natto1784/dotfiles
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Marisa: try consul and nomad

Browse Source
This commit is contained in:
Amneesh Singh
2022-01-28 02:11:38 +05:30
parent 881512cf97
commit dd96dacbf7
6 changed files with 246 additions and 130 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
consul-agent-ca.pem Normal file
View File

@@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE-----
MIIC7TCCApSgAwIBAgIRALFjjI2cjNlictQWYya1oKkwCgYIKoZIzj0EAwIwgbkx
CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjFAMD4GA1UEAxM3Q29uc3VsIEFnZW50IENB
IDIzNTc5MDI0MzM5OTg5MDQyMDkwMDc4NzE2NTg4MzY1NjQxMzM1MzAeFw0yMjAx
MjIwNTM3MTNaFw0yNzAxMjEwNTM3MTNaMIG5MQswCQYDVQQGEwJVUzELMAkGA1UE
CBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xGjAYBgNVBAkTETEwMSBTZWNv
bmQgU3RyZWV0MQ4wDAYDVQQREwU5NDEwNTEXMBUGA1UEChMOSGFzaGlDb3JwIElu
Yy4xQDA+BgNVBAMTN0NvbnN1bCBBZ2VudCBDQSAyMzU3OTAyNDMzOTk4OTA0MjA5
MDA3ODcxNjU4ODM2NTY0MTMzNTMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7
/XOebThO8wdSVCE42mrvl5emMofZkzlRJ81BJacp9ZsenkW66U2QWhCJ/o8iXFcI
O7hCQVOqSKHV800q1j95o3sweTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUw
AwEB/zApBgNVHQ4EIgQgp5evx9TUR9LT7R8sm+OhNWTLPqwwADMIeY8Th59ICX0w
KwYDVR0jBCQwIoAgp5evx9TUR9LT7R8sm+OhNWTLPqwwADMIeY8Th59ICX0wCgYI
KoZIzj0EAwIDRwAwRAIgF7XqHjWG7MlzHfPkkonfn/WyzD2HNg3y/hvnjlPY6q4C
ICQS82jw2Rw9qhd3lsOL5xiJV0aC+NzOPAZ1MbFf+h9z
-----END CERTIFICATE-----

126
flake.lock generated
View File

@@ -5,11 +5,11 @@
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
}, },
"locked": { "locked": {
"lastModified": 1640802000, "lastModified": 1641576265,
"narHash": "sha256-ZiI94Zv/IgW64fqKrtVaQqfUCkn9STvAjgfFmvtqcQ8=", "narHash": "sha256-G4W39k5hdu2kS13pi/RhyTOySAo7rmrs7yMUZRH0OZI=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "c5558c88b2941bf94886dfdede6926b1ba5f5629", "rev": "08b9c96878b2f9974fc8bde048273265ad632357",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -36,11 +36,11 @@
}, },
"emacs": { "emacs": {
"locked": { "locked": {
"lastModified": 1641149178, "lastModified": 1642907001,
"narHash": "sha256-Mt+oT5YZ6G9zHctDKV5pY+3vIdsMmAg0HMvz6rxsIc0=", "narHash": "sha256-Basy/QPtDPt5AiEz0QZnAn0aZgPyFCHPJZPAy1TRD/I=",
"owner": "nix-community", "owner": "nix-community",
"repo": "emacs-overlay", "repo": "emacs-overlay",
"rev": "f3c435a5e5cfa3ce1b2f50ba37b9cacfec4139d9", "rev": "bed8ed5a6d51db297253c45b2c866fc33854db9f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -52,11 +52,11 @@
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1627913399, "lastModified": 1641205782,
"narHash": "sha256-hY8g6H2KFL8ownSiFeMOjwPC8P0ueXpCVEbxgda3pko=", "narHash": "sha256-4jY7RCWUoZ9cKD8co0/4tFARpWB+57+r1bLLvXNJliY=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "12c64ca55c1014cdc1b16ed5a804aa8576601ff2", "rev": "b7547d3eed6f32d06102ead8991ec52ab0a4f1a7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -67,11 +67,11 @@
}, },
"flake-utils": { "flake-utils": {
"locked": { "locked": {
"lastModified": 1634851050, "lastModified": 1638122382,
"narHash": "sha256-N83GlSGPJJdcqhUxSCS/WwW5pksYf3VP1M13cDRTSVA=", "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "c91f3de5adaf1de973b797ef7485e441a65b8935", "rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -115,11 +115,11 @@
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"lastModified": 1641121012, "lastModified": 1642882610,
"narHash": "sha256-svaOMxNMQgFHjcxdmLojOxTxfqSENtnO+S3kb+npIwY=", "narHash": "sha256-pmdgeJ9v6y+T0UfNQ/Z+Hdv5tPshFFra5JLF/byUA/Y=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "8e7a10602d1eb1d242c9d3f9b822203d5751a8c6", "rev": "c47c350f6518ed39c2a16e4fadf9137b6c559ddc",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -133,11 +133,11 @@
"nixpkgs": "nixpkgs_3" "nixpkgs": "nixpkgs_3"
}, },
"locked": { "locked": {
"lastModified": 1639871969, "lastModified": 1642653493,
"narHash": "sha256-6feWUnMygRzA9tzkrfAzpA5/NBYg75bkFxnqb1DtD7E=", "narHash": "sha256-22mGPjiHUo2Jmze4IjXCJLjeK2mbvvCztHmUyUMr4yw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "697cc8c68ed6a606296efbbe9614c32537078756", "rev": "28b9ae40c45c5e7711c353fee1b7af734e293979",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -171,11 +171,11 @@
}, },
"master": { "master": {
"locked": { "locked": {
"lastModified": 1641155364, "lastModified": 1642909347,
"narHash": "sha256-7OXbMNAVeO5Yn916tADri1UIzl5bU27PjIDSLZB4G9A=", "narHash": "sha256-S6yg5kwTsyhEmq44cKGtA8jy9Z21Hq6m2IIz6XoqJNE=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "03985162cf0d012b5ebdad5271c26e0cfacd1aa2", "rev": "22eff4f912947a7db3c07e5b319e211c33e39957",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -212,11 +212,11 @@
}, },
"locked": { "locked": {
"dir": "contrib", "dir": "contrib",
"lastModified": 1641106516, "lastModified": 1642784680,
"narHash": "sha256-zx9GDn7rXvqvrQaRiop7Xx8qqSt3FPppVcShmneSqHs=", "narHash": "sha256-nU4vyFC0BYzv47McYsNJYDu/8ttPgPHTmowueukxpoA=",
"owner": "neovim", "owner": "neovim",
"repo": "neovim", "repo": "neovim",
"rev": "e42c9065972f93e4666fbd8e06fc56333e9e5d24", "rev": "e07a4b97f6552674f6038d15c0767bbfea082bf2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -232,11 +232,11 @@
"utils": "utils_3" "utils": "utils_3"
}, },
"locked": { "locked": {
"lastModified": 1640904492, "lastModified": 1642719993,
"narHash": "sha256-KrFdQl9sRxfkA18OnfY10+wvcRsExEjl0HHUQH2Di8E=", "narHash": "sha256-osCgh6MHvhwS30591CEwQ15KKtRWb73xY3Y0x3ZqpxE=",
"owner": "fufexan", "owner": "fufexan",
"repo": "nix-gaming", "repo": "nix-gaming",
"rev": "57f79e1181805df1ec1c6336dca40aee9671cee0", "rev": "e935a8490bd218fe48ed89737c91d33fdf82ec29",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -306,11 +306,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1641104204, "lastModified": 1642819963,
"narHash": "sha256-mCjEJNKaeS/BhQQFNSxHfA0/XtujbTAAJpustt1hIxI=", "narHash": "sha256-pfd+ZKHj88jHtnRbLP/+uj3qNUjrkrQGRp9w3YKDzeQ=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "28d58b979250ef33f049fe1c74daa50b7515126b", "rev": "6631973f4502938ccfc75fe8b9d0a3259080d82d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -320,11 +320,11 @@
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1641104204, "lastModified": 1642819963,
"narHash": "sha256-mCjEJNKaeS/BhQQFNSxHfA0/XtujbTAAJpustt1hIxI=", "narHash": "sha256-pfd+ZKHj88jHtnRbLP/+uj3qNUjrkrQGRp9w3YKDzeQ=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "28d58b979250ef33f049fe1c74daa50b7515126b", "rev": "6631973f4502938ccfc75fe8b9d0a3259080d82d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -365,11 +365,11 @@
}, },
"nixpkgs_6": { "nixpkgs_6": {
"locked": { "locked": {
"lastModified": 1637579689, "lastModified": 1642265851,
"narHash": "sha256-w9jJ0l9TgSeoMRQZOk+9EqWcNSsOvqcvS3mj067M7II=", "narHash": "sha256-6J2paKHuQKhaBJNVf7k1NI9pqiMiAlkgt0x7obFtQ70=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "108f913823dc1977b57e34bf86818c08fad8536d", "rev": "60dec7aa319dc620cd77ecae8ce48f5374450452",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -380,11 +380,11 @@
}, },
"nixpkgs_7": { "nixpkgs_7": {
"locked": { "locked": {
"lastModified": 1641104204, "lastModified": 1642819963,
"narHash": "sha256-mCjEJNKaeS/BhQQFNSxHfA0/XtujbTAAJpustt1hIxI=", "narHash": "sha256-pfd+ZKHj88jHtnRbLP/+uj3qNUjrkrQGRp9w3YKDzeQ=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "28d58b979250ef33f049fe1c74daa50b7515126b", "rev": "6631973f4502938ccfc75fe8b9d0a3259080d82d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -396,11 +396,11 @@
}, },
"nixpkgs_8": { "nixpkgs_8": {
"locked": { "locked": {
"lastModified": 1640959792, "lastModified": 1642814535,
"narHash": "sha256-zYSR//06FU2TDOpKKj0Hkff6unsxk3NwwNFuB1loU6E=", "narHash": "sha256-FKX6vDo4MeE/QpWvCrPFQBkwzj2zYxUR5QR/9RTSFEo=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "59bfda72480496f32787cec8c557182738b1bd3f", "rev": "fc4148a47fa927319186061aa42633c8aa5777f1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -412,11 +412,11 @@
}, },
"nixpkgs_9": { "nixpkgs_9": {
"locked": { "locked": {
"lastModified": 1640871638, "lastModified": 1642635915,
"narHash": "sha256-ty6sGnJUQEkCd43At5U3DRQZD7rPARz5VginSW6hZ3k=", "narHash": "sha256-vabPA32j81xBO5m3+qXndWp5aqepe+vu96Wkd9UnngM=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5b091d4fbe3b7b7493c3b46fe0842e4b30ea24b3", "rev": "6d8215281b2f87a5af9ed7425a26ac575da0438f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -428,11 +428,11 @@
}, },
"nur": { "nur": {
"locked": { "locked": {
"lastModified": 1641155785, "lastModified": 1642906509,
"narHash": "sha256-QDnIQ7sfawBaQckDTIQqsSevftrJpxluQUhzX0goWg4=", "narHash": "sha256-W4H8jx1yTFyVWzSwsmfZs3Zx4LElhK/JL+vlBmSTt48=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "9dc87bdd533db31f14bd5fdc4f7fb6aab6a40056", "rev": "5583de315930c2b73c8491607fb80ab0689a014f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -448,11 +448,11 @@
"nixpkgs": "nixpkgs_9" "nixpkgs": "nixpkgs_9"
}, },
"locked": { "locked": {
"lastModified": 1641111239, "lastModified": 1642839161,
"narHash": "sha256-w1jUAuVmImMQGhaUY8dNVAxE4SNULI32RqyRX6DXzBo=", "narHash": "sha256-d2DVBjVh9cA6MWAXs+ayUncmY2VnXSLwIS2o9EnIZeQ=",
"owner": "nix-community", "owner": "nix-community",
"repo": "neovim-nightly-overlay", "repo": "neovim-nightly-overlay",
"rev": "5906176ea9464d9a33c229b124fd713584bcfa57", "rev": "ca9465259e268b343b9875b17fd3a97a1c72c242",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -485,11 +485,11 @@
"nixpkgs": "nixpkgs_10" "nixpkgs": "nixpkgs_10"
}, },
"locked": { "locked": {
"lastModified": 1641091280, "lastModified": 1642838864,
"narHash": "sha256-atemDjUQXazv/VQvEb7VC6JQ6oe2n7D2r/09qRsbthc=", "narHash": "sha256-pHnhm3HWwtvtOK7NdNHwERih3PgNlacrfeDwachIG8E=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "13b6bd69cd0ecf985fba18105a23464c5e76b24a", "rev": "9fb49daf1bbe1d91e6c837706c481f9ebb3d8097",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -500,11 +500,11 @@
}, },
"stable": { "stable": {
"locked": { "locked": {
"lastModified": 1641046839, "lastModified": 1642798845,
"narHash": "sha256-9XJgfDKU1hhC0E16FxDJe//Utrm79AQxesPhTltwjQ4=", "narHash": "sha256-1g1X3wKmroGix68OXwb4gR1yXKPQ36apI1dssd/YbuM=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "d1e59cfc49961e121583abe32e2f3db1550fbcff", "rev": "e84444b14cc75a4be17b58fd2c344f47dddf084e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -549,11 +549,11 @@
"flake-utils": "flake-utils" "flake-utils": "flake-utils"
}, },
"locked": { "locked": {
"lastModified": 1636270960, "lastModified": 1639385028,
"narHash": "sha256-5M3ytlFl9q6up8twhJ63JE2A5igrHR94YsHTOmKzHwA=", "narHash": "sha256-oqorKz3mwf7UuDJwlbCEYCB2LfcWLL0DkeCWhRIL820=",
"owner": "gytis-ivaskevicius", "owner": "gytis-ivaskevicius",
"repo": "flake-utils-plus", "repo": "flake-utils-plus",
"rev": "e22fcd75da49c122ec7a0e30785e3edf2f69cfe7", "rev": "be1be083af014720c14f3b574f57b6173b4915d0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -564,11 +564,11 @@
}, },
"utils_4": { "utils_4": {
"locked": { "locked": {
"lastModified": 1638122382, "lastModified": 1642700792,
"narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=", "narHash": "sha256-XqHrk7hFb+zBvRg6Ghl+AZDq03ov6OshJLiSWOoX5es=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "74f7e4319258e287b0f9cb95426c9853b282730b", "rev": "846b2ae0fc4cc943637d3d1def4454213e203cba",
"type": "github" "type": "github"
}, },
"original": { "original": {

2
hosts/marisa/boot.nix
View File

@@ -4,7 +4,7 @@
initrd.availableKernelModules = [ "xhci_pci" "usb_storage" "usbhid" "uas" "pcie-brcmstb"]; initrd.availableKernelModules = [ "xhci_pci" "usb_storage" "usbhid" "uas" "pcie-brcmstb"];
loader = { loader = {
grub.enable = false; grub.enable = false;
generic-extlinux-compatible.enable= true; # generic-extlinux-compatible.enable= true;
raspberryPi= { raspberryPi= {
version = 4; version = 4;
firmwareConfig = "dtparam=sd_poll_once=on"; firmwareConfig = "dtparam=sd_poll_once=on";

2
hosts/marisa/networking.nix
View File

@@ -3,7 +3,7 @@
networking = { networking = {
hostName = "Marisa"; hostName = "Marisa";
firewall = { firewall = {
allowedTCPPorts = [ 22 80 6060 5001 8800 8888 4444 4445 4646 ]; allowedTCPPorts = [ 22 80 6060 5001 8800 8888 4444 4646 8500 8080 ];
allowedUDPPorts = [ 17840 ]; allowedUDPPorts = [ 17840 ];
}; };
wireless = { wireless = {

226
hosts/marisa/services.nix
View File

@@ -1,52 +1,124 @@
{ lib, config, pkgs, ... }: { lib, config, pkgs, ... }:
{ {
# Add secrets to conul and nomad configs
systemd.services.consul.preStart =
let
originalCfg = pkgs.writeText "consulConfiguration.json" (builtins.toJSON rec {
data_dir = "/var/lib/consul";
ui_config = {
enabled = true;
};
bootstrap = true;
log_level = "DEBUG";
enable_syslog = true;
datacenter = "dc1";
bind_addr = "10.55.0.2";
client_addr = bind_addr;
primary_datacenter = "dc1";
node_name = "Marisa";
acl = {
enabled = true;
default_policy = "deny";
tokens = {
agent = "+++consul_marisa+++";
};
};
server = true;
connect = {
enabled = true;
};
ports = {
grpc = 8502;
};
encrypt = "+++consul_encryption+++";
ca_file = "/var/consul-certs/consul-agent-ca.pem";
cert_file = "/var/consul-certs/dc1-server-consul-0.pem";
key_file = "/var/consul-certs/dc1-server-consul-0-key.pem";
});
in
lib.mkForce ''
mkdir -p /run/consul
sed -e 's,+++consul_encryption+++,'"$(cat /var/secrets/consul_encryption.key)"',' \
-e 's,+++consul_marisa+++,'"$(cat /var/secrets/consul_marisa.token)"',' \
${originalCfg} > /run/consul/consul.json
'';
systemd.services.nomad.after = [ "consul.service" ]; systemd.services.nomad.after = [ "consul.service" ];
systemd.services.nomad.preStart =
let
originalCfg = pkgs.writeText "nomadConfiguration.json"
(builtins.toJSON rec {
bind_addr = "0.0.0.0";
data_dir = "/var/lib/nomad";
disable_update_check = true;
datacenter = "n1";
log_file = "/var/log/nomad/nomad.log";
server = {
enabled = true;
encrypt = "+++nomad_encryption+++";
};
plugin."docker" = {
config = {
allow_privileged = true;
volumes.enabled = true;
pull_activity_timeout = "30m";
};
};
client = {
options = {
"docker.privileged.enabled" = true;
"docker.volumes.enabled" = true;
};
enabled = true;
cni_path = "${pkgs.cni-plugins}/bin";
};
vault = {
enabled = true;
token = "+++nomad_vault+++";
address = "https://10.55.0.2:8800";
ca_file = "/var/rootcert/cert.pem";
cert_file = "/var/certs/cert.pem";
key_file = "/var/certs/key.pem";
allow_unauthenticated = false;
create_from_role = "nomad-cluster";
};
consul = {
address = "10.55.0.2:8500";
token = "+++nomad_consul+++";
ssl = false;
allow_unauthenticated = false;
ca_file = "/var/consul-certs/consul-agent-ca.pem";
cert_file = "/var/consul-certs/dc1-server-consul-0.pem";
key_file = "/var/consul-certs/dc1-server-consul-0-key.pem";
auto_advertise = true;
server_auto_join = true;
client_auto_join = true;
};
acl = {
enabled = true;
};
});
in
''
mkdir -p /run/nomad
sed -e 's,+++nomad_encryption+++,'"$(cat /var/secrets/nomad_encryption.key)"',' \
-e 's,+++nomad_consul+++,'"$(cat /var/secrets/nomad_consul.token)"',' \
-e 's,+++nomad_vault+++,'"$(cat /var/secrets/nomad_vault.token)"',' \
${originalCfg} > /run/nomad/nomad.json
'';
services = { services = {
openssh = { openssh = {
enable = true; enable = true;
permitRootLogin = "yes"; permitRootLogin = "yes";
}; };
nomad = { nomad = {
enable = false; package = pkgs.master.nomad;
enable = true;
enableDocker = true; enableDocker = true;
settings = { dropPrivileges = false;
bind_addr = "0.0.0.0"; extraPackages = with pkgs; [ consul ];
data_dir = "/var/lib/nomad"; extraSettingsPaths = lib.singleton "/run/nomad/nomad.json";
datacenter = "n1";
log_file = "/var/log/nomad/nomad.log";
server = {
enabled = true;
bootstrap_expect = 1;
encrypt = "nY1vuN+1ecJkwJu0s2x6Ge6UX/txvTxVqNrDMqruMlg=";
};
client = {
enabled = true;
};
vault = {
enabled = true;
token = "s.WaNfk6ZISRbwsEx43UokG3HU";
address = "https://10.55.0.2:8800";
ca_file = "/var/rootcert/cert.pem";
cert_file = "/var/vault/cert.pem";
key_file = "/var/vault/key.pem";
allow_unauthenticated = false;
create_from_role = "nomad-cluster";
};
consul = {
address = "10.55.0.2:4444";
ssl = true;
allow_unauthenticated = false;
auto_advertise = true;
server_auto_join = true;
client_auto_join = true;
ca_file = "/var/certs/cert.pem";
cert_file = "/var/vault/cert.pem";
key_file = "/var/vault/key.pem";
};
acl = {
enabled = true;
};
};
}; };
vault = { vault = {
package = pkgs.vault-bin; package = pkgs.vault-bin;
@@ -61,31 +133,11 @@
ui = true ui = true
''; '';
}; };
consul = { consul = {
enable = false; enable = true;
webUi = true; package = pkgs.master.consul;
extraConfig = rec { extraConfigFiles = lib.singleton "/run/consul/consul.json";
bootstrap = true;
log_level = "DEBUG";
enable_syslog = true;
datacenter = "d1";
bind_addr = "10.55.0.2";
client_addr = bind_addr;
primary_datacenter = "d1";
node_name = "Marisa";
server = true;
connect = {
enabled = true;
};
encrypt = "dXoYbVt1Rb1cTFTWVBGO6CaFIBmc90MPCjhqttBlXi0=";
ca_file = "/var/rootcert/cert.pem";
cert_file = "/var/certs/cert.pem";
key_file = "/var/certs/key.pem";
ports = {
http = 4444;
grpc = 4445;
};
};
}; };
vault-agent = { vault-agent = {
enable = true; enable = true;
@@ -117,6 +169,42 @@
''; '';
destination = "/var/secrets/wg.key"; destination = "/var/secrets/wg.key";
} }
{
source = pkgs.writeText "consul_marisa.tpl" ''
{{ with secret "kv/systems/Marisa/consul" }}{{ .Data.data.agentToken }}{{ end }}
'';
destination = "/var/secrets/consul_marisa.token";
}
{
source = pkgs.writeText "consul_bootstrap.tpl" ''
{{ with secret "kv/consul" }}{{ .Data.data.bootstrapToken }}{{ end }}
'';
destination = "/var/secrets/consul_bootstrap.token";
}
{
source = pkgs.writeText "consul_encryption.tpl" ''
{{ with secret "kv/consul" }}{{ .Data.data.encryptionKey }}{{ end }}
'';
destination = "/var/secrets/consul_encryption.key";
}
{
source = pkgs.writeText "nomad_vault.tpl" ''
{{ with secret "kv/nomad" }}{{ .Data.data.vaultToken }}{{ end }}
'';
destination = "/var/secrets/nomad_vault.token";
}
{
source = pkgs.writeText "nomad_vault.tpl" ''
{{ with secret "kv/nomad" }}{{ .Data.data.consulToken }}{{ end }}
'';
destination = "/var/secrets/nomad_consul.token";
}
{
source = pkgs.writeText "nomad_encryption.tpl" ''
{{ with secret "kv/nomad" }}{{ .Data.data.encryptionKey }}{{ end }}
'';
destination = "/var/secrets/nomad_encryption.key";
}
]; ];
}; };
}; };
@@ -134,10 +222,16 @@
''; '';
}; };
gitea = { gitea = {
enable = true; enable = false;
appName = "Natto Tea"; appName = "Natto Tea";
rootUrl = "https://git.weirdnatto.in/"; rootUrl = "https://git.weirdnatto.in/";
cookieSecure = true; cookieSecure = true;
dump = {
enable = true;
backupDir = "/tmp/gitea";
type = "tar.gz";
file = "gitnigger";
};
httpPort = 5001; httpPort = 5001;
database = rec { database = rec {
createDatabase = false; createDatabase = false;
@@ -169,5 +263,7 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOSQnDNrNP69tIK7U2D7qaMjycfIjpgx0at4U2D5Ufib" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOSQnDNrNP69tIK7U2D7qaMjycfIjpgx0at4U2D5Ufib"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK5V/hdkTTQSkDLXaEwY8xb/T8+sWtw5c6UjYOPaTrO8" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK5V/hdkTTQSkDLXaEwY8xb/T8+sWtw5c6UjYOPaTrO8"
]; ];
security.pki.certificateFiles = [ ../../cert.pem ]; security.pki.certificateFiles = [ ../../cert.pem ../../consul-agent-ca.pem ];
} }

2
modules/min-pkgs.nix
View File

@@ -9,6 +9,8 @@
tree-sitter tree-sitter
rnix-lsp rnix-lsp
nmap nmap
gcc
fly
]; ];
programs = { programs = {