modularized vault config
parent
583dfd549a
commit
c805f4fb69
@ -53,7 +53,7 @@
} @ inputs:
let
inherit (nixpkgs) lib;
inherit (builtins) filter mapAttrs attrValues concatLists;
inherit (builtins) mapAttrs;
util = import ./util.nix inputs;
@ -4,5 +4,6 @@
./flood.nix
./unpackerr.nix
./vmagent.nix
./vault.nix
];
}
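--- a/nixos/common/modules/vault.nix
+++ b/nixos/common/modules/vault.nix
@@ -0,0 +1,75 @@
+{ config, pkgs, lib, flat_hosts, ... }:
+with lib;
+let
+cfg = config.services.v.vault;
+hostIP = config.deployment.targetHost;
+
+vault_hosts =
+filter ({ tags ? [ ], ip ? "", ... }: (elem "vault" tags) && (ip != hostIP))
+flat_hosts;
+cluster_config = concatStrings (map ({ ip, ... }: ''
+retry_join {
+leader_api_addr = "http://${ip}:${toString cfg.port}"
+}
+'') vault_hosts);
+in {
+options.services.v.vault = {
+enable = mkEnableOption "v.vault";
+
+node_id = mkOption {
+type = types.str;
+description = ''
+The cluster node id of this node
+'';
+};
+
+openFirewall = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Whether to open port port and clusterPort in the firewall for vault
+'';
+};
+
+port = mkOption {
+type = types.int;
+default = 8200;
+description = ''
+The port vault listens on
+**note:** this has to be the same for all nodes in a cluster
+'';
+};
+
+clusterPort = mkOption {
+type = types.int;
+default = 8201;
+description = ''
+The cluster port vault listens on
+**note:** this has to be the same for all nodes in a cluster
+'';
+};
+};
+
+config = mkIf cfg.enable {
+networking.firewall.allowedTCPPorts =
+mkIf cfg.openFirewall [ cfg.port cfg.clusterPort ];
+
+services.vault = {
+enable = true;
+# bin version includes the UI
+package = pkgs.vault-bin;
+address = "0.0.0.0:${toString cfg.port}";
+storageBackend = "raft";
+storagePath = "/var/lib/vault-raft";
+storageConfig = ''
+node_id = "${cfg.node_id}"
+'' + cluster_config;
+extraConfig = ''
+ui = true
+disable_mlock = true
+api_addr = "http://${hostIP}:${toString cfg.port}"
+cluster_addr = "http://${hostIP}:${toString cfg.clusterPort}"
+'';
+};
+};
+}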
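Review bot: The listener at `address = "0.0.0.0:${toString cfg.port}"` combined with the hard-coded `http://` scheme in `api_addr`, `cluster_addr` and the generated `leader_api_addr` makes every node that enables this module serve the Vault API and raft join traffic in cleartext on all interfaces, and the module offers no option to turn TLS on; consider passing `services.vault.tlsCertFile`/`tlsKeyFile` through as module options and deriving the URL scheme from whether they are set. The predicate `({ tags ? [ ], ip ? "", ... }: (elem "vault" tags) && (ip != hostIP))` lets a vault-tagged host without an `ip` through, which renders as `leader_api_addr = "http://:8200"`; adding `&& (ip != "")` drops it. `port` and `clusterPort` are declared as `types.int` where `types.port` would reject out-of-range values at evaluation time. The `openFirewall` description reads "open port port and clusterPort"; `Whether to open port and clusterPort in the firewall for vault` fixes the duplicated word.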
@ -33,6 +33,7 @@
hostname = "vault-0";
ip = "192.168.0.103";
mac = "7A:14:15:ED:D1:E6";
tags = [ "vault" ];
}
{
hostname = "MariaDB";
@ -2,11 +2,7 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
{ config, pkgs, hosts, ... }:
let
port = 8200;
clusterPort = 8201;
in {
{ config, pkgs, hosts, ... }: {
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. It‘s perfectly fine and recommended to leave
@ -16,31 +12,9 @@ in {
system.stateVersion = "21.05"; # Did you read the comment?
# Vault
networking.firewall.allowedTCPPorts = [ port clusterPort ];
services.vault = {
services.v.vault = {
enable = true;
# bin version includes the UI
package = pkgs.vault-bin;
address = "0.0.0.0:${toString port}";
storageBackend = "raft";
storagePath = "/var/lib/vault-raft";
storageConfig = ''
node_id = "hades-1"
retry_join {
leader_api_addr = "http://10.42.42.30:${toString port}"
}
retry_join {
leader_api_addr = "http://10.42.42.6:${toString port}"
}
'';
extraConfig = ''
ui = true
disable_mlock = true
api_addr = "http://192.168.0.103:${toString port}"
cluster_addr = "http://192.168.0.103:${toString clusterPort}"
'';
openFirewall = true;
node_id = "hades-1";
};
}
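Review bot: Self-exclusion from the generated retry_join list now depends on the module's `ip != hostIP` test, i.e. on this host's `ip` in the hosts list being identical to `config.deployment.targetHost`; the removed inline config used the literal `192.168.0.103`, so if targetHost is set to a hostname rather than that address the node would list itself as a join target. That cannot be confirmed from this hunk; a comment such as `# peers and api_addr are derived from the hosts list and deployment.targetHost` next to `node_id = "hades-1";` would make the dependency visible to whoever edits either file. The replaced block joined exactly two peers (10.42.42.30 and 10.42.42.6), whereas the module joins every other host tagged "vault", which matches the tag additions elsewhere in this commit only as long as no further hosts carry that tag.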
@ -30,6 +30,7 @@
ip = "10.42.42.6";
mac = "16:2B:87:55:0C:0C";
profile = "vault-0";
tags = [ "vault" ];
}
{
hostname = "mosquitto";
@ -155,6 +156,7 @@
ip = "10.42.42.30";
mac = "26:69:0E:7C:B3:79";
profile = "vault-1";
tags = [ "vault" ];
}
{
hostname = "nuc";
@ -6,6 +6,7 @@
let
port = 8200;
clusterPort = 8201;
ip = config.deployment.targetHost;
in {
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
@ -15,31 +16,10 @@ in {
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [ ];
# Vault
networking.firewall.allowedTCPPorts = [ port clusterPort ];
services.vault = {
services.v.vault = {
enable = true;
# bin version includes the UI
package = pkgs.vault-bin;
address = "0.0.0.0:${toString port}";
storageBackend = "raft";
storagePath = "/var/lib/vault-raft";
storageConfig = ''
node_id = "olympus-1"
retry_join {
leader_api_addr = "http://10.42.42.30:${toString port}"
}
'';
extraConfig = ''
ui = true
disable_mlock = true
api_addr = "http://10.42.42.6:${toString port}"
cluster_addr = "http://10.42.42.6:${toString clusterPort}"
'';
openFirewall = true;
node_id = "olympus-1";
};
}
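Review bot: With the `networking.firewall.allowedTCPPorts` line and the inline `services.vault` block removed here, the `port` and `clusterPort` bindings in the `let` shown in the preceding hunk appear to have no remaining readers, unless something further down this file outside the hunk still uses them; the same applies to the olympus-2 file below, whose `let` lies outside its hunk. Either drop the dead bindings or feed them to the module as `port = 8200;` and `clusterPort = 8201;` inside `services.v.vault`, so the per-host file states the values it actually relies on rather than carrying unused copies of the module defaults.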
@ -15,31 +15,13 @@ in {
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [ ];
# Vault
networking.firewall.allowedTCPPorts = [ port clusterPort ];
services.vault = {
# Vault
services.v.vault = {
enable = true;
# bin version includes the UI
package = pkgs.vault-bin;
address = "0.0.0.0:${toString port}";
storageBackend = "raft";
storagePath = "/var/lib/vault-raft";
storageConfig = ''
node_id = "olympus-2"
retry_join {
leader_api_addr = "http://10.42.42.6:${toString port}"
}
'';
extraConfig = ''
ui = true
disable_mlock = true
api_addr = "http://10.42.42.30:${toString port}"
cluster_addr = "http://10.42.42.30:${toString clusterPort}"
'';
openFirewall = true;
node_id = "olympus-2";
};
}
@ -30,22 +30,18 @@ let
exec Hyprland
'';
in
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
./networking.nix
];
in {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./networking.nix
];
# home-manager
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.victor = import ./home;
home-manager.extraSpecialArgs = {
inherit inputs;
};
home-manager.extraSpecialArgs = { inherit inputs; };
security.pam.services.swaylock = { };
@ -58,7 +54,10 @@ in
noto-fonts-cjk
noto-fonts-emoji
dejavu_fonts
(nerdfonts.override { fonts = [ "DejaVuSansMono" "Ubuntu" "DroidSansMono" "NerdFontsSymbolsOnly" ]; })
(nerdfonts.override {
fonts =
[ "DejaVuSansMono" "Ubuntu" "DroidSansMono" "NerdFontsSymbolsOnly" ];
})
];
enableDefaultFonts = false;
@ -66,8 +65,10 @@ in
fontconfig = {
defaultFonts = {
monospace = [ "DejaVuSansMono Nerd Font" "Noto Color Emoji" ];
sansSerif = [ "DejaVu Sans" "DejaVuSansMono Nerd Font" "Noto Color Emoji" ];
serif = [ "DejaVu Serif" "DejaVuSansMono Nerd Font" "Noto Color Emoji" ];
sansSerif =
[ "DejaVu Sans" "DejaVuSansMono Nerd Font" "Noto Color Emoji" ];
serif =
[ "DejaVu Serif" "DejaVuSansMono Nerd Font" "Noto Color Emoji" ];
emoji = [ "Noto Color Emoji" ];
};
};
@ -112,16 +113,15 @@ in
LC_TIME = "en_DK.UTF-8";
};
i18n.supportedLocales = [
"en_GB.UTF-8/UTF-8"
"nl_NL.UTF-8/UTF-8"
"en_DK.UTF-8/UTF-8"
];
i18n.supportedLocales =
[ "en_GB.UTF-8/UTF-8" "nl_NL.UTF-8/UTF-8" "en_DK.UTF-8/UTF-8" ];
xdg.portal = {
enable = true;
wlr.enable = true;
enable = true;
wlr.enable = true;
};
services.udisks2.enable = true;
services.dbus.enable = true;
# Hyprland
@ -218,7 +218,8 @@ in
debug = false;
cue = true;
control = "sufficient";
authFile = "/etc/u2f-mappings"; # use `pamu2fcfg` from `pkgs.pam_u2f` to generate this config
authFile =
"/etc/u2f-mappings"; # use `pamu2fcfg` from `pkgs.pam_u2f` to generate this config
};
programs.ssh.startAgent = true;