{
  inputs',
  lib,
  config,
  pkgs,
  secret,
  ...
}: let
  inherit (lib) mkForce;

  # Addresses come from the out-of-tree `secret` attrset. The `or ""` fallbacks
  # mean a missing entry evaluates to an empty string instead of failing the
  # build — NOTE(review): confirm that silent degradation is intended rather
  # than an evaluation error.
  nodeAddr = secret.network.ips.toothpick or "";
  wanPeerAddr = secret.network.ips.blowhole.ip or "";
in {
  services.hashicorp.consul = {
    enable = true;
    package = pkgs.consul;

    # Settings provisioned at runtime (presumably tokens/keys, not stored in the
    # Nix store) are merged from this path.
    extraSettingsPaths = [ "/run/secrets/consul.json" ];

    settings = {
      datacenter = "do-1";
      data_dir = "/var/lib/consul";
      server = true;
      primary_datacenter = "homelab-1";

      # Single WAN join target; with the fallback above this can be `[ "" ]`.
      retry_join_wan = [ wanPeerAddr ];
      bind_addr = nodeAddr;
      client_addr = nodeAddr;

      # ACLs on with default-deny; token replication is presumably needed
      # because this DC is not the primary_datacenter.
      acl = {
        enabled = true;
        default_policy = "deny";
        enable_token_persistence = true;
        enable_token_replication = true;
      };

      ports = {
        http = 8500;
        grpc = 8502;
      };

      ui_config = { enabled = true; };
      connect = { enabled = true; };

      # TLS is not configured here: no CA/cert/key is set and every verify_*
      # switch is off, so RPC/WAN traffic and the HTTP API on port 8500 are
      # plaintext unless /run/secrets/consul.json supplies certificates.
      # The commented paths below are the place to wire them in.
      # ca_file = "/var/secrets/consul-ca.crt";
      # cert_file = ""
      # key_file = ""
      verify_incoming = false;
      verify_outgoing = false;
      verify_server_hostname = false;
    };
  };

  # Lift the default systemd resource limits for the Consul unit.
  systemd.services.hashicorp-consul.serviceConfig = {
    LimitNOFILE = mkForce "infinity";
    LimitNPROC = mkForce "infinity";
  };
}