move vault to host

2024-07-21 20:40:28 +01:00 · 2024-07-21 20:40:28 +01:00 · 4794ef08b8
parent 7aecdd08e9
commit 4794ef08b8
8 changed files with 45 additions and 133 deletions
--- a/hosts/hetzner-arm/containers/vault/default.nix
+++ b/hosts/hetzner-arm/containers/vault/default.nix
@ -1,55 +0,0 @@
-{
-  self,
-  hostPath,
-  tree,
-  inputs,
-  config,
-  pkgs,
-  ...
-}: let
-  containerAddresses = import "${hostPath}/data/containerAddresses.nix";
-  hostIP = containerAddresses.host;
-  containerIP = containerAddresses.containers.vault;
-in {
-  containers.vault = {
-    autoStart = true;
-    privateNetwork = true;
-    hostAddress = hostIP;
-    localAddress = containerIP;
-    additionalCapabilities = ["CAP_IPC_LOCK"];
-
-    specialArgs = {
-      inherit inputs;
-      inherit tree;
-      inherit self;
-      inherit hostPath;
-    };
-
-    config = {...}: {
-      nixpkgs.pkgs = pkgs;
-
-      imports = with tree;
-        [
-          presets.nixos.containerBase
-          ./secrets.nix
-        ]
-        ++ (with hosts.hetzner-arm.containers.vault.profiles; [
-          vault
-          restic
-        ]);
-
-      networking.firewall.allowedTCPPorts = [8200 8443];
-
-      home-manager.users.root.home.stateVersion = "24.05";
-      system.stateVersion = "24.05";
-    };
-  };
-
-  services.nginx.virtualHosts."vault.owo.monster" = {
-    forceSSL = true;
-    enableACME = true;
-    locations = {
-      "/".proxyPass = "http://${containerIP}:8200";
-    };
-  };
-}
--- a/hosts/hetzner-arm/containers/vault/profiles/restic.nix
+++ b/hosts/hetzner-arm/containers/vault/profiles/restic.nix
@ -1,21 +0,0 @@
-{
-  self,
-  config,
-  ...
-}: let
-  backupSchedules = import "${self}/data/backupSchedules.nix";
-  inherit (config.services.secrets) secrets;
-in {
-  services.restic.backups.vault = {
-    user = "root";
-    paths = [
-      "/var/lib/vault"
-    ];
-    timerConfig = backupSchedules.restic.high;
-
-    repository = "s3:s3.eu-central-003.backblazeb2.com/Chaos-Backups/Restic/Vault";
-    passwordFile = "${secrets.restic_password.path}";
-    environmentFile = "${secrets.restic_env.path}";
-    createWrapper = true;
-  };
-}
--- a/hosts/hetzner-arm/containers/vault/profiles/vault.nix
+++ b/hosts/hetzner-arm/containers/vault/profiles/vault.nix
@ -1,12 +0,0 @@
-{pkgs, ...}: {
-  environment.systemPackages = with pkgs; [vault];
-  services.vault = {
-    enable = true;
-    package = pkgs.vault-bin;
-    address = "0.0.0.0:8200";
-    storageBackend = "file";
-    extraConfig = ''
-      ui = true
-    '';
-  };
-}
--- a/hosts/hetzner-arm/containers/vault/secrets.nix
+++ b/hosts/hetzner-arm/containers/vault/secrets.nix
@ -1,40 +0,0 @@
-{pkgs, ...}: {
-  services.secrets = {
-    enable = true;
-
-    packages = with pkgs; [
-      apacheHttpd
-    ];
-
-    vaultLogin = {
-      enable = true;
-      loginUsername = "hetzner-arm-container-vault";
-    };
-
-    requiredVaultPaths = [
-      "private-public-keys/data/restic/Vault"
-
-      "api-keys/data/backblaze/Chaos-Backups"
-    ];
-
-    secrets = {
-      vault_password = {
-        manual = true;
-      };
-
-      restic_password = {
-        fetchScript = ''
-          simple_get "/private-public-keys/restic/Vault" .password > "$secretFile"
-        '';
-      };
-      restic_env = {
-        fetchScript = ''
-          cat << EOF > "$secretFile"
-          AWS_ACCESS_KEY_ID=$(simple_get "/api-keys/backblaze/Chaos-Backups" .keyID)
-          AWS_SECRET_ACCESS_KEY=$(simple_get "/api-keys/backblaze/Chaos-Backups" .applicationKey)
-          EOF
-        '';
-      };
-    };
-  };
-}
--- a/hosts/hetzner-arm/profiles/gotosocial.nix
+++ b/hosts/hetzner-arm/profiles/gotosocial.nix
@ -1,8 +1,4 @@
-{
-  hostPath,
-  config,
-  ...
-}: let
+{config, ...}: let
  inherit (config.services.secrets) secrets;
 in {
  services.gotosocial = {
--- a/hosts/hetzner-arm/profiles/restic.nix
+++ b/hosts/hetzner-arm/profiles/restic.nix
@ -97,5 +97,18 @@ in {
      pruneOpts = ["--keep-last 50"];
      timerConfig = backupSchedules.restic.high;
    };
+    vault = {
+      user = "root";
+      paths = [
+        "/var/lib/vault"
+      ];
+
+      repository = "${repoRoot}/Vault";
+      environmentFile = secrets.restic_backups_env.path;
+      passwordFile = secrets.restic_password_vault.path;
+      createWrapper = true;
+
+      timerConfig = backupSchedules.restic.high;
+    };
  };
 }
--- a/hosts/hetzner-arm/profiles/vault.nix
+++ b/hosts/hetzner-arm/profiles/vault.nix
@ -0,0 +1,23 @@
+{pkgs, ...}: {
+  environment.systemPackages = with pkgs; [
+    vault
+  ];
+
+  services.vault = {
+    enable = true;
+    package = pkgs.vault-bin;
+    address = "127.0.0.1:8200";
+    storageBackend = "file";
+    extraConfig = ''
+      ui = true
+    '';
+  };
+
+  services.nginx.virtualHosts."vault.owo.monster" = {
+    forceSSL = true;
+    enableACME = true;
+    locations = {
+      "/".proxyPass = "http://127.0.0.1:8200";
+    };
+  };
+}
--- a/hosts/hetzner-arm/secrets.nix
+++ b/hosts/hetzner-arm/secrets.nix
@ -27,6 +27,8 @@

      "api-keys/data/radicale"
      "private-public-keys/data/restic/Radicale"
+
+      "private-public-keys/data/restic/Vault"
    ];

    secrets = {
@ -132,6 +134,12 @@
          simple_get "/private-public-keys/restic/Radicale" .password > "$secretFile"
        '';
      };
+
+      restic_password_vault = {
+        fetchScript = ''
+          simple_get "/private-public-keys/restic/Vault" .password > "$secretFile"
+        '';
+      };
    };
  };
 }