modularized vault config
parent
583dfd549a
commit
c805f4fb69
9 changed files with 120 additions and 104 deletions
|
@ -53,7 +53,7 @@
|
||||||
} @ inputs:
|
} @ inputs:
|
||||||
let
|
let
|
||||||
inherit (nixpkgs) lib;
|
inherit (nixpkgs) lib;
|
||||||
inherit (builtins) filter mapAttrs attrValues concatLists;
|
inherit (builtins) mapAttrs;
|
||||||
|
|
||||||
util = import ./util.nix inputs;
|
util = import ./util.nix inputs;
|
||||||
|
|
||||||
|
|
|
@ -4,5 +4,6 @@
|
||||||
./flood.nix
|
./flood.nix
|
||||||
./unpackerr.nix
|
./unpackerr.nix
|
||||||
./vmagent.nix
|
./vmagent.nix
|
||||||
|
./vault.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
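--- /dev/null
+++ b/nixos/common/modules/vault.nix
@@ -0,0 +1,75 @@
+{ config, pkgs, lib, flat_hosts, ... }:
+with lib;
+let
+cfg = config.services.v.vault;
+hostIP = config.deployment.targetHost;
+
+vault_hosts =
+filter ({ tags ? [ ], ip ? "", ... }: (elem "vault" tags) && (ip != hostIP))
+flat_hosts;
+cluster_config = concatStrings (map ({ ip, ... }: ''
+retry_join {
+leader_api_addr = "http://${ip}:${toString cfg.port}"
+}
+'') vault_hosts);
+in {
+options.services.v.vault = {
+enable = mkEnableOption "v.vault";
+
+node_id = mkOption {
+type = types.str;
+description = ''
+The cluster node id of this node
+'';
+};
+
+openFirewall = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Whether to open port port and clusterPort in the firewall for vault
+'';
+};
+
+port = mkOption {
+type = types.int;
+default = 8200;
+description = ''
+The port vault listens on
+**note:** this has to be the same for all nodes in a cluster
+'';
+};
+
+clusterPort = mkOption {
+type = types.int;
+default = 8201;
+description = ''
+The cluster port vault listens on
+**note:** this has to be the same for all nodes in a cluster
+'';
+};
+};
+
+config = mkIf cfg.enable {
+networking.firewall.allowedTCPPorts =
+mkIf cfg.openFirewall [ cfg.port cfg.clusterPort ];
+
+services.vault = {
+enable = true;
+# bin version includes the UI
+package = pkgs.vault-bin;
+address = "0.0.0.0:${toString cfg.port}";
+storageBackend = "raft";
+storagePath = "/var/lib/vault-raft";
+storageConfig = ''
+node_id = "${cfg.node_id}"
+'' + cluster_config;
+extraConfig = ''
+ui = true
+disable_mlock = true
+api_addr = "http://${hostIP}:${toString cfg.port}"
+cluster_addr = "http://${hostIP}:${toString cfg.clusterPort}"
+'';
+};
+};
+}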
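Review bot: The listener at `address = "0.0.0.0:${toString cfg.port}"` is plain HTTP, and `api_addr`, `cluster_addr` and every generated `leader_api_addr` use `http://`, so client tokens, unseal traffic and raft replication between nodes cross the network in cleartext with no option in this module to change that. Since the upstream `services.vault` module already exposes `tlsCertFile` and `tlsKeyFile`, a nullable pass-through option for each, forwarded into `services.vault` and switching the three URL schemes to `https` when set, would let the cluster be secured without reopening this wrapper. `disable_mlock = true` matches HashiCorp's recommendation for integrated raft storage, but it assumes swap is disabled or encrypted on the host, which nothing here asserts; a comment such as `# raft + disable_mlock: host must run without (or with encrypted) swap` next to it would record that dependency. The self-exclusion `ip != hostIP` only works if `config.deployment.targetHost` is the literal IP string used in the hosts list; if it is ever a hostname, the node would generate a `retry_join` pointing at itself. The `openFirewall` description also reads "open port port and clusterPort"; `Whether to open port and clusterPort in the firewall for vault` fixes it.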
|
@ -33,6 +33,7 @@
|
||||||
hostname = "vault-0";
|
hostname = "vault-0";
|
||||||
ip = "192.168.0.103";
|
ip = "192.168.0.103";
|
||||||
mac = "7A:14:15:ED:D1:E6";
|
mac = "7A:14:15:ED:D1:E6";
|
||||||
|
tags = [ "vault" ];
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
hostname = "MariaDB";
|
hostname = "MariaDB";
|
||||||
|
|
|
@ -2,11 +2,7 @@
|
||||||
# your system. Help is available in the configuration.nix(5) man page
|
# your system. Help is available in the configuration.nix(5) man page
|
||||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||||
|
|
||||||
{ config, pkgs, hosts, ... }:
|
{ config, pkgs, hosts, ... }: {
|
||||||
let
|
|
||||||
port = 8200;
|
|
||||||
clusterPort = 8201;
|
|
||||||
in {
|
|
||||||
# This value determines the NixOS release from which the default
|
# This value determines the NixOS release from which the default
|
||||||
# settings for stateful data, like file locations and database versions
|
# settings for stateful data, like file locations and database versions
|
||||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||||
|
@ -16,31 +12,9 @@ in {
|
||||||
system.stateVersion = "21.05"; # Did you read the comment?
|
system.stateVersion = "21.05"; # Did you read the comment?
|
||||||
|
|
||||||
# Vault
|
# Vault
|
||||||
networking.firewall.allowedTCPPorts = [ port clusterPort ];
|
services.v.vault = {
|
||||||
|
|
||||||
services.vault = {
|
|
||||||
enable = true;
|
enable = true;
|
||||||
# bin version includes the UI
|
openFirewall = true;
|
||||||
package = pkgs.vault-bin;
|
node_id = "hades-1";
|
||||||
address = "0.0.0.0:${toString port}";
|
|
||||||
storageBackend = "raft";
|
|
||||||
storagePath = "/var/lib/vault-raft";
|
|
||||||
storageConfig = ''
|
|
||||||
node_id = "hades-1"
|
|
||||||
|
|
||||||
retry_join {
|
|
||||||
leader_api_addr = "http://10.42.42.30:${toString port}"
|
|
||||||
}
|
|
||||||
|
|
||||||
retry_join {
|
|
||||||
leader_api_addr = "http://10.42.42.6:${toString port}"
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
extraConfig = ''
|
|
||||||
ui = true
|
|
||||||
disable_mlock = true
|
|
||||||
api_addr = "http://192.168.0.103:${toString port}"
|
|
||||||
cluster_addr = "http://192.168.0.103:${toString clusterPort}"
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -30,6 +30,7 @@
|
||||||
ip = "10.42.42.6";
|
ip = "10.42.42.6";
|
||||||
mac = "16:2B:87:55:0C:0C";
|
mac = "16:2B:87:55:0C:0C";
|
||||||
profile = "vault-0";
|
profile = "vault-0";
|
||||||
|
tags = [ "vault" ];
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
hostname = "mosquitto";
|
hostname = "mosquitto";
|
||||||
|
@ -155,6 +156,7 @@
|
||||||
ip = "10.42.42.30";
|
ip = "10.42.42.30";
|
||||||
mac = "26:69:0E:7C:B3:79";
|
mac = "26:69:0E:7C:B3:79";
|
||||||
profile = "vault-1";
|
profile = "vault-1";
|
||||||
|
tags = [ "vault" ];
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
hostname = "nuc";
|
hostname = "nuc";
|
||||||
|
|
|
@ -6,6 +6,7 @@
|
||||||
let
|
let
|
||||||
port = 8200;
|
port = 8200;
|
||||||
clusterPort = 8201;
|
clusterPort = 8201;
|
||||||
|
ip = config.deployment.targetHost;
|
||||||
in {
|
in {
|
||||||
# This value determines the NixOS release from which the default
|
# This value determines the NixOS release from which the default
|
||||||
# settings for stateful data, like file locations and database versions
|
# settings for stateful data, like file locations and database versions
|
||||||
|
@ -15,31 +16,10 @@ in {
|
||||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||||
system.stateVersion = "21.05"; # Did you read the comment?
|
system.stateVersion = "21.05"; # Did you read the comment?
|
||||||
|
|
||||||
# Additional packages
|
|
||||||
environment.systemPackages = with pkgs; [ ];
|
|
||||||
|
|
||||||
# Vault
|
# Vault
|
||||||
networking.firewall.allowedTCPPorts = [ port clusterPort ];
|
services.v.vault = {
|
||||||
|
|
||||||
services.vault = {
|
|
||||||
enable = true;
|
enable = true;
|
||||||
# bin version includes the UI
|
openFirewall = true;
|
||||||
package = pkgs.vault-bin;
|
node_id = "olympus-1";
|
||||||
address = "0.0.0.0:${toString port}";
|
|
||||||
storageBackend = "raft";
|
|
||||||
storagePath = "/var/lib/vault-raft";
|
|
||||||
storageConfig = ''
|
|
||||||
node_id = "olympus-1"
|
|
||||||
|
|
||||||
retry_join {
|
|
||||||
leader_api_addr = "http://10.42.42.30:${toString port}"
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
extraConfig = ''
|
|
||||||
ui = true
|
|
||||||
disable_mlock = true
|
|
||||||
api_addr = "http://10.42.42.6:${toString port}"
|
|
||||||
cluster_addr = "http://10.42.42.6:${toString clusterPort}"
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
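Review bot: On the new side the `let` bindings `port`, `clusterPort` and the newly added `ip = config.deployment.targetHost;` have no visible use, because the second hunk removes the firewall line and every `${toString port}` interpolation; unless something outside these hunks reads them, the `let … in` wrapper can go and the file can open with `{ config, pkgs, ... }: {` as the hades-1 configuration.nix in this commit now does. The peer set also changes silently: the removed block joined only 10.42.42.30, whereas `services.v.vault` generates a `retry_join` for every host tagged "vault" other than this node, which from the hosts hunks in this commit appears to add 192.168.0.103 as well — worth confirming that address is reachable from this node and that the change is intended. The same dead bindings remain in the olympus-2 configuration.nix, which additionally keeps `networking.firewall.allowedTCPPorts = [ port clusterPort ];` next to `openFirewall = true;`, declaring the same open ports twice.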
|
|
@ -15,31 +15,13 @@ in {
|
||||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||||
system.stateVersion = "21.05"; # Did you read the comment?
|
system.stateVersion = "21.05"; # Did you read the comment?
|
||||||
|
|
||||||
# Additional packages
|
|
||||||
environment.systemPackages = with pkgs; [ ];
|
|
||||||
|
|
||||||
# Vault
|
# Vault
|
||||||
networking.firewall.allowedTCPPorts = [ port clusterPort ];
|
networking.firewall.allowedTCPPorts = [ port clusterPort ];
|
||||||
|
|
||||||
services.vault = {
|
# Vault
|
||||||
|
services.v.vault = {
|
||||||
enable = true;
|
enable = true;
|
||||||
# bin version includes the UI
|
openFirewall = true;
|
||||||
package = pkgs.vault-bin;
|
node_id = "olympus-2";
|
||||||
address = "0.0.0.0:${toString port}";
|
|
||||||
storageBackend = "raft";
|
|
||||||
storagePath = "/var/lib/vault-raft";
|
|
||||||
storageConfig = ''
|
|
||||||
node_id = "olympus-2"
|
|
||||||
|
|
||||||
retry_join {
|
|
||||||
leader_api_addr = "http://10.42.42.6:${toString port}"
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
extraConfig = ''
|
|
||||||
ui = true
|
|
||||||
disable_mlock = true
|
|
||||||
api_addr = "http://10.42.42.30:${toString port}"
|
|
||||||
cluster_addr = "http://10.42.42.30:${toString clusterPort}"
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -30,10 +30,8 @@ let
|
||||||
|
|
||||||
exec Hyprland
|
exec Hyprland
|
||||||
'';
|
'';
|
||||||
in
|
in {
|
||||||
{
|
imports = [
|
||||||
imports =
|
|
||||||
[
|
|
||||||
# Include the results of the hardware scan.
|
# Include the results of the hardware scan.
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
./networking.nix
|
./networking.nix
|
||||||
|
@ -43,9 +41,7 @@ in
|
||||||
home-manager.useGlobalPkgs = true;
|
home-manager.useGlobalPkgs = true;
|
||||||
home-manager.useUserPackages = true;
|
home-manager.useUserPackages = true;
|
||||||
home-manager.users.victor = import ./home;
|
home-manager.users.victor = import ./home;
|
||||||
home-manager.extraSpecialArgs = {
|
home-manager.extraSpecialArgs = { inherit inputs; };
|
||||||
inherit inputs;
|
|
||||||
};
|
|
||||||
|
|
||||||
security.pam.services.swaylock = { };
|
security.pam.services.swaylock = { };
|
||||||
|
|
||||||
|
@ -58,7 +54,10 @@ in
|
||||||
noto-fonts-cjk
|
noto-fonts-cjk
|
||||||
noto-fonts-emoji
|
noto-fonts-emoji
|
||||||
dejavu_fonts
|
dejavu_fonts
|
||||||
(nerdfonts.override { fonts = [ "DejaVuSansMono" "Ubuntu" "DroidSansMono" "NerdFontsSymbolsOnly" ]; })
|
(nerdfonts.override {
|
||||||
|
fonts =
|
||||||
|
[ "DejaVuSansMono" "Ubuntu" "DroidSansMono" "NerdFontsSymbolsOnly" ];
|
||||||
|
})
|
||||||
];
|
];
|
||||||
|
|
||||||
enableDefaultFonts = false;
|
enableDefaultFonts = false;
|
||||||
|
@ -66,8 +65,10 @@ in
|
||||||
fontconfig = {
|
fontconfig = {
|
||||||
defaultFonts = {
|
defaultFonts = {
|
||||||
monospace = [ "DejaVuSansMono Nerd Font" "Noto Color Emoji" ];
|
monospace = [ "DejaVuSansMono Nerd Font" "Noto Color Emoji" ];
|
||||||
sansSerif = [ "DejaVu Sans" "DejaVuSansMono Nerd Font" "Noto Color Emoji" ];
|
sansSerif =
|
||||||
serif = [ "DejaVu Serif" "DejaVuSansMono Nerd Font" "Noto Color Emoji" ];
|
[ "DejaVu Sans" "DejaVuSansMono Nerd Font" "Noto Color Emoji" ];
|
||||||
|
serif =
|
||||||
|
[ "DejaVu Serif" "DejaVuSansMono Nerd Font" "Noto Color Emoji" ];
|
||||||
emoji = [ "Noto Color Emoji" ];
|
emoji = [ "Noto Color Emoji" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -112,16 +113,15 @@ in
|
||||||
LC_TIME = "en_DK.UTF-8";
|
LC_TIME = "en_DK.UTF-8";
|
||||||
};
|
};
|
||||||
|
|
||||||
i18n.supportedLocales = [
|
i18n.supportedLocales =
|
||||||
"en_GB.UTF-8/UTF-8"
|
[ "en_GB.UTF-8/UTF-8" "nl_NL.UTF-8/UTF-8" "en_DK.UTF-8/UTF-8" ];
|
||||||
"nl_NL.UTF-8/UTF-8"
|
|
||||||
"en_DK.UTF-8/UTF-8"
|
|
||||||
];
|
|
||||||
|
|
||||||
xdg.portal = {
|
xdg.portal = {
|
||||||
enable = true;
|
enable = true;
|
||||||
wlr.enable = true;
|
wlr.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.udisks2.enable = true;
|
||||||
services.dbus.enable = true;
|
services.dbus.enable = true;
|
||||||
|
|
||||||
# Hyprland
|
# Hyprland
|
||||||
|
@ -218,7 +218,8 @@ in
|
||||||
debug = false;
|
debug = false;
|
||||||
cue = true;
|
cue = true;
|
||||||
control = "sufficient";
|
control = "sufficient";
|
||||||
authFile = "/etc/u2f-mappings"; # use `pamu2fcfg` from `pkgs.pam_u2f` to generate this config
|
authFile =
|
||||||
|
"/etc/u2f-mappings"; # use `pamu2fcfg` from `pkgs.pam_u2f` to generate this config
|
||||||
};
|
};
|
||||||
|
|
||||||
programs.ssh.startAgent = true;
|
programs.ssh.startAgent = true;
|
||||||
|
|
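Review bot: `services.udisks2.enable = true;` is the only non-formatting change in this file and is unrelated to the vault refactor the commit message describes; it belongs in its own commit so the change to what unprivileged desktop users can mount via polkit is visible in history rather than buried under reformatting. The remaining hunks here look like pure nixfmt output and need no review.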