From dd96dacbf784129015967cba227e92c7fe9f4d7f Mon Sep 17 00:00:00 2001
From: natto1784
Date: Fri, 28 Jan 2022 02:11:38 +0530
Subject: [PATCH] Marisa: try consul and nomad
---
 consul-agent-ca.pem | 18 +++
 flake.lock | 126 ++++++++++----------
 hosts/marisa/boot.nix | 2 +-
 hosts/marisa/networking.nix | 2 +-
 hosts/marisa/services.nix | 226 +++++++++++++++++++++++++-----------
 modules/min-pkgs.nix | 2 +
 6 files changed, 246 insertions(+), 130 deletions(-)
 create mode 100644 consul-agent-ca.pem
diff --git a/consul-agent-ca.pem b/consul-agent-ca.pem
new file mode 100644
index 0000000..7cf1827
--- /dev/null
+++ b/consul-agent-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7TCCApSgAwIBAgIRALFjjI2cjNlictQWYya1oKkwCgYIKoZIzj0EAwIwgbkx
+CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
+bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
+FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjFAMD4GA1UEAxM3Q29uc3VsIEFnZW50IENB
+IDIzNTc5MDI0MzM5OTg5MDQyMDkwMDc4NzE2NTg4MzY1NjQxMzM1MzAeFw0yMjAx
+MjIwNTM3MTNaFw0yNzAxMjEwNTM3MTNaMIG5MQswCQYDVQQGEwJVUzELMAkGA1UE
+CBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xGjAYBgNVBAkTETEwMSBTZWNv
+bmQgU3RyZWV0MQ4wDAYDVQQREwU5NDEwNTEXMBUGA1UEChMOSGFzaGlDb3JwIElu
+Yy4xQDA+BgNVBAMTN0NvbnN1bCBBZ2VudCBDQSAyMzU3OTAyNDMzOTk4OTA0MjA5
+MDA3ODcxNjU4ODM2NTY0MTMzNTMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7
+/XOebThO8wdSVCE42mrvl5emMofZkzlRJ81BJacp9ZsenkW66U2QWhCJ/o8iXFcI
+O7hCQVOqSKHV800q1j95o3sweTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUw
+AwEB/zApBgNVHQ4EIgQgp5evx9TUR9LT7R8sm+OhNWTLPqwwADMIeY8Th59ICX0w
+KwYDVR0jBCQwIoAgp5evx9TUR9LT7R8sm+OhNWTLPqwwADMIeY8Th59ICX0wCgYI
+KoZIzj0EAwIDRwAwRAIgF7XqHjWG7MlzHfPkkonfn/WyzD2HNg3y/hvnjlPY6q4C
+ICQS82jw2Rw9qhd3lsOL5xiJV0aC+NzOPAZ1MbFf+h9z
+-----END CERTIFICATE-----
diff --git a/flake.lock b/flake.lock
index 2b41f45..f1d0e24 100644
--- a/flake.lock
+++ b/flake.lock
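Review bot: The committed CA certificate is only consumed through `security.pki.certificateFiles` in hosts/marisa/services.nix, while the Consul and Nomad configs in the same file read it from `/var/consul-certs/consul-agent-ca.pem`, a path nothing in this commit provisions. If that copy is placed by hand, a comment next to the `ca_file` lines should say so; otherwise pointing them at the repository file (`ca_file = "${../../consul-agent-ca.pem}";`) keeps a single source of truth. The subject fields match the defaults of a `consul tls ca` run (Consul Agent CA, HashiCorp Inc.), which is fine for a public CA certificate; this hunk adds only the certificate, and the CA private key and the `dc1-server-consul-0` leaf key referenced in services.nix must stay out of the repository.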
@@ -5,11 +5,11 @@
 "nixpkgs": "nixpkgs"
 },
 "locked": {
- "lastModified": 1640802000,
- "narHash": "sha256-ZiI94Zv/IgW64fqKrtVaQqfUCkn9STvAjgfFmvtqcQ8=",
+ "lastModified": 1641576265,
+ "narHash": "sha256-G4W39k5hdu2kS13pi/RhyTOySAo7rmrs7yMUZRH0OZI=",
 "owner": "ryantm",
 "repo": "agenix",
- "rev": "c5558c88b2941bf94886dfdede6926b1ba5f5629",
+ "rev": "08b9c96878b2f9974fc8bde048273265ad632357",
 "type": "github"
 },
 "original": {
@@ -36,11 +36,11 @@
 },
 "emacs": {
 "locked": {
- "lastModified": 1641149178,
- "narHash": "sha256-Mt+oT5YZ6G9zHctDKV5pY+3vIdsMmAg0HMvz6rxsIc0=",
+ "lastModified": 1642907001,
+ "narHash": "sha256-Basy/QPtDPt5AiEz0QZnAn0aZgPyFCHPJZPAy1TRD/I=",
 "owner": "nix-community",
 "repo": "emacs-overlay",
- "rev": "f3c435a5e5cfa3ce1b2f50ba37b9cacfec4139d9",
+ "rev": "bed8ed5a6d51db297253c45b2c866fc33854db9f",
 "type": "github"
 },
 "original": {
@@ -52,11 +52,11 @@
 "flake-compat": {
 "flake": false,
 "locked": {
- "lastModified": 1627913399,
- "narHash": "sha256-hY8g6H2KFL8ownSiFeMOjwPC8P0ueXpCVEbxgda3pko=",
+ "lastModified": 1641205782,
+ "narHash": "sha256-4jY7RCWUoZ9cKD8co0/4tFARpWB+57+r1bLLvXNJliY=",
 "owner": "edolstra",
 "repo": "flake-compat",
- "rev": "12c64ca55c1014cdc1b16ed5a804aa8576601ff2",
+ "rev": "b7547d3eed6f32d06102ead8991ec52ab0a4f1a7",
 "type": "github"
 },
 "original": {
@@ -67,11 +67,11 @@
 },
 "flake-utils": {
 "locked": {
- "lastModified": 1634851050,
- "narHash": "sha256-N83GlSGPJJdcqhUxSCS/WwW5pksYf3VP1M13cDRTSVA=",
+ "lastModified": 1638122382,
+ "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
 "owner": "numtide",
 "repo": "flake-utils",
- "rev": "c91f3de5adaf1de973b797ef7485e441a65b8935",
+ "rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
 "type": "github"
 },
 "original": {
@@ -115,11 +115,11 @@
 "nixpkgs": "nixpkgs_2"
 },
 "locked": {
- "lastModified": 1641121012,
- "narHash": "sha256-svaOMxNMQgFHjcxdmLojOxTxfqSENtnO+S3kb+npIwY=",
+ "lastModified": 1642882610,
+ "narHash": "sha256-pmdgeJ9v6y+T0UfNQ/Z+Hdv5tPshFFra5JLF/byUA/Y=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "8e7a10602d1eb1d242c9d3f9b822203d5751a8c6",
+ "rev": "c47c350f6518ed39c2a16e4fadf9137b6c559ddc",
 "type": "github"
 },
 "original": {
@@ -133,11 +133,11 @@
 "nixpkgs": "nixpkgs_3"
 },
 "locked": {
- "lastModified": 1639871969,
- "narHash": "sha256-6feWUnMygRzA9tzkrfAzpA5/NBYg75bkFxnqb1DtD7E=",
+ "lastModified": 1642653493,
+ "narHash": "sha256-22mGPjiHUo2Jmze4IjXCJLjeK2mbvvCztHmUyUMr4yw=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "697cc8c68ed6a606296efbbe9614c32537078756",
+ "rev": "28b9ae40c45c5e7711c353fee1b7af734e293979",
 "type": "github"
 },
 "original": {
@@ -171,11 +171,11 @@
 },
 "master": {
 "locked": {
- "lastModified": 1641155364,
- "narHash": "sha256-7OXbMNAVeO5Yn916tADri1UIzl5bU27PjIDSLZB4G9A=",
+ "lastModified": 1642909347,
+ "narHash": "sha256-S6yg5kwTsyhEmq44cKGtA8jy9Z21Hq6m2IIz6XoqJNE=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "03985162cf0d012b5ebdad5271c26e0cfacd1aa2",
+ "rev": "22eff4f912947a7db3c07e5b319e211c33e39957",
 "type": "github"
 },
 "original": {
@@ -212,11 +212,11 @@
 },
 "locked": {
 "dir": "contrib",
- "lastModified": 1641106516,
- "narHash": "sha256-zx9GDn7rXvqvrQaRiop7Xx8qqSt3FPppVcShmneSqHs=",
+ "lastModified": 1642784680,
+ "narHash": "sha256-nU4vyFC0BYzv47McYsNJYDu/8ttPgPHTmowueukxpoA=",
 "owner": "neovim",
 "repo": "neovim",
- "rev": "e42c9065972f93e4666fbd8e06fc56333e9e5d24",
+ "rev": "e07a4b97f6552674f6038d15c0767bbfea082bf2",
 "type": "github"
 },
 "original": {
@@ -232,11 +232,11 @@
 "utils": "utils_3"
 },
 "locked": {
- "lastModified": 1640904492,
- "narHash": "sha256-KrFdQl9sRxfkA18OnfY10+wvcRsExEjl0HHUQH2Di8E=",
+ "lastModified": 1642719993,
+ "narHash": "sha256-osCgh6MHvhwS30591CEwQ15KKtRWb73xY3Y0x3ZqpxE=",
 "owner": "fufexan",
 "repo": "nix-gaming",
- "rev": "57f79e1181805df1ec1c6336dca40aee9671cee0",
+ "rev": "e935a8490bd218fe48ed89737c91d33fdf82ec29",
 "type": "github"
 },
 "original": {
@@ -306,11 +306,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1641104204,
- "narHash": "sha256-mCjEJNKaeS/BhQQFNSxHfA0/XtujbTAAJpustt1hIxI=",
+ "lastModified": 1642819963,
+ "narHash": "sha256-pfd+ZKHj88jHtnRbLP/+uj3qNUjrkrQGRp9w3YKDzeQ=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "28d58b979250ef33f049fe1c74daa50b7515126b",
+ "rev": "6631973f4502938ccfc75fe8b9d0a3259080d82d",
 "type": "github"
 },
 "original": {
@@ -320,11 +320,11 @@
 },
 "nixpkgs_3": {
 "locked": {
- "lastModified": 1641104204,
- "narHash": "sha256-mCjEJNKaeS/BhQQFNSxHfA0/XtujbTAAJpustt1hIxI=",
+ "lastModified": 1642819963,
+ "narHash": "sha256-pfd+ZKHj88jHtnRbLP/+uj3qNUjrkrQGRp9w3YKDzeQ=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "28d58b979250ef33f049fe1c74daa50b7515126b",
+ "rev": "6631973f4502938ccfc75fe8b9d0a3259080d82d",
 "type": "github"
 },
 "original": {
@@ -365,11 +365,11 @@
 },
 "nixpkgs_6": {
 "locked": {
- "lastModified": 1637579689,
- "narHash": "sha256-w9jJ0l9TgSeoMRQZOk+9EqWcNSsOvqcvS3mj067M7II=",
+ "lastModified": 1642265851,
+ "narHash": "sha256-6J2paKHuQKhaBJNVf7k1NI9pqiMiAlkgt0x7obFtQ70=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "108f913823dc1977b57e34bf86818c08fad8536d",
+ "rev": "60dec7aa319dc620cd77ecae8ce48f5374450452",
 "type": "github"
 },
 "original": {
@@ -380,11 +380,11 @@
 },
 "nixpkgs_7": {
 "locked": {
- "lastModified": 1641104204,
- "narHash": "sha256-mCjEJNKaeS/BhQQFNSxHfA0/XtujbTAAJpustt1hIxI=",
+ "lastModified": 1642819963,
+ "narHash": "sha256-pfd+ZKHj88jHtnRbLP/+uj3qNUjrkrQGRp9w3YKDzeQ=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "28d58b979250ef33f049fe1c74daa50b7515126b",
+ "rev": "6631973f4502938ccfc75fe8b9d0a3259080d82d",
 "type": "github"
 },
 "original": {
@@ -396,11 +396,11 @@
 },
 "nixpkgs_8": {
 "locked": {
- "lastModified": 1640959792,
- "narHash": "sha256-zYSR//06FU2TDOpKKj0Hkff6unsxk3NwwNFuB1loU6E=",
+ "lastModified": 1642814535,
+ "narHash": "sha256-FKX6vDo4MeE/QpWvCrPFQBkwzj2zYxUR5QR/9RTSFEo=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "59bfda72480496f32787cec8c557182738b1bd3f",
+ "rev": "fc4148a47fa927319186061aa42633c8aa5777f1",
 "type": "github"
 },
 "original": {
@@ -412,11 +412,11 @@
 },
 "nixpkgs_9": {
 "locked": {
- "lastModified": 1640871638,
- "narHash": "sha256-ty6sGnJUQEkCd43At5U3DRQZD7rPARz5VginSW6hZ3k=",
+ "lastModified": 1642635915,
+ "narHash": "sha256-vabPA32j81xBO5m3+qXndWp5aqepe+vu96Wkd9UnngM=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "5b091d4fbe3b7b7493c3b46fe0842e4b30ea24b3",
+ "rev": "6d8215281b2f87a5af9ed7425a26ac575da0438f",
 "type": "github"
 },
 "original": {
@@ -428,11 +428,11 @@
 },
 "nur": {
 "locked": {
- "lastModified": 1641155785,
- "narHash": "sha256-QDnIQ7sfawBaQckDTIQqsSevftrJpxluQUhzX0goWg4=",
+ "lastModified": 1642906509,
+ "narHash": "sha256-W4H8jx1yTFyVWzSwsmfZs3Zx4LElhK/JL+vlBmSTt48=",
 "owner": "nix-community",
 "repo": "NUR",
- "rev": "9dc87bdd533db31f14bd5fdc4f7fb6aab6a40056",
+ "rev": "5583de315930c2b73c8491607fb80ab0689a014f",
 "type": "github"
 },
 "original": {
@@ -448,11 +448,11 @@
 "nixpkgs": "nixpkgs_9"
 },
 "locked": {
- "lastModified": 1641111239,
- "narHash": "sha256-w1jUAuVmImMQGhaUY8dNVAxE4SNULI32RqyRX6DXzBo=",
+ "lastModified": 1642839161,
+ "narHash": "sha256-d2DVBjVh9cA6MWAXs+ayUncmY2VnXSLwIS2o9EnIZeQ=",
 "owner": "nix-community",
 "repo": "neovim-nightly-overlay",
- "rev": "5906176ea9464d9a33c229b124fd713584bcfa57",
+ "rev": "ca9465259e268b343b9875b17fd3a97a1c72c242",
 "type": "github"
 },
 "original": {
@@ -485,11 +485,11 @@
 "nixpkgs": "nixpkgs_10"
 },
 "locked": {
- "lastModified": 1641091280,
- "narHash": "sha256-atemDjUQXazv/VQvEb7VC6JQ6oe2n7D2r/09qRsbthc=",
+ "lastModified": 1642838864,
+ "narHash": "sha256-pHnhm3HWwtvtOK7NdNHwERih3PgNlacrfeDwachIG8E=",
 "owner": "oxalica",
 "repo": "rust-overlay",
- "rev": "13b6bd69cd0ecf985fba18105a23464c5e76b24a",
+ "rev": "9fb49daf1bbe1d91e6c837706c481f9ebb3d8097",
 "type": "github"
 },
 "original": {
@@ -500,11 +500,11 @@
 },
 "stable": {
 "locked": {
- "lastModified": 1641046839,
- "narHash": "sha256-9XJgfDKU1hhC0E16FxDJe//Utrm79AQxesPhTltwjQ4=",
+ "lastModified": 1642798845,
+ "narHash": "sha256-1g1X3wKmroGix68OXwb4gR1yXKPQ36apI1dssd/YbuM=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "d1e59cfc49961e121583abe32e2f3db1550fbcff",
+ "rev": "e84444b14cc75a4be17b58fd2c344f47dddf084e",
 "type": "github"
 },
 "original": {
@@ -549,11 +549,11 @@
 "flake-utils": "flake-utils"
 },
 "locked": {
- "lastModified": 1636270960,
- "narHash": "sha256-5M3ytlFl9q6up8twhJ63JE2A5igrHR94YsHTOmKzHwA=",
+ "lastModified": 1639385028,
+ "narHash": "sha256-oqorKz3mwf7UuDJwlbCEYCB2LfcWLL0DkeCWhRIL820=",
 "owner": "gytis-ivaskevicius",
 "repo": "flake-utils-plus",
- "rev": "e22fcd75da49c122ec7a0e30785e3edf2f69cfe7",
+ "rev": "be1be083af014720c14f3b574f57b6173b4915d0",
 "type": "github"
 },
 "original": {
@@ -564,11 +564,11 @@
 },
 "utils_4": {
 "locked": {
- "lastModified": 1638122382,
- "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
+ "lastModified": 1642700792,
+ "narHash": "sha256-XqHrk7hFb+zBvRg6Ghl+AZDq03ov6OshJLiSWOoX5es=",
 "owner": "numtide",
 "repo": "flake-utils",
- "rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
+ "rev": "846b2ae0fc4cc943637d3d1def4454213e203cba",
 "type": "github"
 },
 "original": {
diff --git a/hosts/marisa/boot.nix b/hosts/marisa/boot.nix
index 59c39f2..dc6d9ce 100755
--- a/hosts/marisa/boot.nix
+++ b/hosts/marisa/boot.nix
@@ -4,7 +4,7 @@
 initrd.availableKernelModules = [ "xhci_pci" "usb_storage" "usbhid" "uas" "pcie-brcmstb"];
 loader = {
 grub.enable = false;
- generic-extlinux-compatible.enable= true;
+ # generic-extlinux-compatible.enable= true;
 raspberryPi= {
 version = 4;
 firmwareConfig = "dtparam=sd_poll_once=on";
diff --git a/hosts/marisa/networking.nix b/hosts/marisa/networking.nix
index 5509ca7..6203d55 100755
--- a/hosts/marisa/networking.nix
+++ b/hosts/marisa/networking.nix
@@ -3,7 +3,7 @@
 networking = {
 hostName = "Marisa";
 firewall = {
- allowedTCPPorts = [ 22 80 6060 5001 8800 8888 4444 4445 4646 ];
+ allowedTCPPorts = [ 22 80 6060 5001 8800 8888 4444 4646 8500 8080 ];
 allowedUDPPorts = [ 17840 ];
 };
 wireless = {
diff --git a/hosts/marisa/services.nix b/hosts/marisa/services.nix
index 7a33a82..2a48920 100755
--- a/hosts/marisa/services.nix
+++ b/hosts/marisa/services.nix
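Review bot: The `generic-extlinux-compatible.enable` line in hosts/marisa/boot.nix is commented out rather than set, so nothing records why the extlinux loader was dropped in a commit titled "try consul and nomad". Prefer an explicit `generic-extlinux-compatible.enable = false; # superseded by loader.raspberryPi below` so the intent survives, or delete the line outright; the `loader` attrset continues past the end of the hunk.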
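Review bot: The firewall change in hosts/marisa/networking.nix opens 8500, which the new Consul config in services.nix serves as plain HTTP (it sets no `ports.https`, and Nomad's consul stanza now says `ssl = false`), so ACL tokens presented to the API cross the network unencrypted on 10.55.0.2. If only the local Nomad needs the API, setting `client_addr` to loopback and leaving 8500 closed is the smaller exposure; if remote access is required, enable `ports.https` and open that port instead. Port 8080 has no counterpart anywhere in this commit, so a comment naming the service it is for would help; 4445 is dropped while the Consul config moves gRPC to 8502 without opening it, which is fine if only local Connect sidecars use it.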
@@ -1,52 +1,124 @@
 { lib, config, pkgs, ... }: {
+
+ # Add secrets to conul and nomad configs
+ systemd.services.consul.preStart =
+ let
+ originalCfg = pkgs.writeText "consulConfiguration.json" (builtins.toJSON rec {
+ data_dir = "/var/lib/consul";
+ ui_config = {
+ enabled = true;
+ };
+ bootstrap = true;
+ log_level = "DEBUG";
+ enable_syslog = true;
+ datacenter = "dc1";
+ bind_addr = "10.55.0.2";
+ client_addr = bind_addr;
+ primary_datacenter = "dc1";
+ node_name = "Marisa";
+ acl = {
+ enabled = true;
+ default_policy = "deny";
+ tokens = {
+ agent = "+++consul_marisa+++";
+ };
+ };
+ server = true;
+ connect = {
+ enabled = true;
+ };
+ ports = {
+ grpc = 8502;
+ };
+ encrypt = "+++consul_encryption+++";
+ ca_file = "/var/consul-certs/consul-agent-ca.pem";
+ cert_file = "/var/consul-certs/dc1-server-consul-0.pem";
+ key_file = "/var/consul-certs/dc1-server-consul-0-key.pem";
+ });
+ in
+ lib.mkForce ''
+ mkdir -p /run/consul
+ sed -e 's,+++consul_encryption+++,'"$(cat /var/secrets/consul_encryption.key)"',' \
+ -e 's,+++consul_marisa+++,'"$(cat /var/secrets/consul_marisa.token)"',' \
+ ${originalCfg} > /run/consul/consul.json
+ '';
+ systemd.services.nomad.after = [ "consul.service" ];
+ systemd.services.nomad.preStart =
+ let
+ originalCfg = pkgs.writeText "nomadConfiguration.json"
+ (builtins.toJSON rec {
+ bind_addr = "0.0.0.0";
+ data_dir = "/var/lib/nomad";
+ disable_update_check = true;
+ datacenter = "n1";
+ log_file = "/var/log/nomad/nomad.log";
+ server = {
+ enabled = true;
+ encrypt = "+++nomad_encryption+++";
+ };
+ plugin."docker" = {
+ config = {
+ allow_privileged = true;
+ volumes.enabled = true;
+ pull_activity_timeout = "30m";
+ };
+ };
+ client = {
+ options = {
+ "docker.privileged.enabled" = true;
+ "docker.volumes.enabled" = true;
+ };
+ enabled = true;
+ cni_path = "${pkgs.cni-plugins}/bin";
+ };
+ vault = {
+ enabled = true;
+ token = "+++nomad_vault+++";
+ address = "https://10.55.0.2:8800";
+ ca_file = "/var/rootcert/cert.pem";
+ cert_file = "/var/certs/cert.pem";
+ key_file = "/var/certs/key.pem";
+ allow_unauthenticated = false;
+ create_from_role = "nomad-cluster";
+ };
+ consul = {
+ address = "10.55.0.2:8500";
+ token = "+++nomad_consul+++";
+ ssl = false;
+ allow_unauthenticated = false;
+ ca_file = "/var/consul-certs/consul-agent-ca.pem";
+ cert_file = "/var/consul-certs/dc1-server-consul-0.pem";
+ key_file = "/var/consul-certs/dc1-server-consul-0-key.pem";
+ auto_advertise = true;
+ server_auto_join = true;
+ client_auto_join = true;
+ };
+ acl = {
+ enabled = true;
+ };
+ });
+ in
+ ''
+ mkdir -p /run/nomad
+ sed -e 's,+++nomad_encryption+++,'"$(cat /var/secrets/nomad_encryption.key)"',' \
+ -e 's,+++nomad_consul+++,'"$(cat /var/secrets/nomad_consul.token)"',' \
+ -e 's,+++nomad_vault+++,'"$(cat /var/secrets/nomad_vault.token)"',' \
+ ${originalCfg} > /run/nomad/nomad.json
+ '';
 services = {
 openssh = {
 enable = true;
 permitRootLogin = "yes";
 };
 nomad = {
- enable = false;
+ package = pkgs.master.nomad;
+ enable = true;
 enableDocker = true;
- settings = {
- bind_addr = "0.0.0.0";
- data_dir = "/var/lib/nomad";
- datacenter = "n1";
- log_file = "/var/log/nomad/nomad.log";
- server = {
- enabled = true;
- bootstrap_expect = 1;
- encrypt = "nY1vuN+1ecJkwJu0s2x6Ge6UX/txvTxVqNrDMqruMlg=";
- };
- client = {
- enabled = true;
- };
- vault = {
- enabled = true;
- token = "s.WaNfk6ZISRbwsEx43UokG3HU";
- address = "https://10.55.0.2:8800";
- ca_file = "/var/rootcert/cert.pem";
- cert_file = "/var/vault/cert.pem";
- key_file = "/var/vault/key.pem";
- allow_unauthenticated = false;
- create_from_role = "nomad-cluster";
- };
- consul = {
- address = "10.55.0.2:4444";
- ssl = true;
- allow_unauthenticated = false;
- auto_advertise = true;
- server_auto_join = true;
- client_auto_join = true;
- ca_file = "/var/certs/cert.pem";
- cert_file = "/var/vault/cert.pem";
- key_file = "/var/vault/key.pem";
- };
- acl = {
- enabled = true;
- };
- };
+ dropPrivileges = false;
+ extraPackages = with pkgs; [ consul ];
+ extraSettingsPaths = lib.singleton "/run/nomad/nomad.json";
 };
 vault = {
 package = pkgs.vault-bin;
@@ -61,31 +133,11 @@
 ui = true
 '';
 };
+
 consul = {
- enable = false;
- webUi = true;
- extraConfig = rec {
- bootstrap = true;
- log_level = "DEBUG";
- enable_syslog = true;
- datacenter = "d1";
- bind_addr = "10.55.0.2";
- client_addr = bind_addr;
- primary_datacenter = "d1";
- node_name = "Marisa";
- server = true;
- connect = {
- enabled = true;
- };
- encrypt = "dXoYbVt1Rb1cTFTWVBGO6CaFIBmc90MPCjhqttBlXi0=";
- ca_file = "/var/rootcert/cert.pem";
- cert_file = "/var/certs/cert.pem";
- key_file = "/var/certs/key.pem";
- ports = {
- http = 4444;
- grpc = 4445;
- };
- };
+ enable = true;
+ package = pkgs.master.consul;
+ extraConfigFiles = lib.singleton "/run/consul/consul.json";
 };
 vault-agent = {
 enable = true;
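Review bot: The rendered `/run/consul/consul.json` and `/run/nomad/nomad.json` carry the gossip keys and the Consul, Nomad and Vault tokens, yet both preStart scripts write them through `sed ... >` with whatever umask the unit inherits, so they are most likely 0644 and readable by every local user. Put `umask 077` at the top of both scripts, and because the consul unit runs as its own user unless the module's `dropPrivileges` is turned off (the nomad block sets `dropPrivileges = false`, so root reads its own file), follow the consul render with `chown consul /run/consul/consul.json` — the `mkdir -p /run/consul` only succeeds if preStart itself runs as root, so that chown should be possible. Three further points in the same hunk: `lib.mkForce` discards whatever preStart the NixOS consul module contributes (data-dir setup, if any — confirm), the new nomad `server` block drops the old `bootstrap_expect = 1`, without which a lone server may never elect a leader, and the nomad `consul` stanza flips from `ssl = true` to `ssl = false` while still listing `ca_file`/`cert_file`/`key_file`, which then go unused. `allow_privileged = true` together with `"docker.privileged.enabled" = true` means anyone allowed to submit a job can obtain a privileged container, i.e. root on the host, so keep job submission gated behind the Nomad ACL policies the `acl` block enables. The header comment reads `conul`.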
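Review bot: The gossip key removed from the `consul.extraConfig` block here, like the Nomad `encrypt` value and the `s.`-prefixed Vault token removed in the first hunk of this file, remains in git history after this commit, so moving the values into Vault does not retire them — rotate all three and treat the old values as exposed. The rendered Consul config only names `ca_file`, `cert_file` and `key_file`; with `verify_incoming`, `verify_outgoing` and `verify_server_hostname` absent from the commit, Consul loads the certificates but, as far as its defaults go, still accepts and initiates connections without TLS, and the HTTP API on 8500 stays plaintext. The usual minimum is `verify_incoming = true; verify_outgoing = true; verify_server_hostname = true;` next to the certificate paths, plus `ports.https = 8501;` if the API must leave the host. The `consul` attrset lies entirely inside the hunk; the enclosing `services` set does not.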
@@ -117,6 +169,42 @@
 '';
 destination = "/var/secrets/wg.key";
 }
+ {
+ source = pkgs.writeText "consul_marisa.tpl" ''
+ {{ with secret "kv/systems/Marisa/consul" }}{{ .Data.data.agentToken }}{{ end }}
+ '';
+ destination = "/var/secrets/consul_marisa.token";
+ }
+ {
+ source = pkgs.writeText "consul_bootstrap.tpl" ''
+ {{ with secret "kv/consul" }}{{ .Data.data.bootstrapToken }}{{ end }}
+ '';
+ destination = "/var/secrets/consul_bootstrap.token";
+ }
+ {
+ source = pkgs.writeText "consul_encryption.tpl" ''
+ {{ with secret "kv/consul" }}{{ .Data.data.encryptionKey }}{{ end }}
+ '';
+ destination = "/var/secrets/consul_encryption.key";
+ }
+ {
+ source = pkgs.writeText "nomad_vault.tpl" ''
+ {{ with secret "kv/nomad" }}{{ .Data.data.vaultToken }}{{ end }}
+ '';
+ destination = "/var/secrets/nomad_vault.token";
+ }
+ {
+ source = pkgs.writeText "nomad_vault.tpl" ''
+ {{ with secret "kv/nomad" }}{{ .Data.data.consulToken }}{{ end }}
+ '';
+ destination = "/var/secrets/nomad_consul.token";
+ }
+ {
+ source = pkgs.writeText "nomad_encryption.tpl" ''
+ {{ with secret "kv/nomad" }}{{ .Data.data.encryptionKey }}{{ end }}
+ '';
+ destination = "/var/secrets/nomad_encryption.key";
+ }
 ];
 };
 };
@@ -134,10 +222,16 @@
 '';
 };
 gitea = {
- enable = true;
+ enable = false;
 appName = "Natto Tea";
 rootUrl = "https://git.weirdnatto.in/";
 cookieSecure = true;
+ dump = {
+ enable = true;
+ backupDir = "/tmp/gitea";
+ type = "tar.gz";
+ file = "gitnigger";
+ };
 httpPort = 5001;
 database = rec {
 createDatabase = false;
@@ -169,5 +263,7 @@
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOSQnDNrNP69tIK7U2D7qaMjycfIjpgx0at4U2D5Ufib"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK5V/hdkTTQSkDLXaEwY8xb/T8+sWtw5c6UjYOPaTrO8"
 ];
- security.pki.certificateFiles = [ ../../cert.pem ];
+ security.pki.certificateFiles = [ ../../cert.pem ../../consul-agent-ca.pem ];
+ }
+
diff --git a/modules/min-pkgs.nix b/modules/min-pkgs.nix
index 7b99a15..617c888 100755
--- a/modules/min-pkgs.nix
+++ b/modules/min-pkgs.nix
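Review bot: The fifth template in the vault-agent list reuses the name `nomad_vault.tpl` for the file that renders `consulToken` to `/var/secrets/nomad_consul.token`; `pkgs.writeText` keys on content so it still works, but the store path and any log line will read as a second Vault-token template — name it `nomad_consul.tpl`. The rendered files are read back by the consul and nomad preStart scripts, so their on-disk mode matters: Vault Agent renders a template 0644 when the destination does not already exist and the stanza sets no `perms`, and nothing here restricts that — if this module passes a `perms` (or equivalent) option through, set it to `0600` on every entry. `consul_bootstrap.token` is rendered but referenced nowhere else in the commit; if it exists for a manual `consul acl bootstrap`, a one-line comment saying so will stop the next reader from deleting it. The `templates` list starts before this hunk.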
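Review bot: `dump.file` in the gitea block is set to a racial slur; replace it with a neutral name such as `gitea-backup` before this lands. `backupDir = "/tmp/gitea"` also deserves a second look: a Gitea dump bundles the database, the repositories and the instance configuration into one archive, and `/tmp` is world-writable and may be cleared on reboot, so a root-owned directory with restrictive permissions (for example under `/var/backup`) fits better. With `enable = false` on the same block the NixOS gitea module most likely skips the dump timer too, since its dump options sit under the service's `enable` — confirm that a dump is actually produced while the service is off.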
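Review bot: Adding `../../consul-agent-ca.pem` to `security.pki.certificateFiles` makes the Consul cluster CA a trusted root for every TLS client on the host (curl, git, the Vault client), so any leaf it signs — `dc1-server-consul-0.pem` included — is accepted for whatever name it carries; the Consul and Nomad configs earlier in this file already pin the CA through their own `ca_file` options, so the system-wide entry is unnecessary and should be dropped. The hunk also appends a closing `}` and a blank line after what was the file's last attribute; one old-side line is not visible here, but if the original `}` still follows, the file now has an unbalanced brace — check it with `nix-instantiate --parse hosts/marisa/services.nix`.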
@@ -9,6 +9,8 @@
 tree-sitter
 rnix-lsp
 nmap
+ gcc
+ fly
 ];
 programs = {