From 60c04a205279baf502eebdb38a032ddacb89279d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Torjus=20H=C3=A5kestad?= Date: Sun, 8 Feb 2026 23:57:28 +0100 Subject: [PATCH] nixos-exporter: enable NATS cache sharing When one host fetches the latest flake revision, it publishes to NATS and all other hosts receive the update immediately. This reduces redundant nix flake metadata calls across the fleet. - Add nkeys to devshell for key generation - Add nixos-exporter user to NATS HOMELAB account - Add Vault secret for NKey storage - Configure all hosts to use NATS for revision sharing - Update nixos-exporter input to version with NATS support Co-Authored-By: Claude Opus 4.5 --- flake.lock | 8 ++++---- flake.nix | 1 + services/nats/default.nix | 9 +++++++++ system/monitoring/metrics.nix | 17 +++++++++++++++++ terraform/vault/secrets.tf | 6 ++++++ terraform/vault/variables.tf | 7 +++++++ 6 files changed, 44 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index 791e900..51d5942 100644 --- a/flake.lock +++ b/flake.lock @@ -49,11 +49,11 @@ ] }, "locked": { - "lastModified": 1770422522, - "narHash": "sha256-WmIFnquu4u58v8S2bOVWmknRwHn4x88CRfBFTzJ1inQ=", + "lastModified": 1770590420, + "narHash": "sha256-Gih+2ufQXcZQzrlSrgZWcG7u9TjQT7z/6qybnX5yJn8=", "ref": "refs/heads/master", - "rev": "cf0ce858997af4d8dcc2ce10393ff393e17fc911", - "revCount": 11, + "rev": "acfb142788dc994cf64931f55063393d807c6ebf", + "revCount": 14, "type": "git", "url": "https://git.t-juice.club/torjus/nixos-exporter" }, diff --git a/flake.nix b/flake.nix index 6e7936a..861f002 100644 --- a/flake.nix +++ b/flake.nix @@ -217,6 +217,7 @@ pkgs.opentofu pkgs.openbao pkgs.kanidm_1_8 + pkgs.nkeys (pkgs.callPackage ./scripts/create-host { }) homelab-deploy.packages.${pkgs.system}.default ]; diff --git a/services/nats/default.nix b/services/nats/default.nix index fdb7ce3..bb0a94f 100644 --- a/services/nats/default.nix +++ b/services/nats/default.nix 
@@ -35,9 +35,18 @@ HOMELAB = { jetstream = "enabled"; users = [ + # alerttonotify (full access to HOMELAB account) { nkey = "UASLNKLWGICRTZMIXVD3RXLQ57XRIMCKBHP5V3PYFFRNO3E3BIJBCYMZ"; } + # nixos-exporter (restricted to nixos-exporter subjects) + { + nkey = "UBCL3ODHVERVZJNGUJ567YBBKHQZOV3LK3WO6TVVSGQOCTK2NQ3IJVRV"; # Replace with public key from: nix develop -c nk -gen user -pubout + permissions = { + publish = [ "nixos-exporter.>" ]; + subscribe = [ "nixos-exporter.>" ]; + }; + } ]; }; diff --git a/system/monitoring/metrics.nix b/system/monitoring/metrics.nix index 3a1ec44..81b324e 100644 --- a/system/monitoring/metrics.nix +++ b/system/monitoring/metrics.nix @@ -19,15 +19,32 @@ ]; }; + # Fetch NKey from Vault for NATS authentication + vault.secrets.nixos-exporter-nkey = { + secretPath = "shared/nixos-exporter/nkey"; + extractKey = "nkey"; + }; + services.prometheus.exporters.nixos = { enable = true; # Default port: 9971 flake = { enable = true; url = "git+https://git.t-juice.club/torjus/nixos-servers.git"; + nats = { + enable = true; + url = "nats://nats1.home.2rjus.net:4222"; + credentialsFile = "/run/secrets/nixos-exporter-nkey"; + }; }; }; + # Ensure exporter starts after Vault secret is available + systemd.services.prometheus-nixos-exporter = { + after = [ "vault-secret-nixos-exporter-nkey.service" ]; + requires = [ "vault-secret-nixos-exporter-nkey.service" ]; + }; + # Register nixos-exporter as a Prometheus scrape target homelab.monitoring.scrapeTargets = [ { diff --git a/terraform/vault/secrets.tf b/terraform/vault/secrets.tf index 2d257c5..f16e585 100644 --- a/terraform/vault/secrets.tf +++ b/terraform/vault/secrets.tf @@ -114,6 +114,12 @@ locals { auto_generate = true password_length = 64 } + + # NKey for nixos-exporter NATS cache sharing + "shared/nixos-exporter/nkey" = { + auto_generate = false + data = { nkey = var.nixos_exporter_nkey } + } } } diff --git a/terraform/vault/variables.tf b/terraform/vault/variables.tf index f53cb4f..928abd6 100644 
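Review bot: The new nixos-exporter user still carries `# Replace with public key from: nix develop -c nk -gen user -pubout` on its `nkey = "UBCL3..."` line, so it is unclear whether the committed value is the real fleet key or a leftover placeholder; if it is real the comment should go, and if not every host will fail NATS auth until it is swapped. Either way the comment should warn that `nk -gen user` also prints the seed, which must only ever go into Vault, e.g. `# nixos-exporter user public key; the matching seed (SU...) lives in Vault at shared/nixos-exporter/nkey and is never committed`. Note also that one identity is shared by every host with `publish = [ "nixos-exporter.>" ]`, so a single compromised host can push a bogus "latest revision" that every other host's exporter will then report; if that could mask an out-of-date fleet in alerting, per-host users or publish rights limited to a trusted fetcher are the stricter model. If the exporter ever uses JetStream or request/reply on this connection (plausible given `jetstream = "enabled"` on the account) the allow lists will additionally need `$JS.API.>` / `_INBOX.>`, which the current subject-only permissions would block.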
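Review bot: `vault.secrets.nixos-exporter-nkey` sets only `secretPath` and `extractKey`, so nothing in this hunk says who may read `/run/secrets/nixos-exporter-nkey`; unless the vault module defaults the owner to the exporter's service user, the file is either unreadable by the `prometheus-nixos-exporter` unit (likely a dedicated or dynamic user) or readable by every local user, and the latter hands out the fleet's NATS seed. Prefer passing it through systemd, e.g. `serviceConfig.LoadCredential = [ "nats-nkey:/run/secrets/nixos-exporter-nkey" ]` with `credentialsFile` pointing into `$CREDENTIALS_DIRECTORY` if the module lets the path reach the unit, or at least set the secret's owner/mode to the exporter's user. Separately, `requires = [ "vault-secret-nixos-exporter-nkey.service" ]` makes the whole exporter — including the metrics that have nothing to do with NATS — refuse to start whenever the Vault fetch fails, so a Vault outage now also blinds monitoring; `wants` plus a run-without-NATS fallback would keep the base metrics up. Both the unit name and the `/run/secrets/...` path are spelled by hand here; if the vault module exposes them (for instance a `.path` attribute on the secret) referencing that avoids silent drift when the module changes its layout.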
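Review bot: The new `"shared/nixos-exporter/nkey"` entry stores the *private* seed under the key `nkey`, while the same word in services/nats/default.nix names the public key, so neither the path nor the comment tells a reader which half of the pair lives in Vault. Either rename the key (`data = { seed = var.nixos_exporter_nkey }` with `extractKey = "seed"` on the consumer side) or make the comment explicit: `# NKey seed (private half) used by every host's nixos-exporter for NATS auth; the public key is registered in services/nats/default.nix`. The `shared/` prefix presumably means every host's Vault policy can read it, which is what the design needs, but it is worth stating that this is deliberately one fleet-wide credential so nobody later assumes it is scoped per host.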
--- a/terraform/vault/variables.tf
+++ b/terraform/vault/variables.tf
@@ -73,3 +73,10 @@ variable "homelab_deploy_admin_deployer_nkey" {
   sensitive = true
 }
 
+variable "nixos_exporter_nkey" {
+  description = "NKey seed for nixos-exporter NATS authentication"
+  type = string
+  default = "PLACEHOLDER"
+  sensitive = true
+}
+
-- 
2.49.1
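Review bot: `default = "PLACEHOLDER"` means an apply without `TF_VAR_nixos_exporter_nkey` succeeds and writes the literal string `PLACEHOLDER` into `shared/nixos-exporter/nkey`, which every host then pulls down as its NATS credential — and once a real seed is in Vault, the same forgotten variable silently overwrites it on the next apply. Drop the default so the value must be supplied, and add a `validation` block such as `condition = can(regex("^SU[A-Z2-7]{56}$", var.nixos_exporter_nkey))` with `error_message = "must be a NATS user seed (58-char base32 starting with SU)"`, since user seeds have that fixed shape; if the neighbouring `homelab_deploy_admin_deployer_nkey` variable has no default, this one should match it. `sensitive = true` is right, but it only redacts plan output; the seed still lands in the state file, which therefore needs the same access control as Vault itself.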