{inputs, lib, config, pkgs, secret, ...}: with lib; let in { services.hashicorp.vault-agent = { settings.template = singleton { source = pkgs.writeText "consul.json.vtmpl" '' { "encrypt": "{{ with secret "kv/data/homelab-1/blowhole/consul/encryption_key" }}{{ or .Data.data.key "" }}{{ end }}", "acl": { "tokens": { "agent": "{{ with secret "kv/data/homelab-1/blowhole/consul/agent_token" }}{{ or .Data.data.secret "" }}{{ end }}", "default": "{{ with secret "kv/data/homelab-1/blowhole/consul/anonymous_token" }}{{ or .Data.data.secret "" }}{{ end }}" } } } ''; destination = "/run/secrets/consul.json"; command = pkgs.writeShellScript "consul-command" '' sudo systemctl try-reload-or-restart hashicorp-consul.service ''; }; }; systemd.services.hashicorp-consul.unitConfig = { ConditionPathExists = "/run/secrets/consul.json"; }; services.hashicorp.consul = { enable = true; extraSettingsPaths = [ "/run/secrets/consul.json" ]; package = inputs.nixpkgs-hashicorp.legacyPackages.${pkgs.stdenv.system}.consul; settings = { datacenter = "homelab-1"; data_dir = "/var/lib/consul"; log_level = "INFO"; server = true; bind_addr = secret.network.ips.blowhole.ip; client_addr = secret.network.ips.blowhole.ip; primary_datacenter = "homelab-1"; acl = { enabled = true; default_policy = "deny"; enable_token_persistence = true; }; ports = { http = 8500; grpc = 8502; }; connect = { enabled = true; }; ca_file = "/var/secrets/consul-ca.crt"; # cert_file = "" # key_file = "" verify_incoming = false; verify_outgoing = false; verify_server_hostname = false; ui_config.enabled = true; domain = "consul.in.redalder.org"; }; }; systemd.services.hashicorp-consul.serviceConfig = { LimitNOFILE = mkForce "infinity"; LimitNPROC = mkForce "infinity"; }; }