torjus/nixos-servers
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
bbb22e588e89ef764cec531531e6c4c19f7e3d60
nixos-servers/services/monitoring/alerttonotify.nix
Torjus Håkestad 0700033c0a secrets: migrate all hosts from sops to OpenBao vault 
Replace sops-nix secrets with OpenBao vault secrets across all hosts.
Hardcode root password hash, add extractKey option to vault-secrets
module, update Terraform with secrets/policies for all hosts, and
create AppRole provisioning playbook.

Hosts migrated: ha1, monitoring01, ns1, ns2, http-proxy, nix-cache01
Wave 1 hosts (nats1, jelly01, pgdb1) get AppRole policies only.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 18:43:09 +01:00

50 lines
1.3 KiB
Nix
Raw Blame History

{ pkgs, config, ... }:
{
vault.secrets.nats-nkey = {
secretPath = "shared/nats/nkey";
extractKey = "nkey";
outputDir = "/run/secrets/nats_nkey";
services = [ "alerttonotify" ];
};
systemd.services."alerttonotify" = {
enable = true;
wants = [ "network-online.target" ];
after = [
"network-online.target"
"vault-secret-nats-nkey.service"
];
wantedBy = [ "multi-user.target" ];
restartIfChanged = true;
environment = {
NATS_URL = "nats://nats1.home.2rjus.net:4222";
NATS_NKEY_FILE = "%d/nats_nkey";
};
serviceConfig = {
Type = "exec";
ExecStart = "${pkgs.alerttonotify}/bin/alerttonotify";
CapabilityBoundingSet = "";
DynamicUser = "yes";
LoadCredential = "nats_nkey:/run/secrets/nats_nkey";
LockPersonality = "yes";
MemoryDenyWriteExecute = "yes";
PrivateDevices = "yes";
PrivateUsers = "yes";
ProtectClock = "yes";
ProtectControlGroups = "yes";
ProtectHome = "yes";
ProtectHostname = "yes";
ProtectKernelLogs = "yes";
ProtectKernelModules = "yes";
RestrictAddressFamilies = "AF_INET AF_INET6";
RestrictNamespaces = "yes";
RestrictRealtime = "yes";
SystemCallArchitectures = "native";
SystemCallFilter = "~@privileged";
};
};
}
Reference in New Issue View Git Blame Copy Permalink