From 6c8f89cd50c50efb7a020075302c1ee742f44b5b Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Tue, 10 Sep 2024 13:43:35 -0500
Subject: [PATCH] add hashicorp vault
---
 .envrc | 1 +
 nixos/home/jahanson/workstation.nix | 1 +
 nixos/hosts/telchar/default.nix | 10 ++++++++
 nixos/modules/nixos/services/default.nix | 1 +
 .../modules/nixos/services/vault/default.nix | 25 +++++++++++++++++++
 5 files changed, 38 insertions(+)
 create mode 100644 nixos/modules/nixos/services/vault/default.nix
diff --git a/.envrc b/.envrc
index 51f921a..4be98d3 100644
--- a/.envrc
+++ b/.envrc
@@ -1,2 +1,3 @@
 use nix
 export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)"
+export VAULT_ADDR="http://10.1.1.61:8200"
diff --git a/nixos/home/jahanson/workstation.nix b/nixos/home/jahanson/workstation.nix
index d8b67b4..1de44ff 100644
--- a/nixos/home/jahanson/workstation.nix
+++ b/nixos/home/jahanson/workstation.nix
@@ -52,6 +52,7 @@ with config;
 unstable.talosctl
 unstable.telegram-desktop
 unstable.tidal-hifi
+ unstable.vault
 vlc
 
 # cli
diff --git a/nixos/hosts/telchar/default.nix b/nixos/hosts/telchar/default.nix
index 970ea82..ab204de 100644
--- a/nixos/hosts/telchar/default.nix
+++ b/nixos/hosts/telchar/default.nix
@@ -47,11 +47,21 @@
 # System settings and services.
 mySystem = {
 purpose = "Development";
+
+ # System config
 system = {
 motd.networkInterfaces = [ "wlp1s0" ];
 fingerprint-reader-on-laptop-lid.enable = true;
 borg.pika-backup.enable = true;
 };
+
+ # Services config
+ services = {
+ vault = {
+ enable = true;
+ };
+ };
+
 security._1password.enable = true;
 framework_wifi_swap.enable = true;
 };
diff --git a/nixos/modules/nixos/services/default.nix b/nixos/modules/nixos/services/default.nix
index 2557439..0927e6d 100644
--- a/nixos/modules/nixos/services/default.nix
+++ b/nixos/modules/nixos/services/default.nix
@@ -15,5 +15,6 @@
 ./reboot-required-check.nix
 ./restic
 ./sanoid
+ ./vault
 ];
 }
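Review bot: The added `export VAULT_ADDR="http://10.1.1.61:8200"` in the .envrc hunk points every vault CLI call at a plain-HTTP endpoint on the LAN, so the Vault token and any secrets read or written cross the network in cleartext; once the server listener has a certificate this should become `export VAULT_ADDR="https://10.1.1.61:8200"`. It also assumes the server listens on 10.1.1.61, whereas the new module's `address` option defaults to `127.0.0.1:8200` and the telchar hunk only sets `enable = true;`, so if telchar is the intended host the client will not reach it — hedged, since the host-to-IP mapping is not visible here. A one-line comment above the export naming the host the address belongs to, e.g. `# Vault server on the LAN; switch to https:// once the listener has TLS`, would make that dependency explicit.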
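Review bot: The `services = { vault = { enable = true; }; };` block added under `mySystem` in the telchar hunk sets `mySystem.services.vault.enable`, but the module introduced in the nixos/modules/nixos/services/vault/default.nix hunk declares its options as `options.vault` and reads `config.mySystem.vault`, so the three paths never meet and evaluation should fail with an undefined-option error (or, if `mySystem.services` happened to be freeform, silently leave Vault disabled). The fix belongs in the module rather than here: `options.mySystem.services.vault = {` and `cfg = config.mySystem.services.vault;`, after which this host configuration is correct as written. The `# Services config` comment could also name the module path it targets, e.g. `# Services config (see modules/nixos/services)`, so the next reader can find the option declaration.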
diff --git a/nixos/modules/nixos/services/vault/default.nix b/nixos/modules/nixos/services/vault/default.nix
new file mode 100644
index 0000000..199e988
--- /dev/null
+++ b/nixos/modules/nixos/services/vault/default.nix
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.mySystem.vault;
+in
+{
+ options.vault = {
+ enable = lib.mkEnableOption "vault";
+ address = lib.mkOption {
+ type = lib.types.str;
+ default = "127.0.0.1:8200";
+ description = "Address of the Vault server";
+ example = "127.0.0.1:8200";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.vault = {
+ enable = true;
+ package = pkgs.unstable.vault;
+ address = cfg.address;
+ dev = false;
+ storage = "raft";
+ };
+ };
+}
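Review bot: `storage = "raft";` is not an option the NixOS `services.vault` module exposes — the backend is selected with `storageBackend` — so as written the new file should fail to evaluate with an unknown-option error; the line should read `storageBackend = "raft";`. Separately, `tlsCertFile`/`tlsKeyFile` are left unset, and to my recollection the NixOS module then generates the TCP listener with TLS disabled, so the moment `address` is raised from the `127.0.0.1:8200` default to a LAN interface every token and secret crosses the network unencrypted; wiring the listener to a certificate (the repo already manages secrets with sops, per the .envrc hunk) before exposing it is the safer order. A header comment stating that contract, e.g. `# Listener is plaintext until tlsCertFile/tlsKeyFile are set; keep address on loopback until then`, would keep a later host override from exposing it by accident. The `example` for `address` repeats the default and could show a non-loopback value instead to illustrate the override.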