dotfiles/nixos/systems/blowhole/consul.nix
Magic_RB 3f7585af77
Use specific nixpkgs pin for Hashicorp stuff
Signed-off-by: Magic_RB <magic_rb@redalder.org>
2023-04-03 01:26:58 +02:00

84 lines
2.1 KiB
Nix

{inputs, lib, config, pkgs, secret, ...}:
with lib;
let
in
{
services.hashicorp.vault-agent = {
settings.template = singleton {
source = pkgs.writeText "consul.json.vtmpl"
''
{
"encrypt": "{{ with secret "kv/data/homelab-1/blowhole/consul/encryption_key" }}{{ or .Data.data.key "" }}{{ end }}",
"acl": {
"tokens": {
"agent": "{{ with secret "kv/data/homelab-1/blowhole/consul/agent_token" }}{{ or .Data.data.secret "" }}{{ end }}",
"default": "{{ with secret "kv/data/homelab-1/blowhole/consul/anonymous_token" }}{{ or .Data.data.secret "" }}{{ end }}"
}
}
}
'';
destination = "/run/secrets/consul.json";
command = pkgs.writeShellScript "consul-command"
''
sudo systemctl try-reload-or-restart hashicorp-consul.service
'';
};
};
systemd.services.hashicorp-consul.unitConfig = {
ConditionPathExists = "/run/secrets/consul.json";
};
services.hashicorp.consul = {
enable = true;
extraSettingsPaths =
[ "/run/secrets/consul.json"
];
package = inputs.nixpkgs-hashicorp.legacyPackages.${pkgs.stdenv.system}.consul;
settings = {
datacenter = "homelab-1";
data_dir = "/var/lib/consul";
log_level = "DEBUG";
server = true;
bind_addr = secret.network.ips.blowhole.ip;
client_addr = secret.network.ips.blowhole.ip;
primary_datacenter = "homelab-1";
acl = {
enabled = true;
default_policy = "deny";
enable_token_persistence = true;
};
ports = {
http = 8500;
grpc = 8502;
};
connect = {
enabled = true;
};
ca_file = "/var/secrets/consul-ca.crt";
# cert_file = ""
# key_file = ""
verify_incoming = false;
verify_outgoing = false;
verify_server_hostname = false;
ui_config.enabled = true;
domain = "consul.in.redalder.org";
};
};
systemd.services.hashicorp-consul.serviceConfig = {
LimitNOFILE = mkForce "infinity";
LimitNPROC = mkForce "infinity";
};
}