# NixOS module: Consul server for the "homelab-1" datacenter on this host.
# Vault Agent renders the secret half of the Consul configuration (gossip
# encryption key and ACL tokens) into a runtime file; the Consul unit is
# gated on that file existing and reads it as an extra settings path.
{inputs, lib, config, pkgs, secret, ...}:

with lib;

let
in
{
  services.hashicorp.vault-agent = {
    # Single template producing the Consul secrets file.  Each `with secret`
    # block reads one KV entry; `or <field> ""` falls back to the empty
    # string when the field is missing, so an absent secret renders quietly
    # rather than failing the template.  NOTE(review): an empty "encrypt"
    # value would leave gossip traffic without a key — confirm the KV
    # entries exist before relying on this fallback.
    settings.template = singleton {
      # Go-template source; the `secret` paths are KV v2 data paths.
      source = pkgs.writeText "consul.json.vtmpl"
        ''
          {
            "encrypt": "{{ with secret "kv/data/homelab-1/blowhole/consul/encryption_key" }}{{ or .Data.data.key "" }}{{ end }}",
            "acl": {
              "tokens": {
                "agent": "{{ with secret "kv/data/homelab-1/blowhole/consul/agent_token" }}{{ or .Data.data.secret "" }}{{ end }}",
                "default": "{{ with secret "kv/data/homelab-1/blowhole/consul/anonymous_token" }}{{ or .Data.data.secret "" }}{{ end }}"
              }
            }
          }
        '';

      # Rendered file holding the gossip key and ACL tokens.  NOTE(review): no
      # file mode or owner is set in this template entry — confirm the rendered
      # file is readable only by the Consul service and not world-readable.
      destination = "/run/secrets/consul.json";

      # Runs after each render so Consul picks up rotated secrets.
      # NOTE(review): this relies on the agent's user having a sudo rule for
      # this systemctl invocation — verify the rule is scoped to exactly this
      # command rather than a blanket sudo grant.
      command = pkgs.writeShellScript "consul-command"
        ''
          sudo systemctl try-reload-or-restart hashicorp-consul.service
        '';
    };
  };

  # Do not start Consul until Vault Agent has rendered the secrets file;
  # otherwise it would come up without the gossip key and ACL tokens.
  systemd.services.hashicorp-consul.unitConfig = {
    ConditionPathExists = "/run/secrets/consul.json";
  };

  services.hashicorp.consul = {
    enable = true;

    # Merge the Vault-rendered secrets file on top of `settings` below.
    extraSettingsPaths =
      [ "/run/secrets/consul.json"
      ];

    # Consul comes from a separate, pinned nixpkgs input rather than `pkgs`.
    package = inputs.nixpkgs-hashicorp.legacyPackages.${pkgs.stdenv.system}.consul;

    settings = {
      datacenter = "homelab-1";
      data_dir = "/var/lib/consul";
      # NOTE(review): DEBUG is very verbose for a long-running server;
      # consider INFO once the setup is stable.
      log_level = "DEBUG";

      # This node runs as a server, not just a client agent.
      server = true;

      # Both the cluster-facing (bind) and API-facing (client) addresses are
      # the host's network IP, so the HTTP/gRPC API is reachable from the
      # network rather than only from loopback.
      bind_addr = secret.network.ips.blowhole.ip;
      client_addr = secret.network.ips.blowhole.ip;

      primary_datacenter = "homelab-1";

      # ACLs on with default-deny; the agent and default (anonymous) tokens
      # themselves come from the Vault-rendered file, not from this expression.
      acl = {
        enabled = true;
        default_policy = "deny";
        enable_token_persistence = true;
      };

      # Plain HTTP API and gRPC; no https port is configured here.
      ports = {
        http = 8500;
        grpc = 8502;
      };

      connect = {
        enabled = true;
      };

      # TLS: a CA is configured but no server cert/key, and verification is
      # off in every direction.  NOTE(review): as written the CA is not
      # enforced — peers are neither verified nor required to present a
      # certificate.  Confirm this is intentional for this single host and
      # revisit together with the commented-out cert_file/key_file.
      ca_file = "/var/secrets/consul-ca.crt";
      # cert_file = ""
      # key_file = ""
      verify_incoming = false;
      verify_outgoing = false;
      verify_server_hostname = false;

      ui_config.enabled = true;
      domain = "consul.in.redalder.org";
    };
  };

  # Lift the file-descriptor and process limits for the Consul unit;
  # mkForce overrides whatever value the module itself sets.
  systemd.services.hashicorp-consul.serviceConfig = {
    LimitNOFILE = mkForce "infinity";
    LimitNPROC = mkForce "infinity";
  };
}