- Add homelab.deploy.enable option (requires vault.enable) - Create shared homelab-deploy Vault policy for all hosts - Enable homelab.deploy on all vault-enabled hosts Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
# Wires up the homelab-deploy listener on a host: pulls the listener NKey from
# Vault, configures the listener service, and orders the listener behind the
# unit that materialises the secret. Everything is gated on
# homelab.deploy.enable.
{ config, lib, ... }:

let
  # systemd unit that delivers the NKey; the listener is ordered behind it.
  nkeySecretUnit = "vault-secret-homelab-deploy-nkey.service";
in
{
  config = lib.mkIf config.homelab.deploy.enable {
    # Listener NKey, read from Vault.
    # NOTE(review): the path sits under "shared/", so presumably every host
    # with deploy enabled reads the same key. If so, one compromised host
    # exposes the listener credential for all of them and the key cannot be
    # revoked per host -- confirm against the Vault policy.
    vault.secrets.homelab-deploy-nkey = {
      secretPath = "shared/homelab-deploy/listener-nkey";
      extractKey = "nkey";
    };

    # The listener itself. Tier and role are taken from homelab.host.
    services.homelab-deploy.listener = {
      enable = true;
      inherit (config.homelab.host) tier role;

      # NOTE(review): the nats:// scheme does not by itself demand TLS. Unless
      # the server enforces it, deploy requests cross the network in clear
      # text -- confirm the server requires TLS, or use a tls:// URL.
      natsUrl = "nats://nats1.home.2rjus.net:4222";

      # Presumably where vault.secrets writes the extracted key -- verify that
      # the path matches and that the file is readable only by the listener's
      # service user.
      nkeyFile = "/run/secrets/homelab-deploy-nkey";

      # No ref or rev is fixed in the URL, so what gets deployed is decided by
      # the git host (and by whatever ref the listener is told to use): push
      # access to this repository is effectively deploy access to every
      # listening host.
      flakeUrl = "git+https://git.t-juice.club/torjus/nixos-servers.git";
    };

    # "after" orders the listener behind the secret unit; "requires" keeps the
    # listener from starting when that unit fails to start.
    systemd.services.homelab-deploy-listener = {
      after = [ nkeySecretUnit ];
      requires = [ nkeySecretUnit ];
    };
  };
}