Add system/homelab-deploy.nix module that automatically enables the listener on all hosts with vault.enable=true. Uses homelab.host.tier and homelab.host.role for NATS subject subscriptions. - Add homelab-deploy access to all host AppRole policies - Remove manual listener config from vaulttest01 (now handled by system module) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
32 lines
883 B
Nix
{ config, lib, ... }:
|
|
|
|
let
|
|
cfg = config.vault;
|
|
hostCfg = config.homelab.host;
|
|
in
|
|
{
|
|
config = lib.mkIf cfg.enable {
|
|
# Fetch listener NKey from Vault
|
|
vault.secrets.homelab-deploy-nkey = {
|
|
secretPath = "shared/homelab-deploy/listener-nkey";
|
|
extractKey = "nkey";
|
|
};
|
|
|
|
# Enable homelab-deploy listener
|
|
services.homelab-deploy.listener = {
|
|
enable = true;
|
|
tier = hostCfg.tier;
|
|
role = hostCfg.role;
|
|
natsUrl = "nats://nats1.home.2rjus.net:4222";
|
|
nkeyFile = "/run/secrets/homelab-deploy-nkey";
|
|
flakeUrl = "git+https://git.t-juice.club/torjus/nixos-servers.git";
|
|
};
|
|
|
|
# Ensure listener starts after vault secret is available
|
|
systemd.services.homelab-deploy-listener = {
|
|
after = [ "vault-secret-homelab-deploy-nkey.service" ];
|
|
requires = [ "vault-secret-homelab-deploy-nkey.service" ];
|
|
};
|
|
};
|
|
}
|
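Review bot: The listener is pointed at `nats://nats1.home.2rjus.net:4222`, a plain-scheme URL, so the NKey only authenticates the client and the deploy subscriptions themselves ride an unencrypted connection unless the server side forces a TLS upgrade, which nothing in this module records. Either switch the scheme, `natsUrl = "tls://nats1.home.2rjus.net:4222";`, or add a comment above that line stating that TLS is enforced by the NATS server so the choice is deliberate. Separately, `enable = true;` inside `lib.mkIf cfg.enable` turns the listener on for every vault host with no per-host opt-out; `enable = lib.mkDefault true;` keeps the automatic default while letting a single host disable it. The `nkeyFile` path `/run/secrets/homelab-deploy-nkey` presumably mirrors where the `vault.secrets` module writes the extracted key, but that coupling is not visible here, so a comment tying the two names together would help the next reader.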