added vault server module mvp

.envrc

@@ -1,2 +1,3 @@
 use nix
 export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)"
+export VAULT_ADDR="http://10.1.1.61:8200"

.gitignore

@@ -7,3 +7,5 @@ result*
 .github
 .profile
 .idea
+.secrets
+.op

flake.lock

@@ -264,15 +264,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1725897020,
+        "lastModified": 1726074731,
-        "narHash": "sha256-0mJ37QZpUz44d0uolv9XQKDHwxUwqslz5ZSgwbdxmlo=",
+        "narHash": "sha256-FsJQbSW9MGndQr7xz49SHjculvRaJGeqBSOgQjHguBc=",
-        "owner": "brumhard",
+        "owner": "ajgon",
         "repo": "krewfile",
-        "rev": "e7773854b19a4288df5502946ccec79c4af57adf",
+        "rev": "05183df6874c2ce479987872083017d7c1ddb546",
         "type": "github"
       },
       "original": {
-        "owner": "brumhard",
+        "owner": "ajgon",
+        "ref": "feat/indexes",
         "repo": "krewfile",
         "type": "github"
       }
@@ -437,11 +438,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1725407940,
+        "lastModified": 1725826545,
-        "narHash": "sha256-tiN5Rlg/jiY0tyky+soJZoRzLKbPyIdlQ77xVgREDNM=",
+        "narHash": "sha256-L64N1rpLlXdc94H+F6scnrbuEu+utC03cDDVvvJGOME=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "6f6c45b5134a8ee2e465164811e451dcb5ad86e3",
+        "rev": "f4c846aee8e1e29062aa8514d5e0ab270f4ec2f9",
         "type": "github"
       },
       "original": {
@@ -529,11 +530,11 @@
     },
     "nixpkgs-unstable_2": {
       "locked": {
-        "lastModified": 1725432240,
+        "lastModified": 1725634671,
-        "narHash": "sha256-+yj+xgsfZaErbfYM3T+QvEE2hU7UuE+Jf0fJCJ8uPS0=",
+        "narHash": "sha256-v3rIhsJBOMLR8e/RNWxr828tB+WywYIoajrZKFM+0Gg=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "ad416d066ca1222956472ab7d0555a6946746a80",
+        "rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c",
         "type": "github"
       },
       "original": {

flake.nix

@@ -88,7 +88,8 @@
 
     # krewfile - Declarative krew plugin management
     krewfile = {
-      url = "github:brumhard/krewfile";
+      # url = "github:brumhard/krewfile";
+      url = "github:ajgon/krewfile?ref=feat/indexes";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 

nixos/home/jahanson/global.nix

@@ -3,7 +3,6 @@ with config;
 {
   imports = [
     ../modules
-    inputs.krewfile.homeManagerModules.krewfile
   ];
 
   config = {
@@ -21,15 +20,6 @@ with config;
       EDITOR = "vim";
     };
 
-    programs.krewfile = {
-      enable = true;
-      krewPackage = pkgs.krew;
-      plugins = [
-        "resource-capacity"
-        "rook-ceph"
-      ];
-    };
-
     home = {
 
       # Install these packages for my user
@@ -104,9 +94,6 @@ with config;
         # nix tools
         nvd
 
-        # charmbracelet tools
-        gum
-        vhs
       ];
     };
   };

nixos/home/jahanson/workstation.nix

@@ -3,8 +3,19 @@ with config;
 {
   imports = [
     ./global.nix
+    inputs.krewfile.homeManagerModules.krewfile
   ];
 
+  # Krewfile management
+  programs.krewfile = {
+    enable = true;
+    krewPackage = pkgs.krew;
+    plugins = [
+      "resource-capacity"
+      "rook-ceph"
+    ];
+  };
+
   myHome = {
     programs.firefox.enable = true;
     programs.thunderbird.enable = true;
@@ -25,7 +36,7 @@ with config;
     packages = with pkgs;
       [
         #apps
-        discord
+        unstable.vesktop
         inputs.ghostty.packages.${pkgs.system}.default
         obsidian
         parsec-bin
@@ -41,6 +52,7 @@ with config;
         unstable.talosctl
         unstable.telegram-desktop
         unstable.tidal-hifi
+        unstable.vault
         vlc
 
         # cli

nixos/home/modules/programs/de/gnome/default.nix

@@ -26,7 +26,7 @@ with lib.hm.gvariant; {
       "org/gnome/shell" = {
         disabled-extensions = [ "apps-menu@gnome-shell-extensions.gcampax.github.com" "light-style@gnome-shell-extensions.gcampax.github.com" "places-menu@gnome-shell-extensions.gcampax.github.com" "drive-menu@gnome-shell-extensions.gcampax.github.com" "window-list@gnome-shell-extensions.gcampax.github.com" "workspace-indicator@gnome-shell-extensions.gcampax.github.com" ];
         enabled-extensions = [ "appindicatorsupport@rgcjonas.gmail.com" "caffeine@patapon.info" "dash-to-dock@micxgx.gmail.com" "gsconnect@andyholmes.github.io" "Vitals@CoreCoding.com" "sp-tray@sp-tray.esenliyim.github.com" ];
-        favorite-apps = [ "com.mitchellh.ghostty.desktop" "vivaldi-stable.desktop" "obsidian.desktop" "code.desktop" "discord.desktop" ];
+        favorite-apps = [ "com.mitchellh.ghostty.desktop" "vivaldi-stable.desktop" "obsidian.desktop" "code.desktop" "vesktop.desktop" ];
       };
       "org/gnome/nautilus/preferences" = {
         default-folder-viewer = "list-view";

nixos/hosts/telchar/default.nix

@@ -47,11 +47,21 @@
   # System settings and services.
   mySystem = {
     purpose = "Development";
+
+    # System config
     system = {
       motd.networkInterfaces = [ "wlp1s0" ];
       fingerprint-reader-on-laptop-lid.enable = true;
       borg.pika-backup.enable = true;
     };
+
+    # Services config
+    services = {
+      vault = {
+        enable = false;
+      };
+    };
+
     security._1password.enable = true;
     framework_wifi_swap.enable = true;
   };

nixos/modules/nixos/editor/vscode.nix

@@ -27,6 +27,7 @@ let
     "tyriar.sort-lines"
     "yzhang.markdown-all-in-one"
     "bmalehorn.vscode-fish"
+    "hashicorp.hcl"
     # "github.copilot-chat"
   ];
   # Nixpkgs Extensions. These are updated whenver they get around to it.

nixos/modules/nixos/services/default.nix

@@ -15,5 +15,6 @@
     ./reboot-required-check.nix
     ./restic
     ./sanoid
+    ./vault
   ];
 }

nixos/modules/nixos/services/vault/default.nix

@@ -0,0 +1,30 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.mySystem.services.vault;
+in
+{
+  options.mySystem.services.vault = {
+    enable = lib.mkEnableOption "vault";
+    address = lib.mkOption {
+      type = lib.types.str;
+      default = "127.0.0.1:8200";
+      description = "Address of the Vault server";
+      example = "127.0.0.1:8200";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.vault = {
+      enable = true;
+      package = pkgs.unstable.vault;
+      address = cfg.address;
+      dev = false;
+      storageBackend = "raft";
+      extraConfig = ''
+        api_addr = "http://127.0.0.1:8200"
+        cluster_addr = "http://127.0.0.1:8201"
+        ui = true
+      '';
+    };
+  };
+}

nixos/modules/nixos/services/vault/resources/vault-config.hcl

@@ -0,0 +1,14 @@
+listener "tcp" {
+    address = "0.0.0.0:8200"
+    tls_disable = true
+}
+
+storage "raft" {
+    path = "/var/lib/vault/data"
+    node_id = "node1"
+}
+
+disable_mlock = true
+api_addr = "http://localhost:8200"
+cluster_addr = "http://localhost:8201"
+ui = true

nixos/modules/nixos/system/fingerprint-reader-on-laptop-lid/default.nix

@@ -24,10 +24,10 @@ let
         grep -Fxq connected /sys/class/drm/card*-HDMI-*/status)
     then
       touch "$lock"
-      echo 0 > /sys/bus/usb/devices/5-4.1/authorized
+      echo 0 > /dev/fingerprint_sensor/authorized
     elif [ -f "$lock" ]
     then
-      echo 1 > /sys/bus/usb/devices/5-4.1/authorized
+      echo 1 > /dev/fingerprint_sensor/authorized
       rm "$lock"
     fi
   '';
@@ -38,9 +38,19 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    services.acpid = {
+    services = {
-      enable = true;
+      acpid = {
-      lidEventCommands = "${laptop-lid}";
+        enable = true;
+        lidEventCommands = "${laptop-lid}";
+      };
+      # Add udev rule to create symlink for fingerprint sensor
+      # when usb device 27c6:609c is connected or disconnected.
+      # Reason: hubs like caldigit re-orient the device number on each boot.
+      # May requires a reboot to take effect.
+      # or sudo udevadm control --reload-rules && sudo udevadm trigger
+      udev.extraRules = ''
+        SUBSYSTEM=="usb", ATTRS{idVendor}=="27c6", ATTRS{idProduct}=="609c", RUN+="/bin/sh -c 'ln -sf /sys$devpath /dev/fingerprint_sensor'"
+      '';
     };
 
     # Disable fingerprint reader at login since you can't put in a password when fprintd is running.

nixos/profiles/role-dev.nix

@@ -21,9 +21,13 @@ with config;
     shfmt
     statix
 
-    # bind # for dns utils like named-checkconf
+    # flake imports
     inputs.nix-inspect.packages.${pkgs.system}.default
     inputs.talhelper.packages.${pkgs.system}.default
+
+    # charmbracelet tools
+    gum
+    vhs
   ];
 
   programs.direnv = {