mirror of
https://git.sr.ht/~magic_rb/dotfiles
synced 2024-11-26 18:16:13 +01:00
0b9583b4d3
Signed-off-by: magic_rb <magic_rb@redalder.org>
64 lines
1.2 KiB
Nix
64 lines
1.2 KiB
Nix
{
|
|
inputs',
|
|
lib,
|
|
config,
|
|
pkgs,
|
|
secret,
|
|
...
|
|
}: let
|
|
inherit
|
|
(lib)
|
|
mkForce
|
|
singleton
|
|
;
|
|
in {
|
|
services.hashicorp.consul = {
|
|
enable = true;
|
|
package = pkgs.consul;
|
|
|
|
extraSettingsPaths = singleton "/run/secrets/consul.json";
|
|
|
|
settings = {
|
|
datacenter = "do-1";
|
|
data_dir = "/var/lib/consul";
|
|
|
|
retry_join_wan = singleton (secret.network.ips.blowhole.ip or "");
|
|
|
|
server = true;
|
|
|
|
bind_addr = secret.network.ips.toothpick or "";
|
|
client_addr = secret.network.ips.toothpick or "";
|
|
|
|
primary_datacenter = "homelab-1";
|
|
|
|
acl = {
|
|
enabled = true;
|
|
default_policy = "deny";
|
|
enable_token_persistence = true;
|
|
enable_token_replication = true;
|
|
};
|
|
|
|
ports = {
|
|
http = 8500;
|
|
grpc = 8502;
|
|
};
|
|
|
|
ui_config.enabled = true;
|
|
|
|
connect.enabled = true;
|
|
|
|
# ca_file = "/var/secrets/consul-ca.crt";
|
|
# cert_file = ""
|
|
# key_file = ""
|
|
verify_incoming = false;
|
|
verify_outgoing = false;
|
|
verify_server_hostname = false;
|
|
};
|
|
};
|
|
|
|
systemd.services.hashicorp-consul.serviceConfig = {
|
|
LimitNOFILE = mkForce "infinity";
|
|
LimitNPROC = mkForce "infinity";
|
|
};
|
|
}
|