feat(machines/storage01): init openbao

Signed-off-by: Elias Coppens <elias@dgnum.eu>
2025-03-09 00:40:36 +01:00 · 2025-03-09 00:40:36 +01:00 · adbbc98d9e
commit adbbc98d9e
parent 5e5dd5202d
3 changed files with 35 additions and 0 deletions
--- a/machines/nixos/storage01/_configuration.nix
+++ b/machines/nixos/storage01/_configuration.nix
@ -23,6 +23,7 @@ lib.extra.mkConfig {
    "peertube"
    "prometheus"
    "redirections"
+    "vault"
    "victorialogs"
    "victoriametrics"
  ];
--- a/machines/nixos/storage01/vault.nix
+++ b/machines/nixos/storage01/vault.nix
@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2025 Elias Coppens <elias.coppens@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+let
+  host = "vault.dgnum.eu";
+  port = 3100;
+  clusterPort = 3101;
+in
+{
+  services.openbao = {
+    enable = true;
+
+    settings = {
+      listener = {
+        tcp.address = "127.0.0.1:${builtins.toString port}";
+        cluster_address = "0.0.0.0:${toString clusterPort}";
+      };
+
+      storage.raft = {
+        path = "/var/lib/raft";
+        node_id = "raft_storage01";
+      };
+
+      cluster_addr = "http://${host}:${toString clusterPort}";
+      api_addr = "https://${host}";
+    };
+  };
+
+  dgn-web.simpleProxies.openbao = {
+    inherit host port;
+  };
+}
--- a/meta/dns.nix
+++ b/meta/dns.nix
@ -110,6 +110,7 @@ let
          "victoria-metrics" # Victoria Metrics
          "videos" # Peertube
          "pub"
+          "vault" # OpenBAO

          # Garage S3
          "*.cdn"