infra/services/vault/default.nix
Raito Bezarius 436882c3eb fix(services/vault): proxy pass to the local vault server web port
Oopsie, forgot that commit.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 16:51:11 +01:00

72 lines
1.8 KiB
Nix

{ config, lib, ... }:
let
cfg = config.bagel.services.vault;
inherit (lib) mkEnableOption mkOption mkIf concatStringsSep types;
mkPeerNode = fqdn: ''
retry_join {
leader_api_addr = "https://${fqdn}"
leader_tls_servername = "${fqdn}"
}
'';
wanAddress = if config.bagel.infra.self.wan.family == "inet6" then "[${config.bagel.infra.self.wan.address}]" else "${config.bagel.infra.self.wan.address}";
in
{
options.bagel.services.vault = {
enable = mkEnableOption "the OpenBao (Vault fork) service";
domain = mkOption {
type = types.str;
default = config.networking.fqdn;
defaultText = "config.networking.fqdn";
example = "vault.infra.forkos.org";
};
peers = mkOption {
type = types.listOf types.str;
default = [ ];
description = "List of FQDN that are peers of this service";
};
};
imports = [
./module.nix
];
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [
# NGINX HTTP API access
80
443
# mTLS backed cluster port
8201
];
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts."${cfg.domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8200";
};
};
};
services.openbao = {
enable = true;
storageBackend = "raft";
listenerExtraConfig = ''
cluster_address = "${wanAddress}:8201"
'';
storageConfig = ''
node_id = "${config.networking.fqdn}"
# Other nodes of the cluster.
${concatStringsSep "\n" (map mkPeerNode cfg.peers)}
'';
extraConfig = ''
cluster_addr = "http://${config.networking.fqdn}:8201"
api_addr = "https://${config.networking.fqdn}"
'';
};
};
}