natto1784/dotfiles
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

vault:migrate to consul backend

Browse Source
This commit is contained in:
Amneesh Singh
2022-01-30 11:10:37 +05:30
parent dd96dacbf7
commit 2223c5942e
1 changed files with 31 additions and 82 deletions
Download Patch File Download Diff File Expand all files Collapse all files

113
hosts/marisa/services.nix
View File

@@ -1,7 +1,25 @@
{ lib, config, pkgs, ... }: { lib, config, pkgs, ... }:
{ {
# Add secrets to conul and nomad configs # Add secrets to nomad, consul and vault
systemd.tmpfiles.rules = lib.singleton "d /run/vault - vault vault 1h";
systemd.services.vault.preStart =
let
originalCfg = pkgs.writeText "vaultConfiguration.json" (builtins.toJSON rec {
storage."consul" = {
address = "10.55.0.2:8500";
path = "vault";
token = "+++vault_consul_token+++";
};
api_addr = "https://127.0.0.1:8800";
ui = true;
});
in
lib.mkForce ''
mkdir -p /run/vault
sed -e 's,+++vault_consul_token+++,'"$(cat /var/secrets/vault_consul.key)"',' \
${originalCfg} > /run/vault/vault.json
'';
systemd.services.consul.preStart = systemd.services.consul.preStart =
let let
originalCfg = pkgs.writeText "consulConfiguration.json" (builtins.toJSON rec { originalCfg = pkgs.writeText "consulConfiguration.json" (builtins.toJSON rec {
@@ -20,8 +38,9 @@
acl = { acl = {
enabled = true; enabled = true;
default_policy = "deny"; default_policy = "deny";
enable_token_persistence = true;
tokens = { tokens = {
agent = "+++consul_marisa+++"; agent = "+++consul_token+++";
}; };
}; };
server = true; server = true;
@@ -40,11 +59,11 @@
lib.mkForce '' lib.mkForce ''
mkdir -p /run/consul mkdir -p /run/consul
sed -e 's,+++consul_encryption+++,'"$(cat /var/secrets/consul_encryption.key)"',' \ sed -e 's,+++consul_encryption+++,'"$(cat /var/secrets/consul_encryption.key)"',' \
-e 's,+++consul_marisa+++,'"$(cat /var/secrets/consul_marisa.token)"',' \ -e 's,+++consul_token+++,'"$(cat /var/secrets/consul_bootstrap.token)"',' \
${originalCfg} > /run/consul/consul.json ${originalCfg} > /run/consul/consul.json
''; '';
systemd.services.nomad.after = [ "consul.service" ]; systemd.services.nomad.after = [ "vault.service" ];
systemd.services.nomad.preStart = systemd.services.nomad.preStart =
let let
originalCfg = pkgs.writeText "nomadConfiguration.json" originalCfg = pkgs.writeText "nomadConfiguration.json"
@@ -65,6 +84,11 @@
pull_activity_timeout = "30m"; pull_activity_timeout = "30m";
}; };
}; };
plugin."raw_exec" = {
config = {
enabled = true;
};
};
client = { client = {
options = { options = {
"docker.privileged.enabled" = true; "docker.privileged.enabled" = true;
@@ -126,12 +150,9 @@
tlsCertFile = "/var/rootcert/cert.pem"; tlsCertFile = "/var/rootcert/cert.pem";
tlsKeyFile = "/var/rootcert/key.pem"; tlsKeyFile = "/var/rootcert/key.pem";
address = "0.0.0.0:8800"; address = "0.0.0.0:8800";
storageBackend = "file"; # storageBackend = "file";
storagePath = "/var/lib/vault"; # storagePath = "/var/lib/vault";
extraConfig = '' extraSettingsPaths = lib.singleton "/run/vault/vault.json";
api_addr = "https://127.0.0.1:8800"
ui = true
'';
}; };
consul = { consul = {
@@ -157,36 +178,12 @@
]; ];
}; };
template = [ template = [
{
source = pkgs.writeText "gitea.tpl" ''
{{ with secret "kv/systems/Marisa/gitea" }}{{ .Data.data.gitea }}{{ end }}
'';
destination = "/var/secrets/gitea.key";
}
{ {
source = pkgs.writeText "wg.tpl" '' source = pkgs.writeText "wg.tpl" ''
{{ with secret "kv/systems/Marisa/wg" }}{{ .Data.data.private }}{{ end }} {{ with secret "kv/systems/Marisa/wg" }}{{ .Data.data.private }}{{ end }}
''; '';
destination = "/var/secrets/wg.key"; destination = "/var/secrets/wg.key";
} }
{
source = pkgs.writeText "consul_marisa.tpl" ''
{{ with secret "kv/systems/Marisa/consul" }}{{ .Data.data.agentToken }}{{ end }}
'';
destination = "/var/secrets/consul_marisa.token";
}
{
source = pkgs.writeText "consul_bootstrap.tpl" ''
{{ with secret "kv/consul" }}{{ .Data.data.bootstrapToken }}{{ end }}
'';
destination = "/var/secrets/consul_bootstrap.token";
}
{
source = pkgs.writeText "consul_encryption.tpl" ''
{{ with secret "kv/consul" }}{{ .Data.data.encryptionKey }}{{ end }}
'';
destination = "/var/secrets/consul_encryption.key";
}
{ {
source = pkgs.writeText "nomad_vault.tpl" '' source = pkgs.writeText "nomad_vault.tpl" ''
{{ with secret "kv/nomad" }}{{ .Data.data.vaultToken }}{{ end }} {{ with secret "kv/nomad" }}{{ .Data.data.vaultToken }}{{ end }}
@@ -208,54 +205,6 @@
]; ];
}; };
}; };
postgresql = {
enable = true;
port = 6060;
enableTCPIP = true;
authentication = ''
local gitea all ident map=gitea-map
host vault all 10.55.0.2/32 md5
host all all 192.168.0.110/32 md5
'';
identMap = ''
gitea-map gitea gitea
'';
};
gitea = {
enable = false;
appName = "Natto Tea";
rootUrl = "https://git.weirdnatto.in/";
cookieSecure = true;
dump = {
enable = true;
backupDir = "/tmp/gitea";
type = "tar.gz";
file = "gitnigger";
};
httpPort = 5001;
database = rec {
createDatabase = false;
port = 6060;
name = "gitea";
user = name;
passwordFile = "/var/secrets/gitea.key";
type = "postgres";
};
settings = {
oauth2_client = {
UPDATE_AVATAR = true;
};
ui = {
DEFAULT_THEME = "arc-green";
};
security = {
LOGIN_REMEMBER_DAYS = 50;
};
server = {
SSH_PORT = lib.mkForce 22001;
};
};
};
}; };
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJHingN2Aho+KGgEvBMjtoez+W1svl9uVoa4vG0d646j" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJHingN2Aho+KGgEvBMjtoez+W1svl9uVoa4vG0d646j"