
|
||||
"url": "https://git.t-juice.club/torjus/homelab-deploy"
|
||||
},
|
||||
|
||||
@@ -57,6 +57,7 @@
|
||||
|
||||
# Vault secrets management
|
||||
vault.enable = true;
|
||||
homelab.deploy.enable = true;
|
||||
vault.secrets.backup-helper = {
|
||||
secretPath = "shared/backup/password";
|
||||
extractKey = "password";
|
||||
|
||||
@@ -61,6 +61,7 @@
|
||||
"flakes"
|
||||
];
|
||||
vault.enable = true;
|
||||
homelab.deploy.enable = true;
|
||||
|
||||
nix.settings.tarball-ttl = 0;
|
||||
environment.systemPackages = with pkgs; [
|
||||
|
||||
@@ -58,6 +58,7 @@
|
||||
|
||||
# Vault secrets management
|
||||
vault.enable = true;
|
||||
homelab.deploy.enable = true;
|
||||
vault.secrets.backup-helper = {
|
||||
secretPath = "shared/backup/password";
|
||||
extractKey = "password";
|
||||
|
||||
@@ -55,6 +55,7 @@
|
||||
"flakes"
|
||||
];
|
||||
vault.enable = true;
|
||||
homelab.deploy.enable = true;
|
||||
|
||||
nix.settings.tarball-ttl = 0;
|
||||
environment.systemPackages = with pkgs; [
|
||||
|
||||
@@ -48,6 +48,7 @@
|
||||
"flakes"
|
||||
];
|
||||
vault.enable = true;
|
||||
homelab.deploy.enable = true;
|
||||
|
||||
homelab.host = {
|
||||
role = "dns";
|
||||
|
||||
@@ -48,6 +48,7 @@
|
||||
"flakes"
|
||||
];
|
||||
vault.enable = true;
|
||||
homelab.deploy.enable = true;
|
||||
|
||||
homelab.host = {
|
||||
role = "dns";
|
||||
|
||||
@@ -92,6 +92,7 @@ in
|
||||
# Testing config
|
||||
# Enable Vault secrets management
|
||||
vault.enable = true;
|
||||
homelab.deploy.enable = true;
|
||||
|
||||
# Define a test secret
|
||||
vault.secrets.test-service = {
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{ ... }:
|
||||
{
|
||||
imports = [
|
||||
./deploy.nix
|
||||
./dns.nix
|
||||
./host.nix
|
||||
./monitoring.nix
|
||||
|
||||
16
modules/homelab/deploy.nix
Normal file
16
modules/homelab/deploy.nix
Normal file
@@ -0,0 +1,16 @@
|
||||
{ config, lib, ... }:
|
||||
|
||||
{
|
||||
options.homelab.deploy = {
|
||||
enable = lib.mkEnableOption "homelab-deploy listener for NATS-based deployments";
|
||||
};
|
||||
|
||||
config = {
|
||||
assertions = [
|
||||
{
|
||||
assertion = config.homelab.deploy.enable -> config.vault.enable;
|
||||
message = "homelab.deploy.enable requires vault.enable to be true (needed for NKey secret)";
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
||||
@@ -1,11 +1,10 @@
|
||||
{ config, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.vault;
|
||||
hostCfg = config.homelab.host;
|
||||
in
|
||||
{
|
||||
config = lib.mkIf cfg.enable {
|
||||
config = lib.mkIf config.homelab.deploy.enable {
|
||||
# Fetch listener NKey from Vault
|
||||
vault.secrets.homelab-deploy-nkey = {
|
||||
secretPath = "shared/homelab-deploy/listener-nkey";
|
||||
|
||||
@@ -4,6 +4,17 @@ resource "vault_auth_backend" "approle" {
|
||||
path = "approle"
|
||||
}
|
||||
|
||||
# Shared policy for homelab-deploy (all hosts need this for NATS-based deployments)
|
||||
resource "vault_policy" "homelab_deploy" {
|
||||
name = "homelab-deploy"
|
||||
|
||||
policy = <<EOT
|
||||
path "secret/data/shared/homelab-deploy/*" {
|
||||
capabilities = ["read", "list"]
|
||||
}
|
||||
EOT
|
||||
}
|
||||
|
||||
# Define host access policies
|
||||
locals {
|
||||
host_policies = {
|
||||
@@ -30,7 +41,6 @@ locals {
|
||||
paths = [
|
||||
"secret/data/hosts/ha1/*",
|
||||
"secret/data/shared/backup/*",
|
||||
"secret/data/shared/homelab-deploy/*",
|
||||
]
|
||||
}
|
||||
|
||||
@@ -39,7 +49,6 @@ locals {
|
||||
"secret/data/hosts/monitoring01/*",
|
||||
"secret/data/shared/backup/*",
|
||||
"secret/data/shared/nats/*",
|
||||
"secret/data/shared/homelab-deploy/*",
|
||||
]
|
||||
extra_policies = ["prometheus-metrics"]
|
||||
}
|
||||
@@ -48,21 +57,18 @@ locals {
|
||||
"nats1" = {
|
||||
paths = [
|
||||
"secret/data/hosts/nats1/*",
|
||||
"secret/data/shared/homelab-deploy/*",
|
||||
]
|
||||
}
|
||||
|
||||
"jelly01" = {
|
||||
paths = [
|
||||
"secret/data/hosts/jelly01/*",
|
||||
"secret/data/shared/homelab-deploy/*",
|
||||
]
|
||||
}
|
||||
|
||||
"pgdb1" = {
|
||||
paths = [
|
||||
"secret/data/hosts/pgdb1/*",
|
||||
"secret/data/shared/homelab-deploy/*",
|
||||
]
|
||||
}
|
||||
|
||||
@@ -71,7 +77,6 @@ locals {
|
||||
paths = [
|
||||
"secret/data/hosts/ns1/*",
|
||||
"secret/data/shared/dns/*",
|
||||
"secret/data/shared/homelab-deploy/*",
|
||||
]
|
||||
}
|
||||
|
||||
@@ -79,7 +84,6 @@ locals {
|
||||
paths = [
|
||||
"secret/data/hosts/ns2/*",
|
||||
"secret/data/shared/dns/*",
|
||||
"secret/data/shared/homelab-deploy/*",
|
||||
]
|
||||
}
|
||||
|
||||
@@ -87,7 +91,6 @@ locals {
|
||||
"http-proxy" = {
|
||||
paths = [
|
||||
"secret/data/hosts/http-proxy/*",
|
||||
"secret/data/shared/homelab-deploy/*",
|
||||
]
|
||||
}
|
||||
|
||||
@@ -95,14 +98,12 @@ locals {
|
||||
"nix-cache01" = {
|
||||
paths = [
|
||||
"secret/data/hosts/nix-cache01/*",
|
||||
"secret/data/shared/homelab-deploy/*",
|
||||
]
|
||||
}
|
||||
|
||||
"vaulttest01" = {
|
||||
paths = [
|
||||
"secret/data/hosts/vaulttest01/*",
|
||||
"secret/data/shared/homelab-deploy/*",
|
||||
]
|
||||
}
|
||||
}
|
||||
@@ -130,7 +131,7 @@ resource "vault_approle_auth_backend_role" "hosts" {
|
||||
backend = vault_auth_backend.approle.path
|
||||
role_name = each.key
|
||||
token_policies = concat(
|
||||
["${each.key}-policy"],
|
||||
["${each.key}-policy", "homelab-deploy"],
|
||||
lookup(each.value, "extra_policies", [])
|
||||
)
|
||||
|
||||
|
||||
Reference in New Issue
Block a user