{ inputs', lib, config, pkgs, secret, ... }:
let
  # Base path of the Vault KV (v2) entries that vault-agent renders into the
  # Consul secrets file below.
  kvBase = "kv/data/homelab-1/blowhole/consul";

  # Address the Consul agent binds to and serves clients on. Comes from the
  # out-of-tree `secret` input and degrades to "" when it is not defined.
  # NOTE(review): confirm what an empty bind_addr/client_addr resolves to on
  # this host before relying on that fallback.
  nodeIp = secret.network.ips.blowhole.ip or "";

  # File vault-agent renders the gossip key and ACL tokens into; Consul loads
  # it through extraSettingsPaths. It is the one place both the encryption
  # key and the agent/anonymous tokens sit on disk, so its ownership and mode
  # (not set here) decide who can read them — TODO confirm.
  secretsFile = "/run/secrets/consul.json";

  # Vault-agent template for the secrets file. Every lookup falls back to ""
  # when the KV entry is missing so the output still parses as JSON; an empty
  # "encrypt" value would start Consul without gossip encryption, so watch
  # for that case rather than relying on the fallback silently.
  consulSecretsTemplate = pkgs.writeText "consul.json.vtmpl" ''
    {
      "encrypt": "{{ with secret "${kvBase}/encryption_key" }}{{ or .Data.data.key "" }}{{ end }}",
      "acl": {
        "tokens": {
          "agent": "{{ with secret "${kvBase}/agent_token" }}{{ or .Data.data.secret "" }}{{ end }}",
          "default": "{{ with secret "${kvBase}/anonymous_token" }}{{ or .Data.data.secret "" }}{{ end }}"
        }
      }
    }
  '';

  # Executed by vault-agent after each re-render so Consul picks up rotated
  # keys and tokens.
  # NOTE(review): this depends on vault-agent's user being permitted to run
  # exactly this systemctl invocation via sudo; that rule is not defined here.
  reloadConsul = pkgs.writeShellScript "consul-command" ''
    sudo systemctl try-reload-or-restart hashicorp-consul.service
  '';
in
{
  # vault-agent: render the Consul secrets file and nudge Consul afterwards.
  services.hashicorp.vault-agent.settings.template = lib.singleton {
    source = consulSecretsTemplate;
    destination = secretsFile;
    command = reloadConsul;
  };

  # Consul must not start before Vault is unsealed, otherwise the secrets
  # file cannot be rendered. Resource limits are forced to override whatever
  # the upstream unit sets.
  systemd.services.hashicorp-consul = {
    requires = [ "vault-unsealed.service" ];
    after = [ "vault-unsealed.service" ];
    serviceConfig = {
      LimitNOFILE = lib.mkForce "infinity";
      LimitNPROC = lib.mkForce "infinity";
    };
  };

  services.hashicorp.consul = {
    enable = true;

    # Secrets are merged in from the vault-agent rendered file, keeping them
    # out of the Nix store.
    extraSettingsPaths = lib.singleton secretsFile;

    # Consul package is pinned to a dedicated nixpkgs input rather than the
    # system `pkgs`.
    package = inputs'.nixpkgs-hashicorp.legacyPackages.${pkgs.stdenv.system}.consul;

    settings = {
      datacenter = "homelab-1";
      primary_datacenter = "homelab-1";
      data_dir = "/var/lib/consul";
      log_level = "INFO";
      server = true;

      bind_addr = nodeIp;
      client_addr = nodeIp;

      # ACLs are on with default-deny, so every request without a token only
      # gets what the anonymous ("default") token from the secrets file
      # allows. enable_token_persistence keeps API-set tokens on disk under
      # data_dir across restarts.
      acl = {
        enabled = true;
        default_policy = "deny";
        enable_token_persistence = true;
      };

      ports = {
        http = 8500;
        grpc = 8502;
      };

      connect.enabled = true;

      # TLS: a CA is configured but no agent certificate yet, and all three
      # verify_* flags are off, so Consul does not require or verify TLS on
      # RPC in either direction. Until cert_file/key_file are provisioned the
      # gossip "encrypt" key is the only transport protection in place —
      # confirm this is the intended interim state.
      ca_file = "/var/secrets/consul-ca.crt";
      # cert_file = ""
      # key_file = ""
      verify_incoming = false;
      verify_outgoing = false;
      verify_server_hostname = false;

      # The web UI is served on the HTTP port at client_addr; with ACLs
      # enabled it is subject to the same default-deny policy.
      ui_config.enabled = true;
      domain = "consul.in.redalder.org";
    };
  };
}