cluster/services/frangiclave: retry_join

cluster/services/bitwarden/default.nix

@@ -1,5 +1,10 @@
 { depot, ... }:
 
 {
+  services.bitwarden = {
+    nodes.host = [ "VEGAS" ];
+    nixos.host = ./host.nix;
+  };
+
   dns.records.keychain.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
 }

cluster/services/frangiclave/default.nix

@@ -1,13 +1,21 @@
+{ config, ... }:
+
 {
   services.frangiclave = {
     nodes = {
-      server = [ "VEGAS" "grail" "prophet" ]; # 3 reliable nodes
+      server = [ "VEGAS" "grail" "prophet" ];
+      cluster = config.services.frangiclave.nodes.server;
       agent = []; # all nodes, for vault-agent, secret templates, etc.
     };
+    meshLinks = {
+      server.link.protocol = "http";
+      cluster.link.protocol = "http";
+    };
     nixos = {
       server = [
         ./server.nix
       ];
+      cluster = [];
       agent = [];
     };
   };

cluster/services/frangiclave/server.nix

@@ -1,8 +1,34 @@
-{ depot, ... }:
+{ cluster, config, depot, lib, ... }:
+
+let
+  apiLink = cluster.config.hostLinks.${config.networking.hostName}.frangiclave-server;
+  clusterLink = cluster.config.hostLinks.${config.networking.hostName}.frangiclave-cluster;
+in
 
 {
   services.vault = {
     enable = true;
     package = depot.packages.openbao;
+    address = apiLink.tuple;
+    extraConfig = /*hcl*/ ''
+      api_addr = "${apiLink.url}"
+      cluster_addr = "${clusterLink.url}"
+    '';
+
+    storageBackend = "raft";
+    storageConfig = /*hcl*/ ''
+      node_id = "x${builtins.hashString "sha256" "frangiclave-node-${config.networking.hostName}"}"
+      ${
+        lib.pipe (cluster.config.services.frangiclave.otherNodes.server config.networking.hostName) [
+          (map (node: cluster.config.hostLinks.${node}.frangiclave-server))
+          (map (link: /*hcl*/ ''
+            retry_join {
+              leader_api_addr = "${link.url}"
+            }
+          ''))
+          (lib.concatStringsSep "\n")
+        ]
+      }
+    '';
   };
 }

cluster/services/gitlab/default.nix

@@ -1,5 +1,10 @@
 { depot, ... }:
 
 {
+  services.gitlab = {
+    nodes.host = [ "VEGAS" ];
+    nixos.host = ./host.nix;
+  };
+
   dns.records.git.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
 }

cluster/services/gitlab/host.nix

@@ -9,7 +9,7 @@ let
     owner = "gitlab";
     group = "gitlab";
     mode = "0400";
-    file = ../../../../secrets/${name}.age;
+    file = ../../../secrets/${name}.age;
   };
 
   secrets = lib.mapAttrs (_: v: v.path) config.age.secrets;

cluster/services/mail/certificate.nix

@@ -1,11 +1,6 @@
 { depot, lib, ... }:
-{
-  imports = [
-    ./imap.nix
-    ./opendkim.nix
-    ./postfix.nix
-  ];
 
+{
   security.acme.certs."mail.${depot.lib.meta.domain}" = {
     dnsProvider = "exec";
     webroot = lib.mkForce null;

cluster/services/mail/default.nix

@@ -1,6 +1,24 @@
 { depot, ... }:
 
 {
+  services.mail = {
+    nodes = {
+      smtp = [ "VEGAS" ];
+      imap = [ "VEGAS" ];
+    };
+    nixos = {
+      smtp = [
+        ./postfix.nix
+        ./opendkim.nix
+        ./certificate.nix
+      ];
+      imap = [
+        ./imap.nix
+        ./certificate.nix
+      ];
+    };
+  };
+
   dns.records = let
     inherit (depot.lib.meta) domain adminEmail;
     mailServerAddr = depot.hours.VEGAS.interfaces.primary.addrPublic;

cluster/services/mail/imap.nix

@@ -32,7 +32,7 @@ let
   '';
 in {
 
-  age.secrets.dovecotLdapToken.file = ../../../../secrets/dovecot-ldap-token.age;
+  age.secrets.dovecotLdapToken.file = ../../../secrets/dovecot-ldap-token.age;
 
   networking.firewall.allowedTCPPorts = [ 143 993 ];
 

cluster/services/mail/postfix.nix

@@ -14,7 +14,7 @@ let
 in
 {
   age.secrets."postfix-ldap-mailboxes.cf" = {
-    file = ../../../../secrets/postfix-ldap-mailboxes.age;
+    file = ../../../secrets/postfix-ldap-mailboxes.age;
     owner = "postfix";
     group = "postfix";
     mode = "0400";

cluster/services/sso/default.nix

@@ -1,6 +1,11 @@
 { depot, ... }:
 
 {
+  services.sso = {
+    nodes.host = [ "VEGAS" ];
+    nixos.host = ./host.nix;
+  };
+
   dns.records = let
     ssoAddr = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
   in {

cluster/services/wireguard/default.nix

@@ -66,9 +66,11 @@ in
   services.wireguard = {
     nodes = {
       mesh = [ "checkmate" "grail" "thunderskin" "VEGAS" "prophet" ];
+      storm = [ "VEGAS" ];
     };
     nixos = {
       mesh = ./mesh.nix;
+      storm = ./storm.nix;
     };
     secrets.meshPrivateKey = {
       nodes = config.services.wireguard.nodes.mesh;

cluster/services/wireguard/storm.nix

@@ -6,7 +6,7 @@ let
 in
 {
   age.secrets.wireguard-key-storm = {
-    file = ../../../../secrets + "/wireguard-key-storm-${hostName}.age";
+    file = ../../../secrets + "/wireguard-key-storm-${hostName}.age";
     mode = "0400";
   };
 

hosts/VEGAS/system.nix

@@ -16,15 +16,10 @@
 
       # Services
       ./services/backbone-routing
-      ./services/bitwarden
       ./services/cdn-shield
-      ./services/gitlab
       ./services/jokes
-      ./services/mail
       ./services/minecraft
-      ./services/sso
       ./services/websites
-      ./services/wireguard-server
       depot.nixosModules.hyprspace
       depot.nixosModules.nix-builder