Raito Bezarius
436882c3eb
Oopsie, forgot that commit. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
72 lines
1.8 KiB
Nix
72 lines
1.8 KiB
Nix
{ config, lib, ... }:
|
|
let
|
|
cfg = config.bagel.services.vault;
|
|
inherit (lib) mkEnableOption mkOption mkIf concatStringsSep types;
|
|
mkPeerNode = fqdn: ''
|
|
retry_join {
|
|
leader_api_addr = "https://${fqdn}"
|
|
leader_tls_servername = "${fqdn}"
|
|
}
|
|
'';
|
|
wanAddress = if config.bagel.infra.self.wan.family == "inet6" then "[${config.bagel.infra.self.wan.address}]" else "${config.bagel.infra.self.wan.address}";
|
|
in
|
|
{
|
|
options.bagel.services.vault = {
|
|
enable = mkEnableOption "the OpenBao (Vault fork) service";
|
|
domain = mkOption {
|
|
type = types.str;
|
|
default = config.networking.fqdn;
|
|
defaultText = "config.networking.fqdn";
|
|
example = "vault.infra.forkos.org";
|
|
};
|
|
peers = mkOption {
|
|
type = types.listOf types.str;
|
|
default = [ ];
|
|
description = "List of FQDN that are peers of this service";
|
|
};
|
|
};
|
|
|
|
imports = [
|
|
./module.nix
|
|
];
|
|
|
|
config = mkIf cfg.enable {
|
|
networking.firewall.allowedTCPPorts = [
|
|
# NGINX HTTP API access
|
|
80
|
|
443
|
|
# mTLS backed cluster port
|
|
8201
|
|
];
|
|
services.nginx = {
|
|
enable = true;
|
|
recommendedProxySettings = true;
|
|
virtualHosts."${cfg.domain}" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:8200";
|
|
};
|
|
};
|
|
};
|
|
|
|
services.openbao = {
|
|
enable = true;
|
|
storageBackend = "raft";
|
|
listenerExtraConfig = ''
|
|
cluster_address = "${wanAddress}:8201"
|
|
'';
|
|
storageConfig = ''
|
|
node_id = "${config.networking.fqdn}"
|
|
|
|
# Other nodes of the cluster.
|
|
${concatStringsSep "\n" (map mkPeerNode cfg.peers)}
|
|
'';
|
|
extraConfig = ''
|
|
cluster_addr = "http://${config.networking.fqdn}:8201"
|
|
api_addr = "https://${config.networking.fqdn}"
|
|
'';
|
|
};
|
|
};
|
|
}
|