diff --git a/hosts/h001/mods/default.nix b/hosts/h001/mods/default.nix index f0a4454..c1a4db5 100644 --- a/hosts/h001/mods/default.nix +++ b/hosts/h001/mods/default.nix @@ -12,6 +12,7 @@ ./oauth2-proxy.nix ./n8n.nix ./postgresql.nix - ./openbao.nix + # ./openbao.nix + ./vault.nix ]; } diff --git a/hosts/h001/mods/vault.nix b/hosts/h001/mods/vault.nix new file mode 100644 index 0000000..1645503 --- /dev/null +++ b/hosts/h001/mods/vault.nix @@ -0,0 +1,51 @@ +{ + config, + lib, + pkgs, + ... +}: +{ + services.nginx = { + virtualHosts = { + "sec.joshuabell.xyz" = { + addSSL = true; + sslCertificate = "/var/lib/acme/joshuabell.xyz/fullchain.pem"; + sslCertificateKey = "/var/lib/acme/joshuabell.xyz/key.pem"; + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://localhost:8200"; + recommendedProxySettings = true; + }; + }; + }; + }; + + services.vault = { + enable = true; + dev = true; # trying it out... remove + address = "127.0.0.1:8200"; + storagePath = "/var/lib/hashi_vault"; + + }; + + # Ensure the data directory exists with proper permissions + systemd.tmpfiles.rules = [ + "d /var/lib/hashi_vault 0700 vault vault - -" + ]; + + # Additional systemd service hardening + # systemd.services.openbao = { + # serviceConfig = { + # # Security hardening + # NoNewPrivileges = true; + # PrivateTmp = true; + # ProtectSystem = "strict"; + # ProtectHome = true; + # ReadWritePaths = [ "/var/lib/openbao" ]; + # + # # Resource limits + # LimitNOFILE = 65536; + # LimitNPROC = 4096; + # }; + # }; +} diff --git a/hosts/lio/flake.lock b/hosts/lio/flake.lock index 09b7b16..066e86b 100644 --- a/hosts/lio/flake.lock +++ b/hosts/lio/flake.lock 
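Review bot: `dev = true` in the new vault.nix starts Vault in dev mode (in-memory storage, auto-unsealed, root token supplied by the module's `devRootTokenID`), yet the same hunk publishes it on the `sec.joshuabell.xyz` TLS vhost with no access restriction, so `storagePath` and the `0700` tmpfiles directory have no effect and everything written is lost on restart. Before the host is reachable, switch to a persistent backend: `dev = false;` and `storageBackend = "file";` next to `storagePath` (the NixOS module appears to assert that a non-null `storagePath` goes with the file/raft backend — confirm against the module). Keep `address` on loopback and gate the vhost until the instance has been initialised and unseal handling is in place. The commented hardening block still names `systemd.services.openbao` and `/var/lib/openbao`; if it is brought back it needs `systemd.services.vault` and `ReadWritePaths = [ "/var/lib/hashi_vault" ];`.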
@@ -27,20 +27,14 @@ }, "common": { "locked": { - "dir": "flakes/common", - "lastModified": 1762966688, - "narHash": "sha256-a+mbYeRAlbcRBvgabeGKUTDKaEV66S7sOrKkoJboMI8=", - "ref": "refs/heads/master", - "rev": "f3189e056f0e2f66abb9b1c245084278081e782a", - "revCount": 776, - "type": "git", - "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" + "path": "../../flakes/common", + "type": "path" }, "original": { - "dir": "flakes/common", - "type": "git", - "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" - } + "path": "../../flakes/common", + "type": "path" + }, + "parent": [] }, "crane": { "locked": { @@ -227,11 +221,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1761619080, - "narHash": "sha256-PsLFmU/CORWeCjJi9ALsegwr/SMjf2gHsooTR09az4c=", + "lastModified": 1763010827, + "narHash": "sha256-RFEZh8UF4S0GMbWpDin6EzuhuykaAhXKF8qsRU7ArUE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "fd644bba1d3a83169e4b312ce20928ba1b0abb02", + "rev": "d3ca3185bb27958941927598b76caf591187f9bf", "type": "github" }, "original": { @@ -275,11 +269,11 @@ "nvim_plugin-CopilotC-Nvim/CopilotChat.nvim": { "flake": false, "locked": { - "lastModified": 1761323006, - "narHash": "sha256-6BjkqZCo2DLVxW6BHyElt2cZdG6Dhzao8hPfWYm0sIQ=", + "lastModified": 1762727340, + "narHash": "sha256-sT4UnxLvfuHZxkrMjFaUNVyun7sxwax83O/QB3f7fQE=", "owner": "CopilotC-Nvim", "repo": "CopilotChat.nvim", - "rev": "a7138a0ee04d8af42c262554eccee168bbf1454f", + "rev": "ce485330c76a5b63ccfb02b7dd18890a748ca558", "type": "github" }, "original": { @@ -307,11 +301,11 @@ "nvim_plugin-L3MON4D3/LuaSnip": { "flake": false, "locked": { - "lastModified": 1761039842, - "narHash": "sha256-ovvtTZgqL6MFvuI3byx+boWm6ErZX06+v6a3VoctREc=", + "lastModified": 1762213057, + "narHash": "sha256-Pil9m8zN3XzMtPT8spdr78dzkMW7dcpVnbWzie6524A=", "owner": "L3MON4D3", "repo": "LuaSnip", - "rev": "ccf25a5452b8697a823de3e5ecda63ed3d723b79", + "rev": "3732756842a2f7e0e76a7b0487e9692072857277", "type": "github" }, "original": { 
@@ -323,11 +317,11 @@ "nvim_plugin-MeanderingProgrammer/render-markdown.nvim": { "flake": false, "locked": { - "lastModified": 1761343950, - "narHash": "sha256-HycEAgAsU8IxFiYfyp5ZGN+z6wYyCarIESxA9TDuJ3s=", + "lastModified": 1762952625, + "narHash": "sha256-K967UmJYqy3Xe0UeskIksczs+g00yA9YJAof1G5pQH8=", "owner": "MeanderingProgrammer", "repo": "render-markdown.nvim", - "rev": "bfd67f1402b97ac619cb538f4bbaed12a7fa89aa", + "rev": "f58c05f349d6e7650f4b40b0df1514400f0c10de", "type": "github" }, "original": { @@ -403,11 +397,11 @@ "nvim_plugin-b0o/schemastore.nvim": { "flake": false, "locked": { - "lastModified": 1761343239, - "narHash": "sha256-obGnux+K0blHROEOAy7Ct18vxiO4Qez8XJB5l23KgMs=", + "lastModified": 1762970439, + "narHash": "sha256-17PacghZB5pxXgui7KrIkc43yqh9aQe2thyt3OpgzXw=", "owner": "b0o", "repo": "schemastore.nvim", - "rev": "4341619da06779ae310ee9c3d6d70edfefed7152", + "rev": "229e7ecd3ed9b882cc172f7e8a8d6eb8ba4124ff", "type": "github" }, "original": { @@ -419,11 +413,11 @@ "nvim_plugin-catppuccin/nvim": { "flake": false, "locked": { - "lastModified": 1761396780, - "narHash": "sha256-Nz/XbItShbrnKtj0+gcEDBFO5y00g0EG5CHqdJGK2j0=", + "lastModified": 1762006357, + "narHash": "sha256-WNOuJ+XdO0x3Vlc8mALwtFU6iwJXilOM/NF0F1161FQ=", "owner": "catppuccin", "repo": "nvim", - "rev": "8c4125e3c746976ba025dc5d908fa22c6aa09486", + "rev": "234fc048de931a0e42ebcad675bf6559d75e23df", "type": "github" }, "original": { @@ -467,11 +461,11 @@ "nvim_plugin-folke/lazy.nvim": { "flake": false, "locked": { - "lastModified": 1761488113, - "narHash": "sha256-jBmtFzzdGYe3N3kvWHvR7FGXtA+/t36efxsAqhLmaxU=", + "lastModified": 1762421181, + "narHash": "sha256-h5404njTAfqMJFQ3MAr2PWSbV81eS4aIs0cxAXkT0EM=", "owner": "folke", "repo": "lazy.nvim", - "rev": "ed4dc336a73c18da6fea6e1cf7ad6e1b76d281eb", + "rev": "85c7ff3711b730b4030d03144f6db6375044ae82", "type": "github" }, "original": { 
@@ -499,11 +493,11 @@ "nvim_plugin-folke/which-key.nvim": { "flake": false, "locked": { - "lastModified": 1759952076, - "narHash": "sha256-N31+V5L0gd+TUo9nVtNGRmMVmM9fMxOwldCfuLYT4hU=", + "lastModified": 1761664528, + "narHash": "sha256-rKaYnXM4gRkkF/+xIFm2oCZwtAU6CeTdRWU93N+Jmbc=", "owner": "folke", "repo": "which-key.nvim", - "rev": "b4177e3eaf15fe5eb8357ebac2286d488be1ed00", + "rev": "3aab2147e74890957785941f0c1ad87d0a44c15a", "type": "github" }, "original": { @@ -563,11 +557,11 @@ "nvim_plugin-hrsh7th/nvim-cmp": { "flake": false, "locked": { - "lastModified": 1760792454, - "narHash": "sha256-wkESSNUViVI5DE+3t4AVTaSLQ/hTB43vrm+PH6uA8H4=", + "lastModified": 1762254225, + "narHash": "sha256-Pnfa1u+hoVIKo7Jvv3VF/p6m0ALXywwUNEb2FI7TeEc=", "owner": "hrsh7th", "repo": "nvim-cmp", - "rev": "a7bcf1d88069fc67c9ace8a62ba480b8fe879025", + "rev": "106c4bcc053a5da783bf4a9d907b6f22485c2ea0", "type": "github" }, "original": { @@ -691,11 +685,11 @@ "nvim_plugin-mfussenegger/nvim-lint": { "flake": false, "locked": { - "lastModified": 1759852544, - "narHash": "sha256-wVEX0lCxeipvwCfdd2JbQwnhgg6UrTXixC8E1OiEblI=", + "lastModified": 1762442588, + "narHash": "sha256-TRiTTCfOoFXQvEw6Dyjx70Y2svpP7ln0LbYLOHw2Lzw=", "owner": "mfussenegger", "repo": "nvim-lint", - "rev": "9da1fb942dd0668d5182f9c8dee801b9c190e2bb", + "rev": "8b349e822a36e9480aed96c6dd2f757f80524a35", "type": "github" }, "original": { @@ -707,11 +701,11 @@ "nvim_plugin-mrcjkb/rustaceanvim": { "flake": false, "locked": { - "lastModified": 1761585884, - "narHash": "sha256-m/gd+cb7X2a7R6JSbHes0QjGs+zuj4698Qyi/OW0R1g=", + "lastModified": 1762620523, + "narHash": "sha256-w1BXvvIK2db4mhI+dIOut7XFAVyAzzvuLu6ThkHYfw4=", "owner": "mrcjkb", "repo": "rustaceanvim", - "rev": "be0d1d14b8504c1c0965b608dc7ed39f2d588c91", + "rev": "ccd8f99b159f53113e503fa99a613875407db49f", "type": "github" }, "original": { 
@@ -723,11 +717,11 @@ "nvim_plugin-neovim/nvim-lspconfig": { "flake": false, "locked": { - "lastModified": 1761605346, - "narHash": "sha256-3Aulaw6KMmrcoQQxhRhQhjZ2fg6MSU4Q7qAWtrVsOcA=", + "lastModified": 1762966402, + "narHash": "sha256-2wflkFO9GYm5kFais+zKewraBItknXeNSmUKe8muj+U=", "owner": "neovim", "repo": "nvim-lspconfig", - "rev": "2b52bc2190c8efde2e4de02d829a138666774c7c", + "rev": "b34fbdffdcb6295c7a25df6ba375452a2e73c32e", "type": "github" }, "original": { @@ -803,11 +797,11 @@ "nvim_plugin-nvim-telescope/telescope-fzf-native.nvim": { "flake": false, "locked": { - "lastModified": 1741765009, - "narHash": "sha256-Zyv8ikxdwoUiDD0zsqLzfhBVOm/nKyJdZpndxXEB6ow=", + "lastModified": 1762521376, + "narHash": "sha256-ChEM4jJonAE4qXd/dgTu2mdlpNBj5rEdpA8TgR38oRM=", "owner": "nvim-telescope", "repo": "telescope-fzf-native.nvim", - "rev": "1f08ed60cafc8f6168b72b80be2b2ea149813e55", + "rev": "6fea601bd2b694c6f2ae08a6c6fab14930c60e2c", "type": "github" }, "original": { @@ -835,11 +829,11 @@ "nvim_plugin-nvim-telescope/telescope.nvim": { "flake": false, "locked": { - "lastModified": 1747012888, - "narHash": "sha256-JpW0ehsX81yVbKNzrYOe1hdgVMs6oaaxMLH6lECnOJg=", + "lastModified": 1762931078, + "narHash": "sha256-7DHFXZxUtPUQkpy2zjC2lwhj7isBCyEwh9LbtqAjSFs=", "owner": "nvim-telescope", "repo": "telescope.nvim", - "rev": "b4da76be54691e854d3e0e02c36b0245f945c2c7", + "rev": "3a12a853ebf21ec1cce9a92290e3013f8ae75f02", "type": "github" }, "original": { @@ -851,11 +845,11 @@ "nvim_plugin-nvim-tree/nvim-tree.lua": { "flake": false, "locked": { - "lastModified": 1760921408, - "narHash": "sha256-QCUp/6qX/FS8LrZ6K+pvC/mHkYW8xfzQZEB2y0VOStQ=", + "lastModified": 1762812542, + "narHash": "sha256-tCIi3C025gooix20RBCGKBtnuGFrZezQGbwv+tz37Wc=", "owner": "nvim-tree", "repo": "nvim-tree.lua", - "rev": "64e2192f5250796aa4a7f33c6ad888515af50640", + "rev": "1eda2569394f866360e61f590f1796877388cb8a", "type": "github" }, "original": { 
@@ -883,11 +877,11 @@ "nvim_plugin-nvim-treesitter/nvim-treesitter-context": { "flake": false, "locked": { - "lastModified": 1761077440, - "narHash": "sha256-QdZstxKsEILwe7eUZCmMdyLPyvNKc/e7cfdYQowHWPQ=", + "lastModified": 1762769683, + "narHash": "sha256-ICwAUXKngSPsJ6VV+84KUPqtAwlGPrm4FIf9ioisiz8=", "owner": "nvim-treesitter", "repo": "nvim-treesitter-context", - "rev": "ec308c7827b5f8cb2dd0ad303a059c945dd21969", + "rev": "660861b1849256398f70450afdf93908d28dc945", "type": "github" }, "original": { @@ -931,11 +925,11 @@ "nvim_plugin-rmagatti/auto-session": { "flake": false, "locked": { - "lastModified": 1761491368, - "narHash": "sha256-F2MtkBCVAObRwniSvFjv5MmYnCaj1YSUf0Nk5MF1F4Y=", + "lastModified": 1761853983, + "narHash": "sha256-9/SfXUAZIiPAS5ojvJCxDCxmuLoL/kIrAsNWAoLWFq4=", "owner": "rmagatti", "repo": "auto-session", - "rev": "f0eb3d69848389869572b82b336d7a6887e88e43", + "rev": "292492ab7af4bd8b9e37e28508bc8ce995722fd5", "type": "github" }, "original": { @@ -995,11 +989,11 @@ "nvim_plugin-stevearc/conform.nvim": { "flake": false, "locked": { - "lastModified": 1761160784, - "narHash": "sha256-yUUDxYuIjbFHUscEKpFV6IaraDNOA4hdcGljPHG/+sU=", + "lastModified": 1762317018, + "narHash": "sha256-dJf8g5I85De4JYYCL4k7u85fatjU2BmF9pO5WbxhCQQ=", "owner": "stevearc", "repo": "conform.nvim", - "rev": "9fd3d5e0b689ec1bf400c53cbbec72c6fdf24081", + "rev": "cde4da5c1083d3527776fee69536107d98dae6c9", "type": "github" }, "original": { @@ -1107,11 +1101,11 @@ "nvim_plugin-zbirenbaum/copilot.lua": { "flake": false, "locked": { - "lastModified": 1761595323, - "narHash": "sha256-KkiU2xmpfIbpuijvcXDw+LWKWuBgxjwY7jEQIasN5Kw=", + "lastModified": 1762533352, + "narHash": "sha256-/8baBZIhZdQ4B0hoTmh68I2p08rJJ7INil77qIu9vCU=", "owner": "zbirenbaum", "repo": "copilot.lua", - "rev": "93adf9844dcbe09a37e7a72eaa286d33d38bf628", + "rev": "5bde2cfe01f049f522eeb8b52c5c723407db8bdf", "type": "github" }, "original": { 
@@ -1213,11 +1207,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1761712156, - "narHash": "sha256-4vU7FPZFXSFguQUIPrbLQOk3VSokp6RH8t7zQoqneow=", + "lastModified": 1763012261, + "narHash": "sha256-xrxrvRT9+2dQRs5O5GjgFcCpSHijcweg/3nERf1A/3c=", "ref": "refs/heads/master", - "rev": "04f666dabbaced8d661693cfbe4eb7efa359ce7d", - "revCount": 320, + "rev": "66100486bb45e80f6007afd780ad0914e263ba8e", + "revCount": 321, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/nvim" }, @@ -1234,11 +1228,11 @@ ] }, "locked": { - "lastModified": 1761619008, - "narHash": "sha256-vp97eNmi5GG/+jlvnBpmG6EVO2F1+nqMQFF9GT2TIQg=", + "lastModified": 1763001554, + "narHash": "sha256-wsfhRTuxu6f06RMmP4JWcq3wWRlmYtQaJZ6b3f+EJ94=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "7bc7d2f706ebe5479d230d2c6806b5dc757ae4cd", + "rev": "315d97eb753cee8e1aa039a5e622b84d32a454bb", "type": "github" }, "original": { diff --git a/hosts/lio/flake.nix b/hosts/lio/flake.nix index e67da22..cbdd81f 100644 --- a/hosts/lio/flake.nix +++ b/hosts/lio/flake.nix @@ -6,8 +6,8 @@ nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; # Use relative to get current version for testing - # common.url = "path:../../flakes/common"; - common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/common"; + common.url = "path:../../flakes/common"; + # common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/common"; # secrets.url = "path:../../flakes/secrets"; secrets.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/secrets"; # flatpaks.url = "path:../../flakes/flatpaks"; @@ -146,6 +146,11 @@ }; }; + environment.systemPackages = with pkgs; [ + vlang + ttyd + ]; + services.flatpak.packages = [ "org.signal.Signal" "dev.vencord.Vesktop" diff --git a/secrets_epic.md b/secrets_epic.md index 630bfc7..f224d6c 100644 --- a/secrets_epic.md +++ b/secrets_epic.md 
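Review bot: The committed toggle now points `common.url` at `path:../../flakes/common`, and the matching flake.lock hunk records it as a `type: path` input with no `rev` or `narHash`, so the host's `common` input is no longer pinned and a build from another checkout uses whatever is in that working tree. The comment above the line says the relative form is for testing, which suggests this swap was not meant to be committed; if it was intentional, update the comment to say the path input is now the default and why `secrets` stays on the git form. Restoring the pin is one line: `common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/common";`.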
@@ -543,3 +543,4 @@ At any point, can rollback by: - Automatic rotation - Centralized management - Audit logging +