dotfiles/nixos/systems/toothpick/nomad.nix

140 lines
3 KiB
Nix
Raw Normal View History

{
lib,
config,
config',
pkgs,
pkgs-hashicorp,
inputs',
secret,
...
}: {
services.hashicorp.nomad = {
enable = true;
extraPackages = with pkgs; [
coreutils
iproute2
iptables
consul
glibc
config.nix.package
git
];
extraSettingsPaths = [
"/run/secrets/nomad.json"
];
package = pkgs-hashicorp.nomad_1_5.overrideAttrs (old: {
patches = with config'.flake.patches; [
hashicorp-nomad.revert-change-consul-si-tokens-to-be-local
hashicorp-nomad.add-nix-integration
];
});
settings = {
server.enabled = true;
tls = {
# http = false # true
# rpc = true
# ca_file = "nomad-ca.pem"
# cert_file = "client.pem"
# key_file = "client-key.pem"
# verify_server_hostname = true
# verify_https_client = true
};
vault = {
enabled = true;
address = "https://${secret.network.ips.vault.dns or ""}:8200";
allow_unauthenticated = true;
create_from_role = "nomad-cluster";
};
consul = {
address = "${secret.network.ips.toothpick or ""}:8500";
auto_advertise = true;
server_auto_join = true;
client_auto_join = true;
};
acl.enabled = true;
client = {
cni_path = "${pkgs.cni-plugins}/bin";
options = {
"docker.privileged.enabled" = "true";
};
host_network."default" = {
cidr = secret.network.ips.toothpick or "" + "/32";
};
host_network."private" = {
cidr = secret.network.ips.toothpick or "" + "/32";
};
host_network."mesh" = {
cidr = secret.network.ips.toothpick or "" + "/32";
};
network_interface = "wg0";
host_network."public" = {
cidr = "64.225.104.221/32";
reserved_ports = "22";
};
enabled = true;
};
plugin."docker" = {
config = {
allow_caps = [
"CHOWN"
"DAC_OVERRIDE"
"FSETID"
"FOWNER"
"MKNOD"
"NET_RAW"
"SETGID"
"SETUID"
"SETFCAP"
"SETPCAP"
"NET_BIND_SERVICE"
"SYS_CHROOT"
"KILL"
"AUDIT_WRITE"
"SYS_ADMIN"
];
allow_privileged = true;
extra_labels = [
"job_name"
"job_id"
"task_group_name"
"task_name"
"namespace"
"node_name"
"node_id"
];
};
};
bind_addr = secret.network.ips.toothpick or "";
disable_update_check = true;
data_dir = "/var/lib/nomad";
server.authoritative_region = "homelab-1";
datacenter = "do-1";
region = "do-1";
};
};
virtualisation.docker.enable = true;
virtualisation.docker.daemon.settings.dns = [
(secret.network.ips.blowhole.ip or "")
];
}