add hashicorp vault

machines/Home-Hypervisor/default.nix

@@ -31,6 +31,7 @@ in {
     customProfiles.radicale
     customProfiles.spdf
     customProfiles.tinyproxy
+    customProfiles.vault
     customProfiles.vaultwarden
     customProfiles.vscode-server
     customProfiles.webhooks
@@ -146,6 +147,8 @@ in {
     127.0.0.1 code.ataraxiadev.com
     127.0.0.1 cache.ataraxiadev.com
     127.0.0.1 s3.ataraxiadev.com
+    127.0.0.1 wg.ataraxiadev.com
+    127.0.0.1 vault.ataraxiadev.com
   '';
 
   nix.optimise.automatic = false;

machines/Home-Hypervisor/dns-mapping.nix

@@ -28,6 +28,7 @@
     { name = "stats.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
     { name = "tools.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
     { name = "turn.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
+    { name = "vault.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
     { name = "vw.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
     { name = "wiki.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
 
@@ -59,6 +60,7 @@
     { name = "stats.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
     { name = "tools.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
     { name = "turn.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
+    { name = "vault.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
     { name = "vw.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
     { name = "wiki.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
   ];
@@ -92,6 +94,7 @@
     "/s3.ataraxiadev.com/192.168.0.10"
     "/sonarr.ataraxiadev.com/192.168.0.10"
     "/tools.ataraxiadev.com/192.168.0.10"
+    "/vault.ataraxiadev.com/192.168.0.10"
     "/vw.ataraxiadev.com/192.168.0.10"
     "/wiki.ataraxiadev.com/192.168.0.10"
   ];

profiles/servers/nginx.nix

@@ -88,6 +88,7 @@ in {
         "sonarr.ataraxiadev.com"
         # "startpage.ataraxiadev.com"
         "tools.ataraxiadev.com"
+        "vault.ataraxiadev.com"
         "vw.ataraxiadev.com"
         "wg.ataraxiadev.com"
         "wiki.ataraxiadev.com"
@@ -297,6 +298,12 @@ in {
       "tools.ataraxiadev.com" = default // authentik {
         proxyPass = "http://127.0.0.1:8070";
       };
+      "vault.ataraxiadev.com" = {
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8200";
+          extraConfig = proxySettings;
+        };
+      } // default;
       "vw.ataraxiadev.com" = {
         locations."/" = {
           proxyPass = "http://127.0.0.1:8812";

profiles/servers/vault.nix

@@ -0,0 +1,41 @@
+{ config, pkgs, inputs, ... }:
+let
+  api-addr = "http://127.0.0.1:8200";
+in {
+  environment.systemPackages = [ config.services.vault.package ];
+  services.vault = {
+    enable = true;
+    package = pkgs.vault-bin;
+    address = "127.0.0.1:8200";
+    storageBackend = "raft";
+    storageConfig = ''
+      node_id = "main_node"
+    '';
+    extraConfig = ''
+      disable_cache = true
+      api_addr = "${api-addr}"
+      cluster_addr = "https://127.0.0.1:8201"
+      ui = true
+    '';
+  };
+
+  sops.secrets.vault-key1.sopsFile = inputs.self.secretsDir + /home-hypervisor/vault.yaml;
+  sops.secrets.vault-key2.sopsFile = inputs.self.secretsDir + /home-hypervisor/vault.yaml;
+  sops.secrets.vault-key3.sopsFile = inputs.self.secretsDir + /home-hypervisor/vault.yaml;
+  systemd.services.vault-unseal = {
+    partOf = [ "vault.service" ];
+    after = [ "vault.service" ];
+    path = [ pkgs.curl ];
+    script = ''
+      KEY1=$(head -n1 ${config.sops.secrets.vault-key1.path})
+      KEY2=$(head -n1 ${config.sops.secrets.vault-key2.path})
+      KEY3=$(head -n1 ${config.sops.secrets.vault-key3.path})
+      curl -H "Content-Type: application/json" --data "{\"key\":\"$KEY1\"}" ${api-addr}/v1/sys/unseal >/dev/null 2>&1
+      curl -H "Content-Type: application/json" --data "{\"key\":\"$KEY2\"}" ${api-addr}/v1/sys/unseal >/dev/null 2>&1
+      curl -H "Content-Type: application/json" --data "{\"key\":\"$KEY3\"}" ${api-addr}/v1/sys/unseal >/dev/null 2>&1
+    '';
+    serviceConfig.Type = "oneshot";
+  };
+
+  persist.state.directories = [ config.services.vault.storagePath ];
+}

secrets/home-hypervisor/vault.yaml

@@ -0,0 +1,52 @@
+vault-root-token: ENC[AES256_GCM,data:xJa+HRfScyRw+mSWbJcNjxYKkF46CUUzDn+UCw==,iv:JRZMKgJlPFhINy+BXaFemM9Reju6zi/Ca4r7LXRfqR8=,tag:5pQ1YuJW2qc5K1ShK8zoIw==,type:str]
+vault-key1: ENC[AES256_GCM,data:aKTeYtHrDY2cIq6YvD7+d6hpRsGEt1EeBYql/vISESdFmoHwXfgBo8WrD94=,iv:Cw3UbYee9P1mXWUThZuxjB2+ZukBBA0hrUH+3ZwhQr4=,tag:SkDegygx5EGoVDtwpyTpkg==,type:str]
+vault-key2: ENC[AES256_GCM,data:aYXhjVBfDKKXGHxtxhX2N8rgPJcImhdPun9a905abeJ6YwnX8jHUZ5mo7d4=,iv:vtrtk2AM7cXDId0W3vRKiVR1evMkqh7ui0svOUtlAoo=,tag:GbpEXXX35JTUpdBFb6bPrg==,type:str]
+vault-key3: ENC[AES256_GCM,data:iwWfxfjP+A6XQzzEHCel8NoTKMEAysDXeDeTouQ4qvZMzizUkN+Vhtf9DkM=,iv:yGs2h6GzQBzSAdFzGJTMCtHpYltsHtpox8kgrjo4r2s=,tag:m/mJrFhWKclVp20oPlNnOg==,type:str]
+vault-key4: ENC[AES256_GCM,data:ONdi4oTOaxzcjcgJFhF05CHKMF4U1vBfYbdinB8yjc+7DDpllj/qKVhl9+c=,iv:xHG3kgLzsQvfWsU/Wk+G+ktm/6HamyLcBztPlCHVH7o=,tag:hx9giqs2/VYFNXZLEGjMnA==,type:str]
+vault-key5: ENC[AES256_GCM,data:sKABkAuvMhfsWSJNMvA5A0Up3z9vTf+uu9Aa4U+wftNYwWU9cHAr5N5WQLE=,iv:jQXhCLNrKhy369YSp9SaCOULB077tGLxBBJZ4917+nA=,tag:VW68/IwNZzE5+WmLVdXoPw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-01-25T12:12:55Z"
+    mac: ENC[AES256_GCM,data:TcXRBSKkI4BfXPEdRsxD/4bMT5ZF4miDclcXfhbqeikrmcbv3Lc8Zi/HVXro2hFIa91AvHoTb66KaIeVLLPsKOLmrOSRlyNNZafAKy9/STYftFQIsSUuT9LJDRvcuOyNAj2Knz0zCwPoD21tQro3n5CEvFreivNtXwYtX0wgLMo=,iv:/V3Dm3wAKB3GeqK/1hJJQ+L7d0FCoocY1Dgvz+y0mWY=,tag:YUZXSpewamAwiLViBI6lug==,type:str]
+    pgp:
+        - created_at: "2024-01-25T12:11:53Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMAwcagTG/Fm6AAQf/Wma1t/7viv8+ghjH9TE3YUcZXHtJaan4T0gHXvkCEGT4
+            HEIyNnxGNXjMbSfVyQvBeXuHF1DamYZgocOqPa5QegdcI9eQb9ynLYU3anDlcJDn
+            Edw5b3u0LL+L8f78p1ydV0lJA0jxLP7rgv05rkmTjWfheajuFFotXY4+GfxnDX25
+            WGJBnSZSIBUriNcSN27m/w3lJarkcc1f6xlIigd6rfhLLVunXaI3UxXzuiKGKt/e
+            gioUN1R8TENiw7kXAyS4vUp2+WA1qkslZHpwoeOOtMqpL0QBwsVapY/gBvzyTIcl
+            buooeN41eL+sEU7Lq80MTrKSLTDKdt1Y7eDIHh+Y69JYAVXd+G6EgCsgVbDwqw+n
+            G+1xXbCzpRCAR9J5BOJEK3oIykGfs4pCVVQiYi38XF//6KkmE7oi6EQDDmDFMsl6
+            Va8+aG3HscTU17rK1PD5yjBLLmtb2kOn4g==
+            =2uEF
+            -----END PGP MESSAGE-----
+          fp: ad382d058c964607b7bbf01b071a8131bf166e80
+        - created_at: "2024-01-25T12:11:53Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA187ia82lSDGAQ/+NmiXHMKjuN3rVLKhttuYUo55voVcR/HyPDlwuV4NQjms
+            91axlTq67cOKdlR31prwpthEF2OqpDlO2vIXK+040Vz0qISDcB+LSolsixj2RWml
+            v+3liQIFcbDkIrCulMPcnYmLAo09yI2648w98LEJwuX8n8OsnLPdKcgw0emj97CX
+            FDydoFCz+ETLBaLAyeYJfFV/uDsj96rt4ZRhdCqWfNTs+ivEDdBHIUjKH6/5+Xjw
+            9GtBw7oZN/pB1iSBrKDCbiDOcLBXgSh4gGoL+p8g3qPGDTN2M8GDicvV5SAgK9UH
+            1OZphbSxVVh5GGcuFQWnfFVW80p+dYwQLYhwo9euDEUtKaYy6M9JswjV4P625hcQ
+            umg9vZ/z0amN2NLV4YVq0LiPor0vk2PhPiTiSR3YcgqdYJONaFrE8LzGTkbSRPvE
+            mWbFNfGQcZ6Xk6BHK3P0EEpp8hiO/fmL9+8CaA5t9Jr+8q1xl/nMcjNpmB0boZZn
+            i9/If9WT+HgrrGR1EhKZUs4VckqvCNTticIBt1M9cmQ9grjEw4MMAfcgLoZhDewe
+            5LY3rMhzSeuVs+ZdyCio53DICxMwdLLn+24iESneWKDYCCkrlQUwsF3XTjpdtabI
+            cDufLlFeV6enm7Q/VNIr7iQTeWLcvvhwMehO+hdDCtRYoDH55QywWT9yscKShwbS
+            WAG+2G8B4LDHtD/SdLR5oQkZDc0IXFR3y1f9SHAddUcp2UFS6WanSbEc1Y+s6Ohu
+            Ki8t+C8UsKByaDLlglUv2MUjRSF1Gl5u1T7zCufJl27gbRKbEFYJcF4=
+            =dsp4
+            -----END PGP MESSAGE-----
+          fp: a32018133c7afbfd05d5b2795f3b89af369520c6
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1