diff --git a/nixos/common/default.nix b/nixos/common/default.nix
index 65343dc..a0fa94f 100644
--- a/nixos/common/default.nix
+++ b/nixos/common/default.nix
@@ -67,7 +67,7 @@
 };
 vault-secrets = lib.mkIf (config.networking.domain == "olympus") {
- vaultPrefix = "secrets/nixos";
+ vaultPrefix = "olympus_secrets/nixos";
 vaultAddress = "http://vault.olympus:8200/";
 approlePrefix = "olympus-${config.networking.hostName}";
 };
diff --git a/nixos/hosts/olympus/vault/configuration.nix b/nixos/hosts/olympus/vault/configuration.nix
index 23e416a..6121864 100644
--- a/nixos/hosts/olympus/vault/configuration.nix
+++ b/nixos/hosts/olympus/vault/configuration.nix
@@ -2,8 +2,10 @@
 # your system. Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
-{ config, pkgs, ... }:
-let port = 8200;
+{ config, pkgs, hosts, ... }:
+let
+ port = 8200;
+ clusterPort = 8201;
 in {
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
@@ -17,17 +19,23 @@ in {
 environment.systemPackages = with pkgs; [ ];
 # Vault
- networking.firewall.allowedTCPPorts = [ port ];
+ networking.firewall.allowedTCPPorts = [ port clusterPort ];
 services.vault = {
 enable = true;
 # bin version includes the UI
 package = pkgs.vault-bin;
 address = "0.0.0.0:${toString port}";
- storageBackend = "file";
- storagePath = "/var/lib/vault";
+ storageBackend = "raft";
+ storagePath = "/var/lib/vault-raft";
+ storageConfig = ''
 node_id = "olympus-1"
 '';
 extraConfig = ''
 ui = true
+ disable_mlock = true
+ api_addr = "http://10.42.42.6:${toString port}"
+ cluster_addr = "http://10.42.42.6:${toString clusterPort}"
 '';
 };
 }
diff --git a/nixos/hosts/olympus/vault/migrate.hcl b/nixos/hosts/olympus/vault/migrate.hcl
new file mode 100644
index 0000000..4717ae0
--- /dev/null
+++ b/nixos/hosts/olympus/vault/migrate.hcl
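Review bot: The new `vaultPrefix = "olympus_secrets/nixos"` hard-codes the domain name that the enclosing `lib.mkIf (config.networking.domain == "olympus")` already tests and that `approlePrefix` repeats a third time; deriving it, `vaultPrefix = "${config.networking.domain}_secrets/nixos";`, keeps the three in step. Pointing hosts at a new KV path only works if the secrets already exist there and the AppRole policies (not in this diff) grant read on the new path instead of `secrets/nixos`; it is worth confirming both before hosts are rebuilt, since a secret that cannot be read presumably surfaces as an activation failure. A one-line comment on the option naming which Vault mount `olympus_secrets` is and why it replaced `secrets` would spare the next reader the search.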
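Review bot: `hosts` is added to the module's argument set in the first hunk of `configuration.nix`, but nothing in the two visible hunks reads it, while the second hunk hard-codes `10.42.42.6` in both `api_addr` and `cluster_addr` and `migrate.hcl` uses `vault.olympus` for the same address. If `hosts` was added to supply that address, use it in both settings so the advertised address has one source of truth; if it is unused elsewhere in the file (not visible here), drop it, since every evaluation of this module now requires a `hosts` argument to be passed in. Either way, a short comment on `api_addr` saying which interface the address belongs to would help, e.g. `# address other nodes and clients use to reach this node; must be reachable from the cluster network`.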
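Review bot: `disable_mlock = true` in `extraConfig` carries no comment and changes a security property: Vault no longer locks its memory, so unsealed keys and secrets can be paged to swap. That setting is what Vault documents for integrated (raft) storage, but the documented companion is to run the host without swap; add `swapDevices = [ ];` (or confirm the host has none) and a line such as `# mlock disabled per Vault guidance for raft storage; host must run without swap`. The firewall change also opens `clusterPort` (8201) to everything that can reach the host, yet this is a single node (`node_id = "olympus-1"`, no `retry_join`); the cluster port is only needed by other raft members, so it can stay closed until a second node exists, or be limited to that node's address. `cluster_addr` is given with an `http://` scheme although cluster traffic is always TLS; Vault's reference configs use `https://` for it, so verify the scheme is accepted here.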
@@ -0,0 +1,10 @@
+storage_source "file" {
+ path = "/var/lib/vault"
+}
+
+storage_destination "raft" {
+ path = "/var/lib/vault-raft"
+ node_id = "olympus-1"
+}
+
+cluster_addr = "http://vault.olympus:8201"
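Review bot: `cluster_addr` here is `http://vault.olympus:8201` while `configuration.nix` in the same commit advertises `http://10.42.42.6:8201`; the address written into the raft peer set during `vault operator migrate` should match what the server later runs with, so use one form in both files. The migration copies the file backend at `/var/lib/vault` into `/var/lib/vault-raft` and must run with the vault service stopped, and the destination directory needs to exist and be owned by the vault user before the service starts, which nothing in this diff arranges (the NixOS module may create `storagePath` on start, so confirm). After a successful migration `/var/lib/vault` still holds the barrier-encrypted data; keep it only while a rollback is possible and say so in a header comment, e.g. `# one-shot input for 'vault operator migrate' (file -> raft); run with vault stopped, remove the old path once the raft node is verified`.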