From 3e14576e949b8bcb41893fad8d87b706a9be625c Mon Sep 17 00:00:00 2001
From: Elias Coppens
Date: Sun, 9 Mar 2025 00:40:36 +0100
Subject: [PATCH] feat(machines/storage01): init openbao
Signed-off-by: Elias Coppens
---
machines/nixos/storage01/vault.nix | 45 ++++++++++++++++++++++++++++++
meta/dns.nix | 1 +
2 files changed, 46 insertions(+)
create mode 100644 machines/nixos/storage01/vault.nix
diff --git a/machines/nixos/storage01/vault.nix b/machines/nixos/storage01/vault.nix
new file mode 100644
index 0000000..f0e740d
--- /dev/null
+++ b/machines/nixos/storage01/vault.nix
@@ -0,0 +1,45 @@
+# SPDX-FileCopyrightText: 2025 Elias Coppens
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+_:
+let
+ domain = "vault.dgnum.eu";
+ port = 3100;
+ clusterPort = 3101;
+in
+{
+ config = {
+ services.openbao = {
+ enable = true;
+ address = "127.0.0.1:${toString port}";
+ storageBackend = "raft";
+
+ listenerExtraConfig = ''
+ cluster_address = "0.0.0.0:${toString clusterPort}"
+ '';
+
+ storageConfig = ''
+ path = "/var/lib/raft"
+ node_id = "raft_storage01"
+ '';
+
+ extraConfig = ''
+ cluster_addr = "http://${domain}:${toString clusterPort}"
+ api_addr = "https://${domain}"
+ '';
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ virtualHosts.${domain} = {
+ enableACME = true;
+ forceSSL = true;
+ location."/" = {
+ proxyPass = "http://127.0.0.1:${toString port}";
+ };
+ };
+ };
+ };
+}
diff --git a/meta/dns.nix b/meta/dns.nix
index 3161e18..46c5796 100644
--- a/meta/dns.nix
+++ b/meta/dns.nix
@@ -105,6 +105,7 @@ let "victoria-metrics" # Victoria Metrics "videos" # Peertube "pub" + "vault" # OpenBAO # Garage S3 "*.cdn"
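Review bot: The cluster listener in `listenerExtraConfig` of vault.nix binds to `0.0.0.0:3101` while the API listener stays on loopback behind nginx, so the raft/cluster port is reachable on every interface of storage01 unless a firewall rule outside this diff closes it. With a single node (`node_id = "raft_storage01"`, no join configuration visible) nothing needs to reach that port yet; I would bind it narrowly, e.g. `cluster_address = "127.0.0.1:${toString clusterPort}"`, or to the internal interface that future peers will use. `cluster_addr` is advertised with an `http://` scheme, whereas upstream examples use `https://` there, so it is worth checking against the OpenBao documentation. Separately, the nginx vhost uses `location."/"`, but the NixOS option is `locations`, so as written the proxy block would presumably fail evaluation; it should read `locations."/" = {`. `path = "/var/lib/raft"` also deserves a comment on who owns that directory and with which mode, since it holds the secret store.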