K3s did not work, add vault

2022-05-20 23:57:58 +02:00 · 2022-05-20 23:57:58 +02:00 · 3caf4d3f10
parent e0a07970d6
commit 3caf4d3f10
4 changed files with 46 additions and 5 deletions
--- a/nixos/flake.nix
+++ b/nixos/flake.nix
@ -70,13 +70,21 @@
          };
        };

-        k3s = {
-          imports = [ ./machines/k3s ];
+        vault = {
+          imports = [ ./machines/vault ];
          deployment = {
-            targetHost = "k3s.lxd";
-            tags = [ "k3s" ];
+            targetHost = "vault.lxd";
+            tags = [ "website" "system" ];
          };
        };
+
+        # k3s = {
+        #   imports = [ ./machines/k3s ];
+        #   deployment = {
+        #     targetHost = "k3s.lxd";
+        #     tags = [ "k3s" ];
+        #   };
+        # };
      };

      devShells.x86_64-linux.default = pkgs.mkShell {
--- a/nixos/machines/nginx/default.nix
+++ b/nixos/machines/nginx/default.nix
@ -26,6 +26,15 @@
        proxyWebsockets = true;
      };
    };
+    virtualHosts."vault.asraphiel.dev" = {
+      forceSSL = true;
+      enableACME = true;
+      http2 = true;
+      locations."/" = {
+        proxyPass = "http://vault.lxd:8200/";
+        proxyWebsockets = true;
+      };
+    };
  };
  security.acme.email = "acme@voidcorp.nl";
  security.acme.acceptTerms = true;
--- a/nixos/machines/postgres/default.nix
+++ b/nixos/machines/postgres/default.nix
@ -17,12 +17,17 @@
      host all all 10.0.0.0/8 trust
      host all all fd42:14c:5baf:51ec:216:3eff:fe6e:32a7/96 trust
    '';
-    ensureDatabases = [ "gitea" ];
+    ensureDatabases = [ "gitea" "vault" ];
    ensureUsers = [
      {
        name = "gitea";
        ensurePermissions = { "DATABASE \"gitea\"" = "ALL PRIVILEGES"; };
      }
+
+      {
+        name = "vault";
+        ensurePermissions = { "DATABASE \"vault\"" = "ALL PRIVILEGES"; };
+      }
    ];

    enableTCPIP = true;
--- a/nixos/machines/vault/default.nix
+++ b/nixos/machines/vault/default.nix
@ -0,0 +1,19 @@
+{ config, pkgs, ... }: {
+  imports = [ ../../common ../../common/lxc.nix ];
+  networking.hostName = "vault";
+  system.stateVersion = "21.11";
+  networking.firewall.enable = true;
+  networking.firewall.allowedTCPPorts = [ 8200 ];
+  services.vault = {
+    enable = true;
+    address = "0.0.0.0:8200";
+    storageBackend = "postgresql";
+    storageConfig = ''
+      connection_url = "postgres://vault:x@postgres.lxd:5432/vault?sslmode=disable"
+    '';
+    extraConfig = ''
+      ui = true
+      disable_mlock = true
+    '';
+  };
+}