modularized vault config

flake.nix

@@ -53,7 +53,7 @@
     } @ inputs:
     let
       inherit (nixpkgs) lib;
-      inherit (builtins) filter mapAttrs attrValues concatLists;
+      inherit (builtins) mapAttrs;
 
       util = import ./util.nix inputs;
 

nixos/common/modules/default.nix

@@ -4,5 +4,6 @@
     ./flood.nix
     ./unpackerr.nix
     ./vmagent.nix
+    ./vault.nix
   ];
 }

nixos/common/modules/vault.nix

@@ -0,0 +1,75 @@
+{ config, pkgs, lib, flat_hosts, ... }:
+with lib;
+let
+  cfg = config.services.v.vault;
+  hostIP = config.deployment.targetHost;
+
+  vault_hosts =
+    filter ({ tags ? [ ], ip ? "", ... }: (elem "vault" tags) && (ip != hostIP))
+    flat_hosts;
+  cluster_config = concatStrings (map ({ ip, ... }: ''
+    retry_join {
+      leader_api_addr = "http://${ip}:${toString cfg.port}"
+    }
+  '') vault_hosts);
+in {
+  options.services.v.vault = {
+    enable = mkEnableOption "v.vault";
+
+    node_id = mkOption {
+      type = types.str;
+      description = ''
+        The cluster node id of this node
+      '';
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to open port port and clusterPort in the firewall for vault
+      '';
+    };
+
+    port = mkOption {
+      type = types.int;
+      default = 8200;
+      description = ''
+        The port vault listens on
+        **note:** this has to be the same for all nodes in a cluster
+      '';
+    };
+
+    clusterPort = mkOption {
+      type = types.int;
+      default = 8201;
+      description = ''
+        The cluster port vault listens on
+        **note:** this has to be the same for all nodes in a cluster
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts =
+      mkIf cfg.openFirewall [ cfg.port cfg.clusterPort ];
+
+    services.vault = {
+      enable = true;
+      # bin version includes the UI
+      package = pkgs.vault-bin;
+      address = "0.0.0.0:${toString cfg.port}";
+      storageBackend = "raft";
+      storagePath = "/var/lib/vault-raft";
+      storageConfig = ''
+        node_id = "${cfg.node_id}"
+      '' + cluster_config;
+      extraConfig = ''
+        ui = true
+        disable_mlock = true
+        api_addr = "http://${hostIP}:${toString cfg.port}"
+        cluster_addr = "http://${hostIP}:${toString cfg.clusterPort}"
+      '';
+    };
+  };
+}

nixos/hosts/hades/default.nix

@@ -33,6 +33,7 @@
     hostname = "vault-0";
     ip = "192.168.0.103";
     mac = "7A:14:15:ED:D1:E6";
+    tags = [ "vault" ];
   }
   {
     hostname = "MariaDB";

nixos/hosts/hades/vault-0/configuration.nix

@@ -2,11 +2,7 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
-{ config, pkgs, hosts, ... }:
-let 
-  port = 8200;
-  clusterPort = 8201;
-in {
+{ config, pkgs, hosts, ... }: {
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave
@@ -16,31 +12,9 @@ in {
   system.stateVersion = "21.05"; # Did you read the comment?
 
   # Vault
-  networking.firewall.allowedTCPPorts = [ port clusterPort ];
-
-  services.vault = {
+  services.v.vault = {
     enable = true;
-    # bin version includes the UI
-    package = pkgs.vault-bin;
-    address = "0.0.0.0:${toString port}";
-    storageBackend = "raft";
-    storagePath = "/var/lib/vault-raft";
-    storageConfig = ''
-      node_id = "hades-1"
-
-      retry_join {
-        leader_api_addr = "http://10.42.42.30:${toString port}"
-      }
-
-      retry_join {
-        leader_api_addr = "http://10.42.42.6:${toString port}"
-      }
-    '';
-    extraConfig = ''
-      ui = true
-      disable_mlock = true
-      api_addr = "http://192.168.0.103:${toString port}"
-      cluster_addr = "http://192.168.0.103:${toString clusterPort}"
-    '';
+    openFirewall = true;
+    node_id = "hades-1";
   };
 }

nixos/hosts/olympus/default.nix

@@ -30,6 +30,7 @@
     ip = "10.42.42.6";
     mac = "16:2B:87:55:0C:0C";
     profile = "vault-0";
+    tags = [ "vault" ];
   }
   {
     hostname = "mosquitto";
@@ -155,6 +156,7 @@
     ip = "10.42.42.30";
     mac = "26:69:0E:7C:B3:79";
     profile = "vault-1";
+    tags = [ "vault" ];
   }
   {
     hostname = "nuc";

nixos/hosts/olympus/vault-0/configuration.nix

@@ -3,9 +3,10 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
 { config, pkgs, hosts, ... }:
-let 
+let
   port = 8200;
   clusterPort = 8201;
+  ip = config.deployment.targetHost;
 in {
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
@@ -15,31 +16,10 @@ in {
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
   system.stateVersion = "21.05"; # Did you read the comment?
 
-  # Additional packages
-  environment.systemPackages = with pkgs; [ ];
-
   # Vault
-  networking.firewall.allowedTCPPorts = [ port clusterPort ];
-
-  services.vault = {
+  services.v.vault = {
     enable = true;
-    # bin version includes the UI
-    package = pkgs.vault-bin;
-    address = "0.0.0.0:${toString port}";
-    storageBackend = "raft";
-    storagePath = "/var/lib/vault-raft";
-    storageConfig = ''
-      node_id = "olympus-1"
-
-      retry_join {
-        leader_api_addr = "http://10.42.42.30:${toString port}"
-      }
-    '';
-    extraConfig = ''
-      ui = true
-      disable_mlock = true
-      api_addr = "http://10.42.42.6:${toString port}"
-      cluster_addr = "http://10.42.42.6:${toString clusterPort}"
-    '';
+    openFirewall = true;
+    node_id = "olympus-1";
   };
 }

nixos/hosts/olympus/vault-1/configuration.nix

@@ -15,31 +15,13 @@ in {
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
   system.stateVersion = "21.05"; # Did you read the comment?
 
-  # Additional packages
-  environment.systemPackages = with pkgs; [ ];
-
   # Vault
   networking.firewall.allowedTCPPorts = [ port clusterPort ];
 
-  services.vault = {
+  # Vault
+  services.v.vault = {
     enable = true;
-    # bin version includes the UI
-    package = pkgs.vault-bin;
-    address = "0.0.0.0:${toString port}";
-    storageBackend = "raft";
-    storagePath = "/var/lib/vault-raft";
-    storageConfig = ''
-      node_id = "olympus-2"
-
-      retry_join {
-        leader_api_addr = "http://10.42.42.6:${toString port}"
-      }
-    '';
-    extraConfig = ''
-      ui = true
-      disable_mlock = true
-      api_addr = "http://10.42.42.30:${toString port}"
-      cluster_addr = "http://10.42.42.30:${toString clusterPort}"
-    '';
+    openFirewall = true;
+    node_id = "olympus-2";
   };
 }

nixos/hosts/thalassa/null/configuration.nix

@@ -30,22 +30,18 @@ let
 
     exec Hyprland
   '';
-in
-{
-  imports =
-    [
-      # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-      ./networking.nix
-    ];
+in {
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    ./networking.nix
+  ];
 
   # home-manager
   home-manager.useGlobalPkgs = true;
   home-manager.useUserPackages = true;
   home-manager.users.victor = import ./home;
-  home-manager.extraSpecialArgs = {
-    inherit inputs;
-  };
+  home-manager.extraSpecialArgs = { inherit inputs; };
 
   security.pam.services.swaylock = { };
 
@@ -58,7 +54,10 @@ in
       noto-fonts-cjk
       noto-fonts-emoji
       dejavu_fonts
-      (nerdfonts.override { fonts = [ "DejaVuSansMono" "Ubuntu" "DroidSansMono" "NerdFontsSymbolsOnly" ]; })
+      (nerdfonts.override {
+        fonts =
+          [ "DejaVuSansMono" "Ubuntu" "DroidSansMono" "NerdFontsSymbolsOnly" ];
+      })
     ];
 
     enableDefaultFonts = false;
@@ -66,8 +65,10 @@ in
     fontconfig = {
       defaultFonts = {
         monospace = [ "DejaVuSansMono Nerd Font" "Noto Color Emoji" ];
-        sansSerif = [ "DejaVu Sans" "DejaVuSansMono Nerd Font" "Noto Color Emoji" ];
-        serif = [ "DejaVu Serif" "DejaVuSansMono Nerd Font" "Noto Color Emoji" ];
+        sansSerif =
+          [ "DejaVu Sans" "DejaVuSansMono Nerd Font" "Noto Color Emoji" ];
+        serif =
+          [ "DejaVu Serif" "DejaVuSansMono Nerd Font" "Noto Color Emoji" ];
         emoji = [ "Noto Color Emoji" ];
       };
     };
@@ -76,7 +77,7 @@ in
   # Bootloader.
   # boot.initrd.systemd.enable = true; # Experimental
   boot = {
-    kernelPackages = pkgs.linuxPackages_latest; 
+    kernelPackages = pkgs.linuxPackages_latest;
     loader.systemd-boot.editor = false;
     loader.systemd-boot.enable = true;
     loader.systemd-boot.configurationLimit = 6;
@@ -85,7 +86,7 @@ in
   };
 
   services.gnome.gnome-keyring.enable = true;
- 
+
   fileSystems."/".options = [ "compress=zstd" ];
   # Filesystem dedup
   services.beesd.filesystems = {
@@ -112,16 +113,15 @@ in
     LC_TIME = "en_DK.UTF-8";
   };
 
-  i18n.supportedLocales = [
-    "en_GB.UTF-8/UTF-8"
-    "nl_NL.UTF-8/UTF-8"
-    "en_DK.UTF-8/UTF-8"
-  ];
+  i18n.supportedLocales =
+    [ "en_GB.UTF-8/UTF-8" "nl_NL.UTF-8/UTF-8" "en_DK.UTF-8/UTF-8" ];
 
   xdg.portal = {
-      enable = true;
-      wlr.enable = true;
+    enable = true;
+    wlr.enable = true;
   };
+
+  services.udisks2.enable = true;
   services.dbus.enable = true;
 
   # Hyprland
@@ -218,7 +218,8 @@ in
     debug = false;
     cue = true;
     control = "sufficient";
-    authFile = "/etc/u2f-mappings"; # use `pamu2fcfg` from `pkgs.pam_u2f` to generate this config
+    authFile =
+      "/etc/u2f-mappings"; # use `pamu2fcfg` from `pkgs.pam_u2f` to generate this config
   };
 
   programs.ssh.startAgent = true;
@@ -228,10 +229,10 @@ in
     HandlePowerKey=suspend
   '';
 
-  services.udev.packages = with pkgs; [ 
+  services.udev.packages = with pkgs; [
     android-udev-rules
     logitech-udev-rules
-    qmk-udev-rules 
+    qmk-udev-rules
     wooting-udev-rules
   ];