natto1784/dotfiles
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Marisa: try consul and nomad

Browse Source
This commit is contained in:
Amneesh Singh
2022-01-28 02:11:38 +05:30
parent 881512cf97
commit dd96dacbf7
6 changed files with 246 additions and 130 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
hosts/marisa/boot.nix
View File

@@ -4,7 +4,7 @@
initrd.availableKernelModules = [ "xhci_pci" "usb_storage" "usbhid" "uas" "pcie-brcmstb"];
loader = {
grub.enable = false;
generic-extlinux-compatible.enable= true;
# generic-extlinux-compatible.enable= true;
raspberryPi= {
version = 4;
firmwareConfig = "dtparam=sd_poll_once=on";

2
hosts/marisa/networking.nix
View File

@@ -3,7 +3,7 @@
networking = {
hostName = "Marisa";
firewall = {
allowedTCPPorts = [ 22 80 6060 5001 8800 8888 4444 4445 4646 ];
allowedTCPPorts = [ 22 80 6060 5001 8800 8888 4444 4646 8500 8080 ];
allowedUDPPorts = [ 17840 ];
};
wireless = {

226
hosts/marisa/services.nix
View File

@@ -1,52 +1,124 @@
{ lib, config, pkgs, ... }:
{
# Add secrets to conul and nomad configs
systemd.services.consul.preStart =
let
originalCfg = pkgs.writeText "consulConfiguration.json" (builtins.toJSON rec {
data_dir = "/var/lib/consul";
ui_config = {
enabled = true;
};
bootstrap = true;
log_level = "DEBUG";
enable_syslog = true;
datacenter = "dc1";
bind_addr = "10.55.0.2";
client_addr = bind_addr;
primary_datacenter = "dc1";
node_name = "Marisa";
acl = {
enabled = true;
default_policy = "deny";
tokens = {
agent = "+++consul_marisa+++";
};
};
server = true;
connect = {
enabled = true;
};
ports = {
grpc = 8502;
};
encrypt = "+++consul_encryption+++";
ca_file = "/var/consul-certs/consul-agent-ca.pem";
cert_file = "/var/consul-certs/dc1-server-consul-0.pem";
key_file = "/var/consul-certs/dc1-server-consul-0-key.pem";
});
in
lib.mkForce ''
mkdir -p /run/consul
sed -e 's,+++consul_encryption+++,'"$(cat /var/secrets/consul_encryption.key)"',' \
-e 's,+++consul_marisa+++,'"$(cat /var/secrets/consul_marisa.token)"',' \
${originalCfg} > /run/consul/consul.json
'';
systemd.services.nomad.after = [ "consul.service" ];
systemd.services.nomad.preStart =
let
originalCfg = pkgs.writeText "nomadConfiguration.json"
(builtins.toJSON rec {
bind_addr = "0.0.0.0";
data_dir = "/var/lib/nomad";
disable_update_check = true;
datacenter = "n1";
log_file = "/var/log/nomad/nomad.log";
server = {
enabled = true;
encrypt = "+++nomad_encryption+++";
};
plugin."docker" = {
config = {
allow_privileged = true;
volumes.enabled = true;
pull_activity_timeout = "30m";
};
};
client = {
options = {
"docker.privileged.enabled" = true;
"docker.volumes.enabled" = true;
};
enabled = true;
cni_path = "${pkgs.cni-plugins}/bin";
};
vault = {
enabled = true;
token = "+++nomad_vault+++";
address = "https://10.55.0.2:8800";
ca_file = "/var/rootcert/cert.pem";
cert_file = "/var/certs/cert.pem";
key_file = "/var/certs/key.pem";
allow_unauthenticated = false;
create_from_role = "nomad-cluster";
};
consul = {
address = "10.55.0.2:8500";
token = "+++nomad_consul+++";
ssl = false;
allow_unauthenticated = false;
ca_file = "/var/consul-certs/consul-agent-ca.pem";
cert_file = "/var/consul-certs/dc1-server-consul-0.pem";
key_file = "/var/consul-certs/dc1-server-consul-0-key.pem";
auto_advertise = true;
server_auto_join = true;
client_auto_join = true;
};
acl = {
enabled = true;
};
});
in
''
mkdir -p /run/nomad
sed -e 's,+++nomad_encryption+++,'"$(cat /var/secrets/nomad_encryption.key)"',' \
-e 's,+++nomad_consul+++,'"$(cat /var/secrets/nomad_consul.token)"',' \
-e 's,+++nomad_vault+++,'"$(cat /var/secrets/nomad_vault.token)"',' \
${originalCfg} > /run/nomad/nomad.json
'';
services = {
openssh = {
enable = true;
permitRootLogin = "yes";
};
nomad = {
enable = false;
package = pkgs.master.nomad;
enable = true;
enableDocker = true;
settings = {
bind_addr = "0.0.0.0";
data_dir = "/var/lib/nomad";
datacenter = "n1";
log_file = "/var/log/nomad/nomad.log";
server = {
enabled = true;
bootstrap_expect = 1;
encrypt = "nY1vuN+1ecJkwJu0s2x6Ge6UX/txvTxVqNrDMqruMlg=";
};
client = {
enabled = true;
};
vault = {
enabled = true;
token = "s.WaNfk6ZISRbwsEx43UokG3HU";
address = "https://10.55.0.2:8800";
ca_file = "/var/rootcert/cert.pem";
cert_file = "/var/vault/cert.pem";
key_file = "/var/vault/key.pem";
allow_unauthenticated = false;
create_from_role = "nomad-cluster";
};
consul = {
address = "10.55.0.2:4444";
ssl = true;
allow_unauthenticated = false;
auto_advertise = true;
server_auto_join = true;
client_auto_join = true;
ca_file = "/var/certs/cert.pem";
cert_file = "/var/vault/cert.pem";
key_file = "/var/vault/key.pem";
};
acl = {
enabled = true;
};
};
dropPrivileges = false;
extraPackages = with pkgs; [ consul ];
extraSettingsPaths = lib.singleton "/run/nomad/nomad.json";
};
vault = {
package = pkgs.vault-bin;
@@ -61,31 +133,11 @@
ui = true
'';
};
consul = {
enable = false;
webUi = true;
extraConfig = rec {
bootstrap = true;
log_level = "DEBUG";
enable_syslog = true;
datacenter = "d1";
bind_addr = "10.55.0.2";
client_addr = bind_addr;
primary_datacenter = "d1";
node_name = "Marisa";
server = true;
connect = {
enabled = true;
};
encrypt = "dXoYbVt1Rb1cTFTWVBGO6CaFIBmc90MPCjhqttBlXi0=";
ca_file = "/var/rootcert/cert.pem";
cert_file = "/var/certs/cert.pem";
key_file = "/var/certs/key.pem";
ports = {
http = 4444;
grpc = 4445;
};
};
enable = true;
package = pkgs.master.consul;
extraConfigFiles = lib.singleton "/run/consul/consul.json";
};
vault-agent = {
enable = true;
@@ -117,6 +169,42 @@
'';
destination = "/var/secrets/wg.key";
}
{
source = pkgs.writeText "consul_marisa.tpl" ''
{{ with secret "kv/systems/Marisa/consul" }}{{ .Data.data.agentToken }}{{ end }}
'';
destination = "/var/secrets/consul_marisa.token";
}
{
source = pkgs.writeText "consul_bootstrap.tpl" ''
{{ with secret "kv/consul" }}{{ .Data.data.bootstrapToken }}{{ end }}
'';
destination = "/var/secrets/consul_bootstrap.token";
}
{
source = pkgs.writeText "consul_encryption.tpl" ''
{{ with secret "kv/consul" }}{{ .Data.data.encryptionKey }}{{ end }}
'';
destination = "/var/secrets/consul_encryption.key";
}
{
source = pkgs.writeText "nomad_vault.tpl" ''
{{ with secret "kv/nomad" }}{{ .Data.data.vaultToken }}{{ end }}
'';
destination = "/var/secrets/nomad_vault.token";
}
{
source = pkgs.writeText "nomad_vault.tpl" ''
{{ with secret "kv/nomad" }}{{ .Data.data.consulToken }}{{ end }}
'';
destination = "/var/secrets/nomad_consul.token";
}
{
source = pkgs.writeText "nomad_encryption.tpl" ''
{{ with secret "kv/nomad" }}{{ .Data.data.encryptionKey }}{{ end }}
'';
destination = "/var/secrets/nomad_encryption.key";
}
];
};
};
@@ -134,10 +222,16 @@
'';
};
gitea = {
enable = true;
enable = false;
appName = "Natto Tea";
rootUrl = "https://git.weirdnatto.in/";
cookieSecure = true;
dump = {
enable = true;
backupDir = "/tmp/gitea";
type = "tar.gz";
file = "gitnigger";
};
httpPort = 5001;
database = rec {
createDatabase = false;
@@ -169,5 +263,7 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOSQnDNrNP69tIK7U2D7qaMjycfIjpgx0at4U2D5Ufib"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK5V/hdkTTQSkDLXaEwY8xb/T8+sWtw5c6UjYOPaTrO8"
];
security.pki.certificateFiles = [ ../../cert.pem ];
security.pki.certificateFiles = [ ../../cert.pem ../../consul-agent-ca.pem ];
}