9b1c305c3b
Signed-off-by: Magic_RB <magic_rb@redalder.org>
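{ config, elib, tflib, lib, pkgs, ... }:
# Root terranix configuration for the homelab: providers, the remote state
# backend, one Terraform module per directory under ./containers, and the
# Vault / Consul / Nomad bootstrap resources the imported host modules rely on.
#
# Review notes for anyone changing this file:
#  * Only Vault is reached over TLS; Consul, Nomad, InfluxDB and the state
#    backend are plain HTTP, so tokens and API responses are unencrypted on
#    the wire unless the network path itself is protected.
#  * The Consul "global-management" token secret and the random_id gossip
#    keys generated here all land in Terraform state. Whoever can read the
#    state path in Consul KV effectively holds those secrets.
let
  inherit (tflib) tf;
  inherit (lib) singleton genAttrs;

  # Consul HTTP API endpoint, shared by the provider, the state backend and
  # the Vault Consul secrets engine so the three cannot drift apart.
  consulAddress = "consul.in.redalder.org:8500";

  # Each entry becomes module."<name>" sourced from ./containers/<name>.
  containerModules = [
    "syncthing"
    "website"
    "hydra"
    "matrix"
    "jellyfin"
    "gitea"
    "home-assistant"
    "ingress-blowhole"
    "ingress-toothpick"
    "gateway-mesh"
    "nfs-csi"
  ];
in
{
  imports = [
    ./lib
    ./modules/push_approles.nix
    ./modules/consul_agent.nix
    ./modules/nomad_server.nix
    ./pki.nix
    ./blowhole.nix
    ./toothpick.nix
  ];

  # Provider endpoints. Vault is the only one addressed over https.
  provider."vault".address = "https://vault.in.redalder.org:8200";
  provider."consul".address = "http://${consulAddress}";
  provider."nomad".address = "http://nomad.in.redalder.org:4646";
  provider."influxdb-v2".url = "http://influx.in.redalder.org";

  # The InfluxDB v2 provider is not in the HashiCorp namespace and must be
  # resolved explicitly.
  terraform.required_providers.influxdb-v2.source = "MagicRB/influxdb-v2";

  # Remote state lives in Consul KV, written over plain http.
  terraform.backend."consul" = {
    address = consulAddress;
    scheme = "http";
    path = "terraform/dotfiles";
  };

  # One elib.terraformModule per container directory; the attribute name,
  # the module name and the directory name are always the same string.
  module = genAttrs containerModules (name:
    elib.terraformModule {
      inherit name;
      source = ./containers + "/${name}";
    });

  # AppRole auth mount. max_lease_ttl = 90000s caps issued tokens at 25h;
  # listing_visibility = "unauth" exposes the mount on Vault's
  # unauthenticated mount listing. The remaining tunables are left at null,
  # i.e. unset, so the provider does not manage them.
  resource."vault_auth_backend"."approle" = {
    type = "approle";
    tune = singleton {
      max_lease_ttl = "90000s";
      listing_visibility = "unauth";
      allowed_response_headers = null;
      audit_non_hmac_request_keys = null;
      audit_non_hmac_response_keys = null;
      default_lease_ttl = null;
      passthrough_request_headers = null;
      token_type = null;
    };
  };

  # KV v2 secrets engine at kv/, keeping at most 5 versions per secret.
  resource."vault_mount"."kv" = {
    path = "kv";
    type = "kv";
    options.version = "2";
    description = "KV Version 2 secret engine mount";
  };
  resource."vault_kv_secret_backend_v2"."config" = {
    mount = config.resource."vault_mount"."kv".path;
    max_versions = 5;
  };

  # Consul token with the built-in global-management policy, i.e. full ACL
  # administration. Its secret_id is read back through the data source
  # below and handed to Vault's Consul secrets engine, so it also ends up in
  # Terraform state.
  resource."consul_acl_token"."vault_management_token" = {
    description = "Vault management token";
    policies = ["global-management"];
    local = false;
  };
  data."consul_acl_token_secret_id"."vault_management_token" = {
    accessor_id = tf "consul_acl_token.vault_management_token.id";
  };

  # Vault Consul secrets engine, talking to Consul with the management
  # token above. No scheme is given here; the address is the same host:port
  # the http provider and backend use.
  resource."vault_consul_secret_backend"."consul" = {
    path = "consul";
    description = "Manages the Consul backend";
    address = consulAddress;
    token = tf "data.consul_acl_token_secret_id.vault_management_token.secret_id";
  };

  # Token role for the Nomad servers' Vault integration: orphan, periodic
  # (72h period), renewable, and with token_explicit_max_ttl = "0" no hard
  # upper bound on lifetime, so a token stays valid for as long as it keeps
  # being renewed. Tokens from this role may not carry the nomad-server
  # policy itself.
  resource."vault_token_auth_backend_role"."nomad_cluster" = {
    role_name = "nomad-cluster";
    disallowed_policies = ["nomad-server"];
    orphan = true;
    token_period = "259200";
    renewable = true;
    token_explicit_max_ttl = "0";
  };

  # 256-bit random values used as encryption keys (one for Nomad, two
  # Consul ones — presumably one per datacenter, judging by the names).
  # They are generated by the random provider and persisted in state.
  resource."random_id"."nomad_encryption_key".byte_length = 32;
  resource."random_id"."homelab-1_consul_encryption_key".byte_length = 32;
  resource."random_id"."do-1_consul_encryption_key".byte_length = 32;

  # Policy granting read access to every service and node in the catalog.
  resource."consul_acl_policy"."anonymous" = {
    name = "consul-anonymous";
    rules = ''
      service_prefix "" { policy = "read" }
      node_prefix "" { policy = "read" }
    '';
  };

  # A regular token carrying the policy above. Note this creates a new
  # token; it does not modify Consul's built-in anonymous token. The
  # secret_id is exported via the data source for consumers elsewhere.
  resource."consul_acl_token"."anonymous" = {
    description = "Consul anonymous token";
    policies = [
      config.resource.consul_acl_policy.anonymous.name
    ];
    local = false;
  };
  data."consul_acl_token_secret_id"."anonymous" = {
    accessor_id = tf "consul_acl_token.anonymous.id";
  };
}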