add hashicorp vault

.envrc

@@ -1,2 +1,3 @@
 use nix
 export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)"
+export VAULT_ADDR="http://10.1.1.61:8200"

nixos/home/jahanson/workstation.nix

@@ -52,6 +52,7 @@ with config;
         unstable.talosctl
         unstable.telegram-desktop
         unstable.tidal-hifi
+        unstable.vault
         vlc
 
         # cli

nixos/hosts/telchar/default.nix

@@ -47,11 +47,21 @@
   # System settings and services.
   mySystem = {
     purpose = "Development";
+
+    # System config
     system = {
       motd.networkInterfaces = [ "wlp1s0" ];
       fingerprint-reader-on-laptop-lid.enable = true;
       borg.pika-backup.enable = true;
     };
+
+    # Services config
+    services = {
+      vault = {
+        enable = true;
+      };
+    };
+
     security._1password.enable = true;
     framework_wifi_swap.enable = true;
   };

nixos/modules/nixos/services/default.nix

@@ -15,5 +15,6 @@
     ./reboot-required-check.nix
     ./restic
     ./sanoid
+    ./vault
   ];
 }

nixos/modules/nixos/services/vault/default.nix

@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.mySystem.vault;
+in
+{
+  options.vault = {
+    enable = lib.mkEnableOption "vault";
+    address = lib.mkOption {
+      type = lib.types.str;
+      default = "127.0.0.1:8200";
+      description = "Address of the Vault server";
+      example = "127.0.0.1:8200";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.vault = {
+      enable = true;
+      package = pkgs.unstable.vault;
+      address = cfg.address;
+      dev = false;
+      storage = "raft";
+    };
+  };
+}