dotfiles/nixos/systems/blowhole/nomad.nix
Magic_RB bbe1a2a6ad
Move secrets templates out of vault-agent module
Signed-off-by: Magic_RB <magic_rb@redalder.org>
2023-03-06 00:30:29 +01:00


{lib, config, pkgs, secret, ...}:
with lib;
let
in
{
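services.hashicorp.vault-agent = {
  # Render Nomad's credential-bearing settings (gossip key, Vault token,
  # Consul token) out of Vault into a file that the nomad service merges in
  # via extraSettingsPaths.  Assumes `settings` is passed through to the
  # vault-agent configuration verbatim.
  settings.template = singleton {
    source = pkgs.writeText "nomad.json.vtmpl" ''
      {
        "server": {
          "encrypt": "{{ with secret "kv/data/homelab-1/blowhole/nomad/encryption_key" }}{{ .Data.data.key }}{{ end }}"
        },
        "vault": {
          "token": "{{ with secret "kv/data/homelab-1/blowhole/nomad/vault_token" }}{{ .Data.data.secret }}{{ end }}"
        },
        "consul": {
          "token": "{{ with secret "kv/data/homelab-1/blowhole/nomad/consul_token" }}{{ .Data.data.secret }}{{ end }}"
        }
      }
    '';
    destination = "/run/secrets/nomad.json";
    # The rendered file holds live credentials; without `perms` vault-agent
    # creates it 0644.  Assumes hashicorp-nomad.service reads it as the same
    # user vault-agent writes as (root) — confirm before deploying.
    perms = "0600";
    # A field missing from the KV entry is a render error instead of the
    # previous silent "" fallback, which for `encrypt` meant gossip
    # encryption off and for the tokens meant the anonymous/no-token path.
    # A KV path that does not exist at all still renders "" because of the
    # surrounding `with`.
    error_on_missing_key = true;
    # Hand the new file to a running nomad; the sudo rule lives elsewhere.
    command = pkgs.writeShellScript "nomad-command" ''
      sudo systemctl try-reload-or-restart hashicorp-nomad.service
    '';
  };
};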
# Hold nomad back until vault-agent has rendered its secrets file.  A unit
# Condition is skipped silently, so a missing file shows up as an inactive
# unit rather than a failed one.
systemd.services.hashicorp-nomad.unitConfig.ConditionPathExists = "/run/secrets/nomad.json";
services.hashicorp.nomad = {
  enable = true;

  # Tools Nomad needs on its PATH.  `config.nix.package` is the lexically
  # bound module argument, so every entry is written out explicitly instead
  # of relying on `with pkgs` (whose own `config` attribute it would
  # otherwise be easy to confuse it with).
  extraPackages = [
    pkgs.coreutils
    pkgs.iproute2
    pkgs.iptables
    pkgs.consul
    pkgs.glibc
    config.nix.package
    pkgs.git
  ];

  # Credentials (gossip key, Vault/Consul tokens) are rendered into this
  # file by vault-agent and merged with the settings below.
  extraSettingsPaths = [ "/run/secrets/nomad.json" ];

  package = pkgs.nomad_1_3.overrideAttrs (old: {
    patches = [
      ../0001-Revert-Change-consul-SI-tokens-to-be-local.patch
      ../0001-Add-Nix-integration.patch
    ];
  });

  settings = {
    bind_addr = secret.network.ips.blowhole.ip;
    datacenter = "homelab-1";
    region = "homelab-1";
    data_dir = "/var/lib/nomad";
    disable_update_check = true;

    # Single node acting as both server and client; ACLs are on, so API
    # access and job submission require a Nomad token.
    server.enabled = true;
    acl.enabled = true;

    # NOTE(review): left empty, so the HTTP API and RPC on bind_addr are
    # cleartext; the commented keys are the ones to fill in once a CA and
    # per-node certificates exist.
    tls = {
      # http = false # true
      # rpc = true
      # ca_file = "nomad-ca.pem"
      # cert_file = "client.pem"
      # key_file = "client-key.pem"
      # verify_server_hostname = true
      # verify_https_client = true
    };

    vault = {
      enabled = true;
      address = "https://${secret.network.ips.vault.dns}:8200";
      # Job submitters need not present their own Vault token; Nomad mints
      # task tokens from the role below, gated only by the Nomad ACL.
      allow_unauthenticated = true;
      create_from_role = "nomad-cluster";
    };

    consul = {
      address = "${secret.network.ips.blowhole.ip}:8500";
      auto_advertise = true;
      server_auto_join = true;
      client_auto_join = true;
    };

    client = {
      enabled = true;
      cni_path = "${pkgs.cni-plugins}/bin";
      network_interface = "enp4s0";
      min_dynamic_port = 20000;
      max_dynamic_port = 32000;
      options."docker.privileged.enabled" = "true";

      # NOTE(review): both host networks use the same CIDR — presumably a
      # placeholder; verify "mesh" is really meant to match "default".
      host_network = {
        default.cidr = secret.network.networks.home.mine;
        mesh.cidr = secret.network.networks.home.mine;
      };

      host_volume = {
        # renderD128.path = "/dev/dri/renderD128";
        # card0.path = "/dev/dri/card0";
        jellyfin-mount.path = "/mnt/jellyfin-mount";
        cctv = {
          path = "/mnt/cctv";
          read_only = false;
        };
        # sonoff.path = "/dev/serial/by-id/usb-ITead_Sonoff_Zigbee_3.0_USB_Dongle_Plus_4c004e9c53c9eb118a9f8b4f1d69213e-if00-port0";
      };
    };

    plugin.docker.config = {
      # Capabilities a non-privileged task may request.  NOTE(review): with
      # allow_privileged = true a privileged task gets every capability
      # regardless of this list, so it only bounds non-privileged tasks.
      allow_caps = [
        "CHOWN"
        "DAC_OVERRIDE"
        "FSETID"
        "FOWNER"
        "MKNOD"
        "NET_RAW"
        "SETGID"
        "SETUID"
        "SETFCAP"
        "SETPCAP"
        "NET_BIND_SERVICE"
        "SYS_CHROOT"
        "KILL"
        "AUDIT_WRITE"
        "SYS_ADMIN"
      ];
      allow_privileged = true;
    };
  };
};
virtualisation.docker = {
  enable = true;
  # Resolver handed to containers by the docker daemon.
  daemon.settings.dns = [ "10.64.2.1" ];
};
}