random stuff

hosts/h001/mods/default.nix

@@ -12,6 +12,7 @@
     ./oauth2-proxy.nix
     ./n8n.nix
     ./postgresql.nix
-    ./openbao.nix
+    # ./openbao.nix
+    ./vault.nix
   ];
 }

hosts/h001/mods/vault.nix

@@ -0,0 +1,51 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  services.nginx = {
+    virtualHosts = {
+      "sec.joshuabell.xyz" = {
+        addSSL = true;
+        sslCertificate = "/var/lib/acme/joshuabell.xyz/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/joshuabell.xyz/key.pem";
+        locations."/" = {
+          proxyWebsockets = true;
+          proxyPass = "http://localhost:8200";
+          recommendedProxySettings = true;
+        };
+      };
+    };
+  };
+
+  services.vault = {
+    enable = true;
+    dev = true; # trying it out... remove
+    address = "127.0.0.1:8200";
+    storagePath = "/var/lib/hashi_vault";
+
+     };
+
+  # Ensure the data directory exists with proper permissions
+  systemd.tmpfiles.rules = [
+    "d /var/lib/hashi_vault 0700 vault vault - -"
+  ];
+
+  # Additional systemd service hardening
+  # systemd.services.openbao = {
+  #   serviceConfig = {
+  #     # Security hardening
+  #     NoNewPrivileges = true;
+  #     PrivateTmp = true;
+  #     ProtectSystem = "strict";
+  #     ProtectHome = true;
+  #     ReadWritePaths = [ "/var/lib/openbao" ];
+  #
+  #     # Resource limits
+  #     LimitNOFILE = 65536;
+  #     LimitNPROC = 4096;
+  #   };
+  # };
+}