dotfiles/nixos/systems/blowhole/consul.nix
Magic_RB 004cfb039b
Harden blowhole against sealed Vault
Signed-off-by: Magic_RB <magic_rb@redalder.org>
2023-06-28 14:23:08 +02:00


{inputs', lib, config, pkgs, secret, ...}:
# Consul server agent for the blowhole host.
#
# Static settings are declared under services.hashicorp.consul below; the
# gossip encryption key and the ACL tokens are rendered at runtime by
# vault-agent into /run/secrets/consul.json, which Consul reads as an extra
# settings file.  The Consul unit is ordered after vault-unsealed.service so
# that rendering has had a chance to happen before the agent starts.
let
  renderedSettings = "/run/secrets/consul.json";

  # Template rendered by vault-agent from the KV store.  Every lookup is
  # wrapped in `or ... ""`, so an absent value renders as an empty string
  # and the file is still written: Consul then starts with an empty gossip
  # key and empty tokens instead of refusing to start.
  # NOTE(review): this keeps the host bootable while Vault is sealed, but
  # it also means a missing encryption_key silently leaves gossip
  # unencrypted -- an empty "encrypt" in the rendered file is worth
  # alerting on.
  consulTemplate = pkgs.writeText "consul.json.vtmpl" ''
    {
      "encrypt": "{{ with secret "kv/data/homelab-1/blowhole/consul/encryption_key" }}{{ or .Data.data.key "" }}{{ end }}",
      "acl": {
        "tokens": {
          "agent": "{{ with secret "kv/data/homelab-1/blowhole/consul/agent_token" }}{{ or .Data.data.secret "" }}{{ end }}",
          "default": "{{ with secret "kv/data/homelab-1/blowhole/consul/anonymous_token" }}{{ or .Data.data.secret "" }}{{ end }}"
        }
      }
    }
  '';

  # Run by vault-agent after each render.  Relies on a sudoers rule for
  # the vault-agent user that is defined outside this file -- confirm it is
  # scoped to exactly this command.
  reloadConsul = pkgs.writeShellScript "consul-command" ''
    sudo systemctl try-reload-or-restart hashicorp-consul.service
  '';
in
{
  services.hashicorp.vault-agent.settings.template = [
    {
      source = consulTemplate;
      destination = renderedSettings;
      command = reloadConsul;
    }
  ];

  services.hashicorp.consul = {
    enable = true;
    package = inputs'.nixpkgs-hashicorp.legacyPackages.${pkgs.stdenv.system}.consul;
    # Secrets rendered by vault-agent are merged in from this path.
    extraSettingsPaths = [ renderedSettings ];

    settings = {
      datacenter = "homelab-1";
      primary_datacenter = "homelab-1";
      data_dir = "/var/lib/consul";
      log_level = "INFO";
      server = true;
      domain = "consul.in.redalder.org";

      # Host address from the out-of-tree `secret` set; falls back to ""
      # when it is not present there.
      bind_addr = secret.network.ips.blowhole.ip or "";
      client_addr = secret.network.ips.blowhole.ip or "";

      ports = {
        http = 8500;
        grpc = 8502;
      };

      # Default-deny ACLs; the agent and default tokens come from the
      # vault-agent rendered file.
      acl = {
        enabled = true;
        default_policy = "deny";
        enable_token_persistence = true;
      };

      connect.enabled = true;
      ui_config.enabled = true;

      # TLS: only a CA is configured -- no agent certificate/key is set and
      # all three verify_* switches are off, so TLS is neither required
      # nor verified for agent traffic.  NOTE(review): with that, the
      # gossip key and the ACL tokens are the only peer checks in effect;
      # confirm this matches the intended trust boundary for the network
      # Consul listens on.
      ca_file = "/var/secrets/consul-ca.crt";
      # cert_file = ""
      # key_file = ""
      verify_incoming = false;
      verify_outgoing = false;
      verify_server_hostname = false;
    };
  };

  systemd.services.hashicorp-consul = {
    # Hold Consul until vault-unsealed.service (defined elsewhere;
    # presumably the seal-state check) has succeeded.
    requires = [ "vault-unsealed.service" ];
    after = [ "vault-unsealed.service" ];
    # mkForce overrides whatever limits the upstream module sets.
    serviceConfig = {
      LimitNOFILE = lib.mkForce "infinity";
      LimitNPROC = lib.mkForce "infinity";
    };
  };
}