From 87a4d79c71a997b8bedd024a68af25973739d549 Mon Sep 17 00:00:00 2001 
From: marc Date: Fri, 16 Feb 2024 18:21:24 +0100 Subject: [PATCH] Thingvellir as nomad server --- data/nomad/caddy.nomad | 100 ++++++++++ data/nomad/dns.nomad | 112 +++++++++++ data/nomad/gitea.nomad | 71 +++++++ data/nomad/lwt.nomad | 106 ++++++++++ data/nomad/minecraft.nomad | 71 +++++++ data/nomad/moimoin.nomad | 133 +++++++++++++ data/nomad/nextcloud.nomad | 188 ++++++++++++++++++ data/nomad/old/collabora.nomad | 67 +++++++ data/nomad/old/pihole.nomad | 73 +++++++ data/nomad/old/unbound.nomad | 47 +++++ data/nomad/organice.nomad | 52 +++++ data/nomad/pasta.nomad | 70 +++++++ data/nomad/presencia.nomad | 41 ++++ data/nomad/registry.nomad | 52 +++++ data/nomad/webhooks.nomad | 52 +++++ modules/server/nomad.nix | 6 +- .../consul.d/agent-token-reykjavik.json.age | Bin 364 -> 364 bytes .../consul.d/agent-token-thingvellir.json.age | Bin 474 -> 474 bytes secrets/consul.d/consul-agent-ca-key.pem.age | 10 +- secrets/consul.d/consul-agent-ca.pem.age | Bin 1510 -> 1510 bytes secrets/consul.d/gossip.json.age | Bin 498 -> 498 bytes .../samfelag-server-thingvellir-key.pem.age | Bin 548 -> 548 bytes .../samfelag-server-thingvellir.pem.age | Bin 1302 -> 1302 bytes secrets/nomad.d/consul-token-client.json.age | Bin 0 -> 505 bytes secrets/nomad.d/consul-token-server.json.age | 8 + secrets/nomad.d/consul-token.json.age | 9 - secrets/secrets.nix | 3 +- 27 files changed, 1253 insertions(+), 18 deletions(-) create mode 100644 data/nomad/caddy.nomad create mode 100644 data/nomad/dns.nomad create mode 100644 data/nomad/gitea.nomad create mode 100644 data/nomad/lwt.nomad create mode 100644 data/nomad/minecraft.nomad create mode 100644 data/nomad/moimoin.nomad create mode 100644 data/nomad/nextcloud.nomad create mode 100644 data/nomad/old/collabora.nomad create mode 100644 data/nomad/old/pihole.nomad create mode 100644 data/nomad/old/unbound.nomad create mode 100644 data/nomad/organice.nomad create mode 100644 data/nomad/pasta.nomad create mode 100644 data/nomad/presencia.nomad create 
mode 100644 data/nomad/registry.nomad create mode 100644 data/nomad/webhooks.nomad create mode 100644 secrets/nomad.d/consul-token-client.json.age create mode 100644 secrets/nomad.d/consul-token-server.json.age delete mode 100644 secrets/nomad.d/consul-token.json.age
diff --git a/data/nomad/caddy.nomad b/data/nomad/caddy.nomad
new file mode 100644
index 0000000..7235cd3
--- /dev/null
+++ b/data/nomad/caddy.nomad
@@ -0,0 +1,100 @@
+job "caddy" {
+ region = "global"
+ datacenters = ["samfelag"]
+ type = "service"
+
+ group "caddy" {
+ count = 1
+
+ volume "caddyfile" {
+ type = "host"
+ read_only = false
+ source = "caddyfile"
+ }
+
+ volume "caddy-data" {
+ type = "host"
+ read_only = false
+ source = "caddy-data"
+ }
+
+ restart {
+ attempts = 2
+ interval = "2m"
+ delay = "1m"
+ mode = "fail"
+ }
+
+ network {
+ port "http" {
+ static = 80
+ to = 80
+ host_network = "public"
+ }
+
+ port "https" {
+ static = 443
+ to = 443
+ host_network = "public"
+ }
+
+ port "config" {
+ static = 2019
+ to = 2019
+ }
+
+ dns {
+ servers = ["100.80.195.56"]
+ }
+ }
+
+ ###
+ # CADDY
+ ###
+
+ task "caddy" {
+ driver = "docker"
+
+ volume_mount {
+ volume = "caddyfile"
+ destination = "/etc/caddy/Caddyfile"
+ read_only = false
+ }
+
+ volume_mount {
+ volume = "caddy-data"
+ destination = "/data"
+ read_only = false
+ }
+
+ env {
+ }
+
+ config {
+ image = "caddy:2.3.0-alpine"
+ ports = ["http", "https", "config"]
+ volumes = [
+ "/mnt/vatnajokull/lajuntament-web:/sites/lajuntament-web",
+ "/mnt/vatnajokull/folkugat-web:/sites/folkugat-web",
+ ]
+ }
+
+ resources {
+ cpu = 500
+ memory = 128
+ }
+
+ service {
+ name = "caddy"
+
+ check {
+ type = "tcp"
+ port = "http"
+ interval = "30s"
+ timeout = "2s"
+ }
+ }
+ }
+ }
+}
+
diff --git a/data/nomad/dns.nomad b/data/nomad/dns.nomad
new file mode 100644
index 0000000..4596ac6
--- /dev/null
+++ b/data/nomad/dns.nomad
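Review bot: In caddy.nomad the `port "config"` block publishes 2019 as a static host port with no `host_network`, unlike the `http` and `https` ports beside it, and 2019 is Caddy's admin API, which has no authentication by default. Whether the endpoint is actually reachable depends on the admin listener set in the Caddyfile, which is not visible here, but nothing in the job needs the port mapped. I would drop the block and the `"config"` entry in `ports`, or at least pin it to a private network with a `host_network` line. If the server only reads its Caddyfile, that `volume_mount` can also be `read_only = true`.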
@@ -0,0 +1,112 @@
+job "dns" {
+ region = "global"
+ datacenters = ["samfelag"]
+ type = "service"
+
+ group "dns" {
+ count = 1
+
+ restart {
+ attempts = 10
+ delay = "15s"
+ }
+
+ # VOLUMES
+ ## pihole
+
+ volume "pihole" {
+ type = "host"
+ read_only = false
+ source = "dns-pihole"
+ }
+
+ volume "dnsmasq" {
+ type = "host"
+ read_only = false
+ source = "dns-dnsmasq"
+ }
+
+ ## unbound
+
+ volume "unbound" {
+ type = "host"
+ read_only = false
+ source = "dns-unbound"
+ }
+
+ # NETWORK
+
+ network {
+ port "dns" {
+ static = 53
+ }
+ port "http" {
+ to = 80
+ }
+ port "unbound" {
+ static = 5533
+ }
+ }
+
+ # TASKS
+
+ task "pihole" {
+ driver = "docker"
+
+ volume_mount {
+ volume = "pihole"
+ destination = "/etc/pihole"
+ read_only = false
+ }
+
+ volume_mount {
+ volume = "dnsmasq"
+ destination = "/etc/dnsmasq.d"
+ read_only = false
+ }
+
+ env {
+ TZ = "Europe/Amsterdam"
+ WEBPASSWORD = "elbonfeix"
+ ServerIP = "100.80.195.56"
+ }
+
+ config {
+ image = "pihole/pihole:v5.7"
+ ports = ["dns", "http"]
+ }
+
+ resources {
+ cpu = 100
+ memory = 32
+ }
+
+ service {
+ name = "pihole-gui"
+ port = "http"
+ }
+ }
+
+ task "unbound" {
+ driver = "docker"
+
+ volume_mount {
+ volume = "unbound"
+ destination = "/opt/unbound/etc/unbound/"
+ read_only = false
+ }
+
+ config {
+ image = "mvance/unbound:latest"
+ ports = ["unbound"]
+ }
+
+ resources {
+ cpu = 50
+ memory = 32
+ }
+ }
+
+ }
+}
+
diff --git a/data/nomad/gitea.nomad b/data/nomad/gitea.nomad
new file mode 100644
index 0000000..7577644
--- /dev/null
+++ b/data/nomad/gitea.nomad
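Review bot: The `WEBPASSWORD` line in the pihole task's `env` block of dns.nomad commits the admin password in plaintext, in a repository that already keeps its other secrets age-encrypted under `secrets/`. The same pattern recurs in lwt.nomad (`MYSQL_ROOT_PASSWORD`), moimoin.nomad (`MYSQL_ROOT_PASSWORD`, `MYSQL_PASSWORD`, `CHAT_ADMIN_PSWD`), nextcloud.nomad (including its commented-out collabora task), old/collabora.nomad and old/pihole.nomad. These values should be treated as disclosed and rotated, then injected at runtime, for example with a `template` block using `env = true` that reads a Nomad variable or Vault; the sketch below uses a placeholder variable path and key name, and `nomadVar` needs a Nomad release with Variables support.

```hcl
task "pihole" {
  # … unchanged: driver, volume_mount blocks …

  # Rendered into the task's secrets directory and exported as environment variables.
  template {
    destination = "${NOMAD_SECRETS_DIR}/pihole.env"
    env         = true
    data        = <<EOT
WEBPASSWORD={{ with nomadVar "nomad/jobs/dns" }}{{ .webpassword }}{{ end }}
EOT
  }

  env {
    TZ       = "Europe/Amsterdam"
    ServerIP = "100.80.195.56"
  }

  # … unchanged: config, resources, service …
```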
@@ -0,0 +1,71 @@
+job "gitea" {
+ region = "global"
+ datacenters = ["samfelag"]
+ type = "service"
+
+ group "gitea" {
+ count = 1
+
+ restart {
+ attempts = 5
+ delay = "1m"
+ }
+
+ network {
+ port "http" {
+ to = 3000
+ }
+ port "ssh" {
+ static = 2222
+ to = 22
+ host_network = "public"
+ }
+ }
+
+ task "gitea" {
+ driver = "docker"
+
+ env {
+ USER_UID = "1001"
+ USER_GID = "1001"
+ }
+
+ config {
+ image = "gitea/gitea:latest"
+ ports = ["http", "ssh"]
+ volumes = ["/mnt/vatnajokull/nomad_volumes/gitea/data:/data"]
+ }
+
+ resources {
+ cpu = 1000
+ memory = 256
+ }
+
+ service {
+ name = "gitea"
+ port = "http"
+
+ check {
+ type = "tcp"
+ port = "http"
+ interval = "30s"
+ timeout = "2s"
+ }
+ }
+
+ service {
+ name = "gitea-ssh"
+ port = "ssh"
+
+ check {
+ type = "tcp"
+ port = "ssh"
+ interval = "30s"
+ timeout = "2s"
+ }
+ }
+
+ }
+ }
+}
+
diff --git a/data/nomad/lwt.nomad b/data/nomad/lwt.nomad
new file mode 100644
index 0000000..f96d63e
--- /dev/null
+++ b/data/nomad/lwt.nomad
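Review bot: `image = "gitea/gitea:latest"` in gitea.nomad means each new allocation can pull whatever the tag points to at that moment, so an internet-facing service (its `ssh` port is static on the `public` network) can change version, or pick up a bad upstream push, without any change in this repository. Mutable or missing tags also appear in dns.nomad (`mvance/unbound:latest`), lwt.nomad (`:master`), minecraft.nomad, pasta.nomad and presencia.nomad (no tag), moimoin.nomad, nextcloud.nomad, organice.nomad, webhooks.nomad and the two `old/` jobs that use `latest`. Pin each image to a release tag, ideally with a digest, e.g. `image = "gitea/gitea:<version>@sha256:<digest>"`, and bump it deliberately.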
@@ -0,0 +1,106 @@
+job "lwt" {
+ region = "global"
+ datacenters = ["samfelag"]
+ type = "service"
+
+ group "lwt" {
+ count = 1
+
+ restart {
+ attempts = 10
+ delay = "30s"
+ }
+
+ # VOLUMES
+
+ volume "lwt-mariadb" {
+ type = "host"
+ read_only = false
+ source = "lwt-mariadb"
+ }
+
+ volume "lwt" {
+ type = "host"
+ read_only = false
+ source = "lwt"
+ }
+
+ # NETWORK
+
+ network {
+ port "lwt" {
+ to = 80
+ }
+ port "mariadb" {
+ static = 33306
+ to = 3306
+ }
+ }
+
+ # TASKS
+
+ task "mariadb" {
+ driver = "docker"
+
+ user = 1001
+
+ volume_mount {
+ volume = "lwt-mariadb"
+ destination = "/var/lib/mysql"
+ read_only = false
+ }
+
+ env {
+ MYSQL_ALLOW_EMPTY_PASSWORD = "no"
+ MYSQL_ROOT_PASSWORD = "root"
+ }
+
+ config {
+ image = "mariadb:10.7"
+ ports = ["mariadb"]
+ }
+
+ resources {
+ cpu = 100
+ memory = 128
+ }
+ }
+
+ task "lwt" {
+ driver = "docker"
+
+ config {
+ image = "ghcr.io/hugofara/lwt:master"
+ ports = ["lwt"]
+ }
+
+ volume_mount {
+ volume = "lwt"
+ destination = "/var/www/html/media"
+ read_only = false
+ }
+
+ env {
+ DB_HOST = "${attr.unique.network.ip-address}:33306" # "100.91.225.117"
+ }
+
+ resources {
+ cpu = 100
+ memory = 128
+ }
+
+ service {
+ name = "lwt"
+ port = "lwt"
+
+ check {
+ type = "tcp"
+ port = "lwt"
+ interval = "30s"
+ timeout = "10s"
+ }
+ }
+ }
+
+ }
+}
diff --git a/data/nomad/minecraft.nomad b/data/nomad/minecraft.nomad
new file mode 100644
index 0000000..2b0caae
--- /dev/null
+++ b/data/nomad/minecraft.nomad
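Review bot: The `mariadb` port in lwt.nomad is published as static host port 33306 with no `host_network`, so the database, whose root password is the literal `"root"`, listens on the client's default network rather than only for the `lwt` task next to it. moimoin.nomad claims the same static 33306 for its MySQL, so the two jobs cannot be placed on one client, and nextcloud.nomad publishes 3306 the same way. Since each database is only used by a task in its own group, consider `mode = "bridge"` in the group `network` block so the tasks share a network namespace and the application connects on `127.0.0.1:3306`, with no `port "mariadb"` mapping at all.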
@@ -0,0 +1,71 @@
+job "minecraft" {
+ region = "global"
+ datacenters = ["samfelag"]
+ type = "service"
+
+ group "minecraft" {
+ count = 1
+
+ volume "minecraft" {
+ type = "host"
+ read_only = false
+ source = "minecraft"
+ }
+
+ restart {
+ attempts = 2
+ interval = "2m"
+ delay = "1m"
+ mode = "fail"
+ }
+
+ network {
+ port "server" {
+ static = 25565
+ to = 25565
+ host_network = "minecraft"
+ }
+ }
+
+ ###
+ # MINECRAFT SERVER
+ ###
+
+ task "minecraft" {
+ driver = "docker"
+
+ volume_mount {
+ volume = "minecraft"
+ destination = "/data"
+ read_only = false
+ }
+
+ env {
+ EULA = "TRUE"
+ TZ = "Europe/Madrid"
+ }
+
+ config {
+ image = "itzg/minecraft-server"
+ ports = ["server"]
+ }
+
+ resources {
+ cpu = 2800
+ memory = 1900
+ }
+
+ service {
+ name = "minecraft"
+
+ check {
+ type = "tcp"
+ port = "server"
+ interval = "30s"
+ timeout = "2s"
+ }
+ }
+ }
+ }
+}
+
diff --git a/data/nomad/moimoin.nomad b/data/nomad/moimoin.nomad
new file mode 100644
index 0000000..12f7241
--- /dev/null
+++ b/data/nomad/moimoin.nomad
@@ -0,0 +1,133 @@
+job "moimoin" {
+ region = "global"
+ datacenters = ["samfelag"]
+ type = "service"
+
+ group "moimoin" {
+ count = 1
+
+ restart {
+ attempts = 10
+ delay = "30s"
+ }
+
+ # VOLUMES
+
+ volume "mysql" {
+ type = "host"
+ read_only = false
+ source = "moimoin"
+ }
+
+ # NETWORK
+
+ network {
+ port "moimoin-front" {
+ to = 5000
+ }
+ port "moimoin-back" {
+ to = 3000
+ }
+ port "mysql" {
+ static = 33306
+ to = 3306
+ }
+ }
+
+ # TASKS
+
+ task "mysql" {
+ driver = "docker"
+
+ user = 1001
+
+ volume_mount {
+ volume = "mysql"
+ destination = "/var/lib/mysql"
+ read_only = false
+ }
+
+ env {
+ MYSQL_DATABASE = "xat-osr"
+ MYSQL_ROOT_PASSWORD = "estrell4galicia"
+ }
+
+ config {
+ image = "arm64v8/mysql:latest"
+ ports = ["mysql"]
+ }
+
+ resources {
+ cpu = 500
+ memory = 512
+ }
+ }
+
+ task "moimoin-back" {
+ driver = "docker"
+
+ config {
+ image = "marc.sastre.cat/moimoin-back:latest"
+ ports = ["moimoin-back"]
+ }
+
+ env {
+ MYSQL_HOST = "${attr.unique.network.ip-address}" # "100.91.225.117"
+ MYSQL_PORT = "33306"
+ MYSQL_USER = "root"
+ MYSQL_PASSWORD = "estrell4galicia"
+ MYSQL_NAME = "xat-osr"
+ CHAT_ADMIN_PSWD = "cervesaEspecial"
+ CLIENT_HOST = "marc.sastre.cat/moimoin"
+ }
+
+ resources {
+ cpu = 100
+ memory = 128
+ }
+
+ service {
+ name = "moimoin-back"
+ port = "moimoin-back"
+
+ check {
+ type = "tcp"
+ port = "moimoin-back"
+ interval = "30s"
+ timeout = "10s"
+ }
+ }
+ }
+
+ task "moimoin-front" {
+ driver = "docker"
+
+ config {
+ image = "marc.sastre.cat/moimoin-front:latest"
+ ports = ["moimoin-front"]
+ }
+
+ env {
+ CLIENT_PORT = "5000"
+ }
+
+ resources {
+ cpu = 100
+ memory = 128
+ }
+
+ service {
+ name = "moimoin-front"
+ port = "moimoin-front"
+
+ check {
+ type = "tcp"
+ port = "moimoin-front"
+ interval = "30s"
+ timeout = "10s"
+ }
+ }
+ }
+
+ }
+}
diff --git a/data/nomad/nextcloud.nomad b/data/nomad/nextcloud.nomad
new file mode 100644
index 0000000..78f76ff
--- /dev/null
+++ b/data/nomad/nextcloud.nomad
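Review bot: `MYSQL_USER = "root"` in the `moimoin-back` task of moimoin.nomad has the application log in as the database superuser, so a SQL injection or credential leak in the backend gives control of the whole MySQL instance rather than of the `xat-osr` schema only. The `mysql` task can create a scoped account at first start if `MYSQL_USER` and `MYSQL_PASSWORD` are added next to `MYSQL_DATABASE` in its `env`, and the backend should then use that account. `CHAT_ADMIN_PSWD` sits in the same plaintext `env` block and should be supplied at runtime from a secret store rather than committed.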
@@ -0,0 +1,188 @@
+job "nextcloud" {
+ region = "global"
+ datacenters = ["samfelag"]
+ type = "service"
+
+ group "nextcloud" {
+ count = 1
+
+ restart {
+ attempts = 5
+ delay = "1m"
+ }
+
+ # Network
+
+ network {
+ port "nextcloud" {
+ static = 8080
+ to = 80
+ }
+ port "mariadb" {
+ static = 3306
+ to = 3306
+ }
+ # port "collabora" {
+ # to = 9980
+ # }
+ }
+
+ # Volumes
+
+ volume "nextcloud" {
+ type = "host"
+ read_only = false
+ source = "nextcloud"
+ }
+
+ volume "mariadb" {
+ type = "host"
+ read_only = false
+ source = "mariadb"
+ }
+
+ # volume "collabora" {
+ # type = "host"
+ # read_only = false
+ # source = "collabora"
+ # }
+
+ ###
+ # NEXTCLOUD
+ ###
+
+ task "nextcloud" {
+ driver = "docker"
+
+ user = 1001
+
+ env {
+ MYSQL_PASSWORD = "hxKOD13MUh"
+ MYSQL_DATABASE = "nextcloud"
+ MYSQL_USER = "nextcloud"
+ MYSQL_HOST = "${NOMAD_ADDR_mariadb}"
+ NEXTCLOUD_TRUSTED_DOMAINS = "nextcloud.samfelag.xyz"
+ OVERWRITEPROTOCOL = "https"
+ }
+
+ volume_mount {
+ volume = "nextcloud"
+ destination = "/var/www/html"
+ read_only = false
+ }
+
+ config {
+ image = "nextcloud:latest"
+ ports = ["nextcloud"]
+ }
+
+ resources {
+ cpu = 2000
+ memory = 512
+ }
+
+ service {
+ name = "nextcloud"
+ port = "nextcloud"
+
+ check {
+ type = "tcp"
+ port = "nextcloud"
+ interval = "30s"
+ timeout = "2s"
+ }
+ }
+ }
+
+ ###
+ # MARIADB
+ ###
+
+ task "mariadb" {
+ driver = "docker"
+
+ user = 1001
+
+ env {
+ MYSQL_ROOT_PASSWORD = "hxKOD13MUh"
+ MYSQL_ROOT_HOST = "${NOMAD_IP_mariadb}"
+ MYSQL_PASSWORD = "hxKOD13MUh"
+ MYSQL_DATABASE = "nextcloud"
+ MYSQL_USER = "nextcloud"
+ }
+
+ volume_mount {
+ volume = "mariadb"
+ destination = "/var/lib/mysql"
+ read_only = false
+ }
+
+ config {
+ image = "mariadb:10.5"
+ ports = ["mariadb"]
+ }
+
+ resources {
+ cpu = 1000
+ memory = 256
+ }
+
+ service {
+ name = "mariadb"
+ tags = ["mariadb"]
+
+ port = "mariadb"
+
+ check {
+ type = "tcp"
+ port = "mariadb"
+ interval = "30s"
+ timeout = "2s"
+ }
+ }
+ }
+
+ ###
+ # COLLABORA
+ ###
+
+ # task "collabora" {
+ # driver = "docker"
+
+ # env {
+ # aliasgroup1 = "https://nextcloud.lajuntament.space:443"
+ # username = "lajuntament"
+ # password = "eLn1lIm4rc"
+ # }
+
+ # volume_mount {
+ # volume = "collabora"
+ # destination = "/etc/loolwsd"
+ # read_only = false
+ # }
+
+ # config {
+ # image = "collabora/code:latest"
+ # ports = ["collabora"]
+ # }
+
+ # resources {
+ # cpu = 2000
+ # memory = 1024
+ # }
+
+ # service {
+ # name = "collabora"
+ # port = "collabora"
+
+ # check {
+ # type = "tcp"
+ # port = "collabora"
+ # interval = "30s"
+ # timeout = "2s"
+ # }
+ # }
+
+ # }
+ }
+}
diff --git a/data/nomad/old/collabora.nomad b/data/nomad/old/collabora.nomad
new file mode 100644
index 0000000..a8c0132
--- /dev/null
+++ b/data/nomad/old/collabora.nomad
@@ -0,0 +1,67 @@
+job "collabora" {
+ region = "global"
+ datacenters = ["samfelag"]
+ type = "service"
+
+ group "collabora" {
+ count = 1
+
+ restart {
+ attempts = 5
+ delay = "1m"
+ }
+
+ network {
+ port "http" {
+ to = 9980
+ }
+ }
+
+ volume "collabora" {
+ type = "host"
+ read_only = false
+ source = "collabora"
+ }
+
+ task "collabora" {
+ driver = "docker"
+
+ env {
+ domain = "nextcloud\\.lajuntament\\.space"
+ username = "lajuntament"
+ password = "eLn1lIm4rc"
+ extra_params = "--o:ssl.enable=false"
+ }
+
+ volume_mount {
+ volume = "collabora"
+ destination = "/etc/loolwsd"
+ read_only = false
+ }
+
+ config {
+ image = "collabora/code:latest"
+ ports = ["http"]
+ }
+
+ resources {
+ cpu = 1500
+ memory = 1024
+ }
+
+ service {
+ name = "collabora"
+ port = "http"
+
+ check {
+ type = "tcp"
+ port = "http"
+ interval = "30s"
+ timeout = "2s"
+ }
+ }
+
+ }
+ }
+}
+
diff --git a/data/nomad/old/pihole.nomad b/data/nomad/old/pihole.nomad
new file mode 100644
index 0000000..bc6e8c5
--- /dev/null
+++ b/data/nomad/old/pihole.nomad
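Review bot: In nextcloud.nomad the `mariadb` task sets `MYSQL_ROOT_PASSWORD` and `MYSQL_PASSWORD` to the same string that the `nextcloud` task receives, so the web application effectively holds the database root credential and the separate `nextcloud` user gives no isolation. Use two distinct values, injected at runtime rather than written in `env`. The commented-out `collabora` task at the end of the file still carries a `password = …` line; commented text is published like any other, so remove the value or the block. `port "nextcloud"` (static 8080) also has no `host_network`, which would let clients reach Nextcloud over plain HTTP around the Caddy front end if the client's default network is reachable from outside; that is worth confirming.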
@@ -0,0 +1,73 @@
+job "pihole" {
+ region = "global"
+ datacenters = ["samfelag"]
+ type = "service"
+
+ group "pihole" {
+ count = 1
+
+ volume "pihole" {
+ type = "host"
+ read_only = false
+ source = "dns-pihole"
+ }
+
+ volume "dnsmasq" {
+ type = "host"
+ read_only = false
+ source = "dns-dnsmasq"
+ }
+
+ restart {
+ attempts = 5
+ delay = "15s"
+ }
+
+ network {
+ port "dns" {
+ static = 53
+ }
+ port "http" {
+ to = 80
+ }
+ }
+
+ task "pihole" {
+ driver = "docker"
+
+ volume_mount {
+ volume = "pihole"
+ destination = "/etc/pihole"
+ read_only = false
+ }
+
+ volume_mount {
+ volume = "dnsmasq"
+ destination = "/etc/dnsmasq.d"
+ read_only = false
+ }
+
+ env {
+ TZ = "Europe/Amsterdam"
+ WEBPASSWORD = "elbonfeix"
+ ServerIP = "100.107.148.47"
+ }
+
+ config {
+ image = "pihole/pihole:v5.7"
+ ports = ["dns", "http"]
+ }
+
+ resources {
+ cpu = 100
+ memory = 64
+ }
+
+ service {
+ name = "pihole-gui"
+ port = "http"
+ }
+ }
+ }
+}
+
diff --git a/data/nomad/old/unbound.nomad b/data/nomad/old/unbound.nomad
new file mode 100644
index 0000000..78031a5
--- /dev/null
+++ b/data/nomad/old/unbound.nomad
@@ -0,0 +1,47 @@
+job "unbound" {
+ region = "global"
+ datacenters = ["samfelag"]
+ type = "service"
+
+ group "unbound" {
+ count = 1
+
+ volume "unbound" {
+ type = "host"
+ read_only = false
+ source = "dns-unbound"
+ }
+
+ restart {
+ attempts = 5
+ delay = "15s"
+ }
+
+ network {
+ port "dns" {
+ static = 5533
+ }
+ }
+
+ task "unbound" {
+ driver = "docker"
+
+ volume_mount {
+ volume = "unbound"
+ destination = "/opt/unbound/etc/unbound/"
+ read_only = false
+ }
+
+ config {
+ image = "mvance/unbound:latest"
+ ports = ["dns"]
+ }
+
+ resources {
+ cpu = 50
+ memory = 64
+ }
+ }
+ }
+}
+
diff --git a/data/nomad/organice.nomad b/data/nomad/organice.nomad
new file mode 100644
index 0000000..d7ca222
--- /dev/null
+++ b/data/nomad/organice.nomad
@@ -0,0 +1,52 @@
+job "organice" {
+ region = "global"
+ datacenters = ["samfelag"]
+ type = "service"
+
+ group "organice" {
+ count = 1
+
+ restart {
+ attempts = 5
+ delay = "1m"
+ }
+
+ network {
+ port "http" {
+ to = 5000
+ }
+ }
+
+ task "organice" {
+ driver = "docker"
+
+ env {
+ ORGANICE_WEBDAV_URL = "https://nextcloud.lajuntament.space/remote.php/dav/files/marc/"
+ }
+
+ config {
+ image = "twohundredok/organice:latest"
+ ports = ["http"]
+ }
+
+ resources {
+ cpu = 100
+ memory = 128
+ }
+
+ service {
+ name = "organice"
+ port = "http"
+
+ check {
+ type = "tcp"
+ port = "http"
+ interval = "30s"
+ timeout = "2s"
+ }
+ }
+
+ }
+ }
+}
+
diff --git a/data/nomad/pasta.nomad b/data/nomad/pasta.nomad
new file mode 100644
index 0000000..ef1656c
--- /dev/null
+++ b/data/nomad/pasta.nomad
@@ -0,0 +1,70 @@
+job "pasta" {
+ region = "global"
+ datacenters = ["samfelag"]
+ type = "service"
+
+ group "pasta" {
+ count = 1
+
+ restart {
+ attempts = 5
+ delay = "15s"
+ }
+
+ network {
+ port "backend" {
+ to = 3000
+ }
+ port "client" {
+ to = 80
+ }
+ }
+
+ # PASTA SERVER
+ task "pasta-server" {
+ driver = "docker"
+
+ env {
+ PASTA_PORT = "3000"
+ PASTA_DIR = "/pasta"
+ }
+
+ config {
+ image = "marc.sastre.cat/pasta-server"
+ ports = ["backend"]
+ volumes = ["/mnt/vatnajokull/nomad_volumes/pasta:/pasta"]
+ }
+
+ resources {
+ cpu = 100
+ memory = 256
+ }
+
+ service {
+ name = "pasta-server"
+ port = "backend"
+ }
+ }
+
+ # PASTA CLIENT
+ task "pasta-client" {
+ driver = "docker"
+
+ config {
+ image = "marc.sastre.cat/pasta-client"
+ ports = ["client"]
+ }
+
+ resources {
+ cpu = 50
+ memory = 32
+ }
+
+ service {
+ name = "pasta-client"
+ port = "client"
+ }
+ }
+ }
+}
+
diff --git a/data/nomad/presencia.nomad b/data/nomad/presencia.nomad
new file mode 100644
index 0000000..a2964b9
--- /dev/null
+++ b/data/nomad/presencia.nomad
@@ -0,0 +1,41 @@
+job "presencia" {
+ region = "global"
+ datacenters = ["samfelag"]
+ type = "service"
+
+ group "presencia" {
+ count = 1
+
+ restart {
+ attempts = 5
+ delay = "15s"
+ }
+
+ network {
+ port "http" {
+ to = 5000
+ }
+ }
+
+ # PRESENCIA APP
+ task "presencia" {
+ driver = "docker"
+
+ config {
+ image = "marc.sastre.cat/presencia"
+ ports = ["http"]
+ }
+
+ resources {
+ cpu = 50
+ memory = 64
+ }
+
+ service {
+ name = "presencia"
+ port = "http"
+ }
+ }
+ }
+}
+
diff --git a/data/nomad/registry.nomad b/data/nomad/registry.nomad
new file mode 100644
index 0000000..ad31058
--- /dev/null
+++ b/data/nomad/registry.nomad
@@ -0,0 +1,52 @@
+job "registry" {
+ region = "global"
+ datacenters = ["samfelag"]
+ type = "service"
+
+ group "registry" {
+ count = 1
+
+ restart {
+ attempts = 5
+ delay = "1m"
+ }
+
+ network {
+ port "http" {
+ to = 5000
+ }
+ }
+
+ task "registry" {
+ driver = "docker"
+
+ env {
+ REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY = "/data"
+ }
+
+ config {
+ image = "registry:2"
+ ports = ["http"]
+ volumes = ["/mnt/vatnajokull/nomad_volumes/registry:/data"]
+ }
+
+ resources {
+ cpu = 100
+ memory = 256
+ }
+
+ service {
+ name = "registry"
+ port = "http"
+
+ check {
+ type = "tcp"
+ port = "http"
+ interval = "30s"
+ timeout = "2s"
+ }
+ }
+ }
+ }
+}
+
diff --git a/data/nomad/webhooks.nomad b/data/nomad/webhooks.nomad
new file mode 100644
index 0000000..608511f
--- /dev/null
+++ b/data/nomad/webhooks.nomad
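Review bot: The `registry` task in registry.nomad sets only `REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY`, so the registry runs without authentication and anyone who can reach its `http` port can push as well as pull. The `marc.sastre.cat/…` image references in the other jobs suggest this registry is what they pull from (an inference from the names), in which case an overwritten tag would be run by the next allocation of moimoin, pasta, presencia or webhooks. Add `REGISTRY_AUTH = "htpasswd"` with `REGISTRY_AUTH_HTPASSWD_REALM` and `REGISTRY_AUTH_HTPASSWD_PATH`, the htpasswd file being supplied as a secret, or enforce authentication for writes at the reverse proxy.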
@@ -0,0 +1,52 @@ +job "webhooks" { + region = "global" + datacenters = ["samfelag"] + type = "service" + + group "webhooks" { + count = 1 + + restart { + attempts = 5 + delay = "1m" + } + + network { + port "http" { + to = 6000 + } + } + + task "webhooks" { + driver = "docker" + + env { + CONFIG_FILE = "/app/data/config.json" + } + + config { + image = "marc.sastre.cat/webhooks:latest" + ports = ["http"] + volumes = ["/mnt/vatnajokull/nomad_volumes/webhooks:/app/data"] + } + + resources { + cpu = 100 + memory = 128 + } + + service { + name = "webhooks" + port = "http" + + check { + type = "tcp" + port = "http" + interval = "30s" + timeout = "2s" + } + } + } + } +} + diff --git a/modules/server/nomad.nix b/modules/server/nomad.nix index 7c2ae74..1aae9fe 100644 --- a/modules/server/nomad.nix +++ b/modules/server/nomad.nix @@ -47,11 +47,11 @@ in }; }; - # --- Secrets --------------------------------- - age.secrets = { "nomad.d/consul-token.json" = { - file = ../../secrets/nomad.d/consul-token.json.age; + file = if cfg.server + then ../../secrets/nomad.d/consul-token-server.json.age + else ../../secrets/nomad.d/consul-token-client.json.age; mode = "644"; }; }; 
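Review bot: The context line `mode = "644";` in the `age.secrets` entry of modules/server/nomad.nix leaves the decrypted Consul token world-readable on the host, which undoes part of what splitting the server and client tokens achieves: any local account on thingvellir can read the server token. Prefer `mode = "400";` together with an `owner` matching the account the Nomad agent runs as; if the agent runs under a dynamic user and that is why 644 was chosen, handing the file over through systemd credentials would keep it private. The attribute set starts above the hunk, so the rest of the entry is not visible here.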
diff --git a/secrets/consul.d/agent-token-reykjavik.json.age b/secrets/consul.d/agent-token-reykjavik.json.age index 67b184586ee8933ae7579907c547d0a2f5b340c6..c99c78b19fb7f91f9c40ab22df885463bf2adcb9 100644 GIT binary patch delta 329 zcmV-P0k;0^0_*~iEPpmHOG;}ibyiwMN;gn2WkpLuLs4x{Z%%nJbXPG$V{le-OiF1@ zGdXiYV+vGwdUaS&MrKTGPE%r4G)-n`SaMZ$FHvbQYHK(~ZE{j}W=COBXIVB*I0`K- zEg&y>Pis?2c6w4VD@j^bLPA9}PAgeRNoP<|FmyCTHAr@3aeq=uPHt2$SYrwW;&Oz( znNR;Z2bo1`J+i&)3mE7duh)hHFHC?XL>3HsUR;^8H4Z%yhgcmZ7%EuAGm+e+h3bY+ zLzU;wlF$e24ESSX9rvd%C#@cf=c!QLOY(|I3!}aet)Yg4my3TJA$#!AAp+Q&LBy@; zk3>*>bwS9X_CljUhe#%o{AlYl^}%C9UgZETVL0{?`1<5noTIEcT@e{ge)AV2X=zWx bKp^~@%{Kvp#Q*iI7tJsx_Mt;H=yVD4*+_;> delta 329 zcmV-P0k;0^0_*~iEPqTdHDy;?YEVU4HCb^qa7b%2XIep3T10a*X=O4+X=idnaCS2? zX<0QwV+vJ8cyKawOm|d9Sa41a#l=ZMt^#7K~GL}M^Os=1Jg0x zdOmvSn|x{h8mvb6$l1JCWPYRxuy31~z&!R4SXRaTWgR4G%@ngKgqBKbC`)EBVXVL! z*3t?trcDQR2k3k@P}>EnCfC39xrSqXPjB_`oBdl`@r~dkV4>k_|7=2B$!>cKivYk=4(AoJ+Js(RUu2!wg0>h(9D?~JMHd9JgP-JUrOfyh4W=ugha#JucMk`EfQfXyP zM`Ln9FbXhcW_oQ^dQ?V5P-$6hOh+&>Suj|4Wmr^pMruWLHf&*UIC)b=H#0?VZwf6w zAaiqQEoEdfH8n9gAZt!)X--ifFi2-HF-Av3O+<2ab1zLnIe%46Qb9OsbTeUZN?Br2 zO-eX+O*Bw)S#)_>3P?FxRZ?+ta%*jNX-Z9Sb7E;rL{)1zaw|?(Y(aB!Q7}(%Pc>CH zRWM{{3N0-yAZk%zH$_!sH)B{gL1lPYGe$#7VNYT-cvf0DFH}%BS6E?dV`o-NNHtJR z3PVqb3t$q?P=DBGhw5l$t3{chXnEGxkm`Ypg7x@^gGTvgdLd-I`3%8r#CLDcp_)a4 zVteo2F?f_-9F!_UhbF$Wn604z delta 440 zcmV;p0Z0DY1KITG*eYUb!0Vbcz;4QZ%%J_PginBPC`+0 zaCU4@a5y(wFKA9MOa8zG%$BDb9PQ{YdA}2Oj&X^O-g!5S4K*BOgL3RL`73D zY*lkO3N0-yAa6xbYjjdIQ)FguS21rdOG!a7M=(n^FiL51V{S$=FflS=FhN#zNpVeM z3b7>n9Ox5rmwzdiz?L=amv~wM>g)y}PNM z;dmn>_#P?+G<6@mu0Gn9gUHF<%x ssh-ed25519 GWuf0Q MD7uGzKIk90mRQJVI/HKk9MMbI3HwkwwKEoLc/R8qyQ -m2K5DUI+O+ufDWl1faCwR+9nA8vxAQW5pptwgEhzMJI ---- JkkPxFdtVCa3MQqLCpJ7GBajuyQAyHjwr6fbCV81qdA -6JJ7DYb@3z9WnC R4H-Қ {Fo -ZJ -JDa~DLy\rEGAbfj`!Sfi+w4fA1ye2`L>%'o"'hԵ;3ZHPa @ΊO0[VI|5cSȗ#3U2|,+Z2BaX*0qRglPz5D*#m \ No newline at end of file +-> ssh-ed25519 GWuf0Q UGRQaYwj+drn/22AfMDMKsoO0APyZA0Q7KychsCafUs 
+STKHeUzgmNHQBzoAxzA37QNTHWiFFu+CqwPw8pKfRd0 +--- VHt9chFlFpduvg0IMozIiFr3cfTBtxke2TeZBaZakEg +V 'SAL|5I֊T&uTiSKYA!Jws[@d٩"%Xo.J-OWajBQ{g VD>)wÎ[BF|o(m6bERs?럓!|b‡an߂6>;KNC')gK"C4 +)f#~riF@den89 uM紖T5tD<_zp: \ No newline at end of file diff --git a/secrets/consul.d/consul-agent-ca.pem.age b/secrets/consul.d/consul-agent-ca.pem.age index fffbeeff469676d8f2cc2a676c2ad32be8f43edd..e0a9c40b770a4cdf6e5c831859cad2c9a87e62f8 100644 GIT binary patch delta 1464 zcmV;p1xNbk3+4-uEPqr?a5GjlWaY zLo##>2Q8IHeQ8{^M3bCJ69m_AS(iNHE zvP`YcyxTZF@Ur%H5Qu`~q^+Lxt*JZZfJWK@+S+qAQbf%Yy4>5Jvj+}}Doz1ypV}Hr zKJDLgJzrz$CF;5N%XsUEOP)_UpIL`Vmn{>UFLX}UM;1cpQlO6J#bAV-ptab6bFj)l zU9n<+p`uYjGen}zd08l7%)SMX46PV@?+gOX1CNBGj(Pam4<7C6eHkbO5x1B{LR1)B z0?>5xZvtV7onE`7*dPE2v2CZNMNoEOr(f&~t@j-)DZw6VDZzM$+$Ti z3-_tvGbcD)Yv{d3C(7|S+v#HWsF$PR6qX=!lxw&6DeHib#<#Z7l4MTzJL9M}GQX~W zn2n$+z|{#YYcL(bwT%L%WT#@;y^3n_x>&XZ6aN0-uMlVw3p$*4A7d1qh$eE6>J!

YwE2Gg9(_mb%~s=$Y(U68fD;qrPQ=b2F;sC zvhuz3YI%tO7mr0s`z(>qI(;HiwMFfJ%UB0O3W}c%dYAN{5sT5G&oEnhWI5nr0IF*A zVFX*mb!;HBnr|S?&1$>;DjtxK9fHU=pZ6xUfS%M6RDe~LC+ezL|G;y?!lLW(OPL{L zdz4`-v!uYEy&Rkf0i|)-Q8EMVkF@{iG8Fu5V%YDeC7P45E-=d>x!q6o2nt%vtc z5{q`kK3B8i$9SigorfJzWkR~zMsOU9bm`&xCi$gC19f;?R>sRFIKN#Xf9-wh_yED?Vjvcl zOV=^85W7e)H%SObkMc9^3Q;U-dm-ig$fgUi!HB_g)Z%xka2pB8Y{KRY!w>ICudd}d zykj`@kJ>nT-5cx9e={bpL;||8$?a!h0@SspRJ#8P9(l1;XM9|4!@34Cf) zNLX>82JnvBhF(~x&P26n<|CF^oNU#CJ%N)zF5$!~cl{QS$Y&a8BUJb6=yVQQkj>yXDv8GY=`xEn7j z>)Ml^9Pq=+U@t7&oDoWA5R}{J{;UGEMqF;WE#9fV{1=e>>-B_dgR@+b0v19C`5vAv zMEuIFwhOoL)FHMwaQ delta 1464 zcmV;p1xNbk3+4-uEPrTEWNJuxQd&uQF-dM?S~7KWYBVc1aWP6cWN}ANX;@1{P**Qm zW>POONeV_QPEBq}VM$9^XHa)AL`QRIbumLUNlq&-ZfbB^M0aFwI74t$dR8|yQ3@?S zAaiqQEoEdfH8n9gAbMz4M@V-dLpXF-N@OomZ)RmkFLpOVL`E}ES8hRMS4MegY-~k$ zPj@&pSxHTGZ#P133PgHHb2d^nZB%bqSWr()XICqEb5T`iI9Et|W>I%}R5(OVcu#ap zYAaB4k?|LQaxYdYMOQOZLvJ;Dbt^AfIZ#0{QZa2SW@1)|UNs(FKBcW~S zUK@&k;-N0>S4jC0e}Nh{rH~T@9?aeBjm$&WUgRnB-d}CaYufaoDbvGZwuwNx&{nve zShsggo7OMDvilBToNyK{$EAW`^zYw3iZd$BtPea+P zZk{p(m-SiVXJ&mbgk$e(FrTyYP3p5xg>92fpPgWnu9J6dJfL^V{Nc% zX-VhCnY@_!+gLxX43o&WK=)1_;$iv=Qo zxc+hW!vs6=VnuWfy)Dx{P?wry2w$MgvR;qRr-p;&UP$XC(3cC(XsL-2ZVx$cj=Fy_ zOFYlZQIS+zw{$%;acJ1mZfUdM`TM$Z0Qh8HYfFl(+L%h)Ic2ow6-{yiU$4o$w?Gk% z1P`j%{6gt3?&-=J~U4jDdN@cgdCR$ax4rL z*gY(}A7U_$=qEXh7Vdsv+gzPUTQb{NIB+iW08L4aOzD>*q0@j8qqIDGtNwU@SX6-O zvPpVhq|;A8ae`=MvgmQgbABYaOF;b^Q7OgMzOVq#Y?J1#?{%oqs{=eoWmiDkM(}Pr zsYU11*hzy|D#-*#4Z9)ONCmPDv)1lVm@=J>kF9QR8fVsAGYQ=~dgsvs8r7vCTaTBa zXklu`Sp>`RK4&LS!r0ISN2Mlz;^{3u=CypC<7@_x#|4R-!^@5{t!Z~~uu3tz6a`*_ zUbO7QaKJGJ{Csh$-um!7ON-^SfA&@Z{QWQniWim%U6~_f@TEn>?J#=_zj&TC|;}6-&<~maP)@(3#MUc<^jEa5_re$^rTD7)33Ah?;qRdIUfY zwpu4tL#4j8p4T4Tcl$Bvik);AlFByUULt zhgm1wzF;OpL1#FJd_fB5gq+%Gz3bwwfYvR0Fj_=tWV#k`q@}r}8)0lZ3=1Jw z;3V-8*C8khXW+`$J7NKIg;}vSYm5xkTZeu?2}QeC@s=<#2AUNso+GqKp=%bLfk88S zD`Cx`Nv!QyB*wK_5UHv%Pk;yrYZFbiX@9v&n^mOV|9x&dSmc&W^Qg9-2{8%VoTV(rf#L>HMT(4jP3(~pU(qqenNdKlya<`rpL|4srhP`d}Y>AAght>Xvfq&8t0T@A2@$rQMV1 
j=`&erkk9V?+Wmgw!`*oPa%ZQ?!*37I8eaj!!EgTqH`k|Y delta 443 zcmV;s0Yv`t1M&lqEPp{yXIf%XNN93WFhO!^ICO4oXm58gWppq}Qa5ifZ%%naIA}Rg zSTtrrSqf28ODjTRFE(Q3Rp-_cUXB+M>9@!dTV-GGIwo+A$eDTqFS%w`8qVg3dA`=j!BHX9`kMFiLu3WkO_gV^mN>S3+brF7EL~uxFQfqd3 zV|Yh&FEdweL~utq3TrtlZBtZiFiv+%D`_-nc}#auFE%$zS~gTeLUwgmb#P}(PiZnS zWN&Lp3N0-yAZRZ!Wj1VPMno`rMM^YNLvdO;Q)*RaGj?TJa(FRAb5&zuH*8F4Nmw&5 z3PG;wNk&5{=zr?(^#F$_Ux2vQ&a<>V&B0WSwGusIHYjck;JUmA=d~;E-9A@kfvAg_ zkAD%L^AuBWl<(@%$?XJ^ZQH!@3s=ab)3b^Vfhm(^e0#H>AXL6=)1Z?pS%cvI&=`!@ zIyoUz{i#P>ib)#xZK)_`jpQXq==gTAS2Sc-n{bAL!kF*t2#WoTJtd!MX| zNV}CN6dipUy;Tt0I%oA5ZW(1%u%&heINE&3gbBUj?rGj~l|U>pa!qa_Wq*_{i=K8M zE4(P?LE5-&)cQNM-|3_|I(a0fTe}I@)hK&vL~Ik^F?(rJgnl+*^F4$wW7SBKf;jzA zVJ<~jy;qBsa;bsesM$rY;}1~Cp3ZO<`7H=_47|bKj3I# Ev^Gx6a{vGU 
diff --git a/secrets/consul.d/samfelag-server-thingvellir.pem.age b/secrets/consul.d/samfelag-server-thingvellir.pem.age index 0fed76992db043bc73facf0b782224100ccf885b..ec77a94fc1c5bfe9a163daff2dec8692b274cdbe 100644 GIT binary patch delta 1274 zcmV#(ad30++S4D1ZY(Z!%LorTgGh$g}Syn=3P<1p^XGb(< zMsibkRSHp0R%1azXiaA}D>X}Jc{oF6P-b*6Z(1>SI7UZlXJ>6IMqxHEbyIe7RSGRW zAaiqQEoEdfH8n9gAZt!)X--ifZbL?QWKLLDVKHzqOK56MZhvk}P)jj1O*eNjdP7P< zcy4DaH+4cVMR`|E3Q=KLOl(XsXDew}aBg>FW^qe5bw*Ema&Rw2c2-YLFk(b#c{68B zHdr}#3N0-yAbDwMP-16kVMA9>GcrzkWlv6TFn4M*RCri#XlHU*D`8bcL3CMfaW`>I z3MT7j(G7)>X@9zAcZ6gVif%A@;RyZBZt2FxOsKh@ihaW>vD!X@UVH$w$~n*jq8OfgxY`Qu84UH5=+UZ1%P!`%CdJk`q`Mk4 z?X6twl}Ws7Q!uJ>nn;lm-Qbtg5muPv;KknH#D98Mbc|0CChLSDkbED_tbm#=e^>Wz z6yV)JEg2I*;t0Qv5-_m@#zi@C`9RSYZ~^mKd{@VlY_pY!#Y0R2C6SiWt0V?iw|#?@+(l=eZLnmOT19N9|Yztj8}xYyjDuS$NJNwhzLK zFMrPn2w1&Whe2F%yB^>?xAvXQX^!^EnQFs~=Uo<%W8QFX>0TQRy5nXb%pbi1rN(U) zn+%|4`I~S#U4Ol(%UQj0|7+^#M4D{-+JEKaL522}RrrPh8!BgDQEizEu+31jBBlE= zU^dL~i^h5mPav|jwq0<&LAZ{KXCvl*ZaI9-X%{MB#DrPYOeFs}njN8wDNQUvA4RB~ zK|jcWzTNOwh!My;zuml)v4LOc^eq75o8=mGk76t%=P?Z-t1r#&tBwlHQ=QzgLWOtIBCa! 
z$HRoL(b3HMz!0M*vA{|D9^!OAu3C=?;X?A=(XWB){A7>wq2olABBC|A39KLY-HjW} zm4&ts;hfvb-IZH|fd^{~UvSF6S|U*|i8BAsO>-=;n3IJy*PUjP6A delta 1274 zcmV4-FjZApPgY|} zR5(UqVOKduR$^#T3UqfgY*jC2YDz0%S~fOAWpqU=ZFEaxNjWiAMl^3ja&u})HAZt- zLr_jx3N0-yAWunJD??C2ICNJ_WH4zkQ(7=iY-M(DFE(0LRZTc6c4Km7Q%h)4YHDds z3aoCEu2B4q)PDgSWxz;r1&hK)zjBlpe1+wODU06XEQ9=>>*B;fKBd#$@y-yDWR(TJ%6<-ch@MLql` z9&Frs?PwdtjHP;ooJel2<@KtZmhS{%_yB`PLoo`r?0-hfhW*e{bq_d=?})B!=X9E9 zla2#Fg_nK>b#oOCe$ls7>FO8OMMG9f*Yiu_wnEjb&g)aOU)% za4~Kqaov;Z%M_&SV`x3vt5Qldk%H;6^xGfw6#A*}vgnyFz2V51hsTlaV`7n|x-t3G z9xV1pM1TKbxD#9p+!(ALiyp!{GB|^apT`q7IMVSJgUNs_w4n2KJXXc@(SzHLTgcVi zGpeJS%(HVO6;PS7V$>Fffk1wcq~=KVFrqyJ&X9sEcT{SgxWP(Q4Fz)cmQi zvwxw{Qb*ehE1p8@qZ_{fKoFvMKMiE&wzy^Gk_Ad-?n6(FsM+( zo0Wj0)EN6F<_!j@0PYW(b=G}I^!Pp&%mT%?({vFdOc!9^pV18x@K^sE`X_^+wRyw4 zeGH9S*(vpcr@ioc@FqK3w!xpr*p@Nd5$t@`OiifnL1gQmj;C7px3S%Gz%9bQgjArZx_N)tBy z=9c}N`>j#bxWQaQ!)p=Q*$zgMU-akiMz_O;1sy){N}BE;Vv4th4v*zO$>6-o==MB3 zK-X5R`;y6oY+SfqZwovcY|0Nlr*lq7a+M6H4j%&3>u||F6m=UY+*izjFWL(Zvpy_! z^g@qoC=s{~^^MW)%z)b@RwR&wN$#hlsuDqlY12~S?+qw;m{5qBI5xZfkpW}Dmu@U^ kRG#PDdj~&(;0XwIAHGa@^^76--HseJp{~Rikkq-pt#PPV8vp7ccS(59Y5@T;ZS!T|HKuK%`i;!K~ zkk&*V#MPRtH&GOfH`6F9O`_c~|6`l+1JrWe@Z?r{eM!#oNfQB!Z4j|Vbh-IF-qfm@ zEN}`JBOunmNNCA3S&v3(Yk);F7O)wUGwo?z+2VDoCl!_o>^g79L|^kE<9T73_(qjF zxdrCPHvwKPOce;y+_w#`+X_Zdp`6l=>dl(CzE)XRAVKK;qyuy>$NHH$=^_R+G_}Kw z>0X%6c^2icSJzW197~qtI|G<NLwjSTh2pE#|40 zSZO`2pq{hV#BQ9W!liex@lf0!6t8bRU)l#l_Q8dtmG0ME3}2j)KCPgg>jm8X@%NZd z&mZpHKD~N;=hXdQ%QyG5i{I=gd+(oJe)^FXz8_sX_w()I-R|P?pD&C355GUd9B!=M Ned)b=bl4~^{R6!5wcr2% literal 0 HcmV?d00001 diff --git a/secrets/nomad.d/consul-token-server.json.age b/secrets/nomad.d/consul-token-server.json.age new file mode 100644 index 0000000..0bdb95a --- /dev/null +++ b/secrets/nomad.d/consul-token-server.json.age 
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 GWuf0Q 4t1WD76CN3hhc3073abxAsobKWKDX+yemaIxHy8PiDk +9O2cAi7MJVqGiTNnOIez4MACEYMB3/YyLSz4Z4YWe2c +-> ssh-ed25519 kNjiNQ WaXpqZbqRuLo9q241VclrLfHOQ94VRB8D0RY2es8KBM +P6iayA+emjHOEg59EzXU32RCRKZaGS0j7d3wk4Is6tQ +--- QsnjyrQe2d1K59Q/i3/NIXaK87rsDf4neQS5sKJ6yeY +&8"ڨ?4 ? +$!Yju*8cDC!" |hV9N>lvDH1V2 XCA'!-kрBˡ \ No newline at end of file diff --git a/secrets/nomad.d/consul-token.json.age b/secrets/nomad.d/consul-token.json.age deleted file mode 100644 index 1c50fc6..0000000 --- a/secrets/nomad.d/consul-token.json.age +++ /dev/null @@ -1,9 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 GWuf0Q /XcgfDBTfuPwmHppIuebKrUG7kwyWvwvV9s4Uz8F5Vc -T9a+SfUQljNue/MuLGYM88RdeL//HFHVi73h1HIxKR8 --> ssh-ed25519 zhVGHw TzasXNF1RyeJm0AJh+bKo0+8jJUeTdL38/YpfX96cDU -hHgwS5htLLV9gXBlUtyszaLQtDB5dGUc3qmWSOmSt1E --> ssh-ed25519 kNjiNQ a3ZzkIGDlAMvEUTXikMteCe969a/qxKog1KdLCmYxBY -F+sGFzXnv5SYjvI79xf0yw5Qx6azIdt9EAd6A0Fc5wg ---- EB4QDFEC5bbpBEUq5r1lvlnk2g5yV4wrTAIOM30F50Q -;Cs?Q\sqrb;BXnI%Xqx JU:KQtAzX;x* kfK0V-n/P \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 8859936..3d65e62 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -30,5 +30,6 @@ in "consul.d/agent-token-thingvellir.json.age".publicKeys = thingvellir; # -- Nomad ------------------------------- - "nomad.d/consul-token.json.age".publicKeys = samfelag-hosts; + "nomad.d/consul-token-client.json.age".publicKeys = samfelag-hosts; + "nomad.d/consul-token-server.json.age".publicKeys = thingvellir; }