Added consul server config

2024-02-13 00:07:13 +01:00
parent ae58914cc2
commit a09aedab3f
17 changed files with 112 additions and 44 deletions
--- a/config/consul.d/server.json
+++ b/config/consul.d/server.json
@@ -9,8 +9,8 @@
      "verify_incoming": true,
      "verify_outgoing": true,
      "ca_file": "/etc/consul.d/certs/consul-agent-ca.pem",
-      "cert_file": "/etc/consul.d/certs/samfelag-server-consul-0.pem",
-      "key_file": "/etc/consul.d/certs/samfelag-server-consul-0-key.pem"
+      "cert_file": "/etc/consul.d/certs/samfelag-server-consul.pem",
+      "key_file": "/etc/consul.d/certs/samfelag-server-consul-key.pem"
    },
    "internal_rpc": {
      "verify_server_hostname": true
--- a/docs/consul.org
+++ b/docs/consul.org
@@ -1,4 +1,16 @@
 #+title: Consul
+* Server setup
+** Create a server keypair
+Decrypt the CA (from the agenix secrets)
+#+begin_src bash
+agenix -i ~/.ssh/id_reykjavik -d consul.d/consul-agent-ca.pem.age > ~/tmp/consul-agent-ca.pem
+agenix -i ~/.ssh/id_reykjavik -d consul.d/consul-agent-ca-key.pem.age > ~/tmp/consul-agent-ca-key.pem
+#+end_src
+Create the keypair using consul:
+#+begin_src bash
+nix-shell -p consul
+consul tls cert create -server -dc samfelag
+#+end_src
 * ACLs
 ** Policies
 *** Node Policy
--- a/hosts/reykjavik/secrets.nix
+++ b/hosts/reykjavik/secrets.nix
@@ -2,29 +2,11 @@

 {
  age.secrets = {
-    # Consul -------------------------------
-    "consul.d/gossip.json" = {
-      file = ../../secrets/consul.d/gossip.json.age;
-      owner = "consul";
-      group = "consul";
-      mode = "644";
-    };
-    "consul.d/consul-agent-ca.pem" = {
-      file = ../../secrets/consul.d/consul-agent-ca.pem.age;
-      owner = "consul";
-      group = "consul";
-      mode = "644";
-    };
    "consul.d/agent-token-reykjavik.json" = {
      file = ../../secrets/consul.d/agent-token-reykjavik.json.age;
      owner = "consul";
      group = "consul";
      mode = "644";
    };
-    # Nomad -------------------------------
-    "nomad.d/consul-token.json" = {
-      file = ../../secrets/nomad.d/consul-token.json.age;
-      mode = "644";
-    };
  };
 }
--- a/hosts/thingvellir/default.nix
+++ b/hosts/thingvellir/default.nix
@@ -45,7 +45,10 @@ with lib;
    # - Server ----------------------------------
    server.consul = {
      enable = true;
+      server = true;
      agent-token = config.age.secrets."consul.d/agent-token-thingvellir.json".path;
+      server-cert = config.age.secrets."consul.d/consul-server-thingvellir.pem".path;
+      server-cert-key = config.age.secrets."consul.d/consul-server-thingvellir-key.pem".path;
    };
    server.nomad = {
      enable = true;
--- a/hosts/thingvellir/hardware.nix
+++ b/hosts/thingvellir/hardware.nix
@@ -17,6 +17,12 @@
      device = "/dev/disk/by-label/nixos";
      fsType = "ext4";
    };
+
+    "/mnt/vatnajokull" = {
+      device = "vatnajokull:/mnt/raid1";
+      fsType = "nfs";
+      options = [ "x-systemd.automount" "noauto" "noatime" "x-systemd.idle-timeout=600"];
+    };
  };

  swapDevices = [
--- a/hosts/thingvellir/secrets.nix
+++ b/hosts/thingvellir/secrets.nix
@@ -2,29 +2,23 @@

 {
  age.secrets = {
-    # Consul -------------------------------
-    "consul.d/gossip.json" = {
-      file = ../../secrets/consul.d/gossip.json.age;
-      owner = "consul";
-      group = "consul";
-      mode = "644";
-    };
-    "consul.d/consul-agent-ca.pem" = {
-      file = ../../secrets/consul.d/consul-agent-ca.pem.age;
-      owner = "consul";
-      group = "consul";
-      mode = "644";
-    };
    "consul.d/agent-token-thingvellir.json" = {
      file = ../../secrets/consul.d/agent-token-thingvellir.json.age;
      owner = "consul";
      group = "consul";
      mode = "644";
    };
-    # Nomad -------------------------------
-    "nomad.d/consul-token.json" = {
-      file = ../../secrets/nomad.d/consul-token.json.age;
+    "consul.d/consul-server-thingvellir.pem" = {
+      file = ../../secrets/consul.d/consul-server-thingvellir.pem.age;
+      owner = "consul";
+      group = "consul";
      mode = "644";
    };
+    "consul.d/consul-server-thingvellir-key.pem" = {
+      file = ../../secrets/consul.d/consul-server-thingvellir-key.pem.age;
+      owner = "consul";
+      group = "consul";
+      mode = "600";
+    };
  };
 }
--- a/modules/server/consul.nix
+++ b/modules/server/consul.nix
@@ -19,6 +19,16 @@ in
      description = "Agent token config file (should be secret)";
    };

+    server-cert = lib.mkOption {
+      type = lib.types.str;
+      description = "Server certificate (should be secret)";
+    };
+
+    server-cert-key = lib.mkOption {
+      type = lib.types.str;
+      description = "Server certificate key (should be secret)";
+    };
+
  };
  config = lib.mkIf cfg.enable {
    services.consul = {
@@ -30,6 +40,8 @@ in
      };
    };

+    # --- Config files ---------------------------------
+
    environment.etc = {
      consul-agent-ca = {
        # Consul agent CA
@@ -62,6 +74,16 @@ in
        target = "consul.d/server.json";
        source = ../../config/consul.d/server.json;
      };
+      consul-server-cert = {
+        # Consul Server Certificate
+        target = "consul.d/certs/samfelag-server-consul.pem";
+        source = cfg.server-cert;
+      };
+      consul-server-cert-key = {
+        # Consul Server Certificate Key
+        target = "consul.d/certs/samfelag-server-consul-key.pem";
+        source = cfg.server-cert-key;
+      };
    } else {
      consul-client-cfg = {
        # Client config
@@ -70,6 +92,23 @@ in
      };
    });

+    # --- Secrets ---------------------------------
+
+    age.secrets = {
+      "consul.d/gossip.json" = {
+        file = ../../secrets/consul.d/gossip.json.age;
+        owner = "consul";
+        group = "consul";
+        mode = "644";
+      };
+      "consul.d/consul-agent-ca.pem" = {
+        file = ../../secrets/consul.d/consul-agent-ca.pem.age;
+        owner = "consul";
+        group = "consul";
+        mode = "644";
+      };
+    };
+
    # networking.firewall.allowedTCPPorts = [ 22 ];
  };
 }
--- a/modules/server/nomad.nix
+++ b/modules/server/nomad.nix
@@ -20,6 +20,9 @@ in
      enable = true;
      extraSettingsPaths = [ "/etc/nomad.d" ];
    };
+
+    # --- Config files ---------------------------------
+
    environment.etc = {
      # Common configuration
      nomad-common-cfg = {
@@ -44,6 +47,15 @@ in
      };
    };

+    # --- Secrets ---------------------------------
+
+    age.secrets = {
+      "nomad.d/consul-token.json" = {
+        file = ../../secrets/nomad.d/consul-token.json.age;
+        mode = "644";
+      };
+    };
+
    # networking.firewall.allowedTCPPorts = [ 22 ];
  };
 }
--- a/secrets/consul.d/agent-token-reykjavik.json.age
+++ b/secrets/consul.d/agent-token-reykjavik.json.age
--- a/secrets/consul.d/agent-token-thingvellir.json.age
+++ b/secrets/consul.d/agent-token-thingvellir.json.age
--- a/secrets/consul.d/consul-agent-ca-key.pem.age
+++ b/secrets/consul.d/consul-agent-ca-key.pem.age
@@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 GWuf0Q MD7uGzKIk90mRQJVI/HKk9MMbI3HwkwwKEoLc/R8qyQ
+m2K5DUI+O+ufDWl1faCwR+9nA8vxAQW5pptwgEhzMJI
+--- JkkPxFdtVCa3MQqLCpJ7GBajuyQAyHjwr6fbCV81qdA
+6Jèü‚J´Ïå7DÔYb¥@—¨3z´9WnÅC‰R4Hò-´ÄÒš	{Fo -ºZ£J
+J¡âšDaœ´Ž~‘ßÊDLy¡\rºE¯GAÀ‘œ„bªfj`£!Sfi+÷w4‘†£f¨•Aâ<>çç1y‚ìè¸ûÚe»2`¢öL>Â%ƒé€'oóÞÂ"'é”hÔµä;3Z‰å§‘H•ëìPaÐó@´×ÎŠO¶0[¸¯¢ŠVIî‘|5þºcƒåÖSªÈ—ßó#Ú3U2|,+Z«2BºaªX*—Þ0Ÿ q¬¢R‚g¨ðl£ÏãûP‡z†5„D*#È×m¿
--- a/secrets/consul.d/consul-agent-ca.pem.age
+++ b/secrets/consul.d/consul-agent-ca.pem.age
--- a/secrets/consul.d/gossip.json.age
+++ b/secrets/consul.d/gossip.json.age
--- a/secrets/consul.d/samfelag-server-thingvellir-key.pem.age
+++ b/secrets/consul.d/samfelag-server-thingvellir-key.pem.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 GWuf0Q rk/mFir7HPBGZQnjEXkkC1W4dYIykg4nyZO5Bre1X1w
+mSlOb7R0yGvN7tZpn7IJ1u+bdFmkq6aV49CiqsQVgb0
+-> ssh-ed25519 kNjiNQ ceVCk3ZC2MK51rz3sHH18mhehYwoBjexqGpx6VAtkRk
+vpTWwICA+aXfJPWY0Q0w14QgF9iy01aWgb7LJJcUiwc
+--- GePxJgGNDXcySj0cGXLsbdPDC6BuH5kynzaIkKpDCVw
+<EFBFBD>ô-3À‡\«²aQ¼úJPÿe^ˆyfâÓ“»kI$E®kPƒÝ®{Ž…™4{Ÿ¬ŠH»•(}½UÜ:gõneT°¥v8Ú|È„	½áîiÞr•@,1rMn!e”-‹žv +¼(æAÚ¸mÔú;µßé¤9:y$¦[»	×Õ({jDlß1iR„~6aó=„/cÕH’‚8ýQa.EX½W‹•r©<72>ß¨ÙLS“c4Œž¶#¹="%TÓ(±Â‡±Ö„»ŸCH5qY¢=jvÎ)%Eö<>¦orÕÑ›yø<ö}<7D>DÂß´Ï1[×ŽluyN'4<>åæLõóOA?àha´
--- a/secrets/consul.d/samfelag-server-thingvellir.pem.age
+++ b/secrets/consul.d/samfelag-server-thingvellir.pem.age
--- a/secrets/nomad.d/consul-token.json.age
+++ b/secrets/nomad.d/consul-token.json.age
@@ -1,9 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 GWuf0Q xVuLRTTmTLzFJKyh9RIdq0ZEgoIc6lQs4TlQ9ypb6As
-TtblfYeBV1RpE8717ShUFh2wLmM5K5PviOVr0EyG4Qk
-> ssh-ed25519 zhVGHw hD2BDVwJMT1nQKvqFU04ih71pFhweIXK9+gk5KzbfGY
-KmyxI4yLdlnbvAbENN9bLHFNpB8Hz6EVCLeQNsaHEho
-> ssh-ed25519 kNjiNQ 0WpE6n5Cu0F/r0LOpWV8DKtx90xssu6rA706/D0I+Q0
-nCSLiH6A5jsne2Z4tLq05EA3FDYThPvavJqtn4LfO5I
--- qtwiXJDiyOdy3XRMZLdwEWdDkpHVn+COhqmHR86cDJM
-ž3…ô<EFBFBD>0Üàâl½¹Çë’ëÞ¨UÈ»Ç’¥-B<>©²fuÇZ#.´ñµ^q¢™<C2A2>ÒåTyi8Ç=ÂÈð\ße'ðY„¤ôKÐ¯®É¸)g ´<1E>SvýÅ7ÇÔ[®Ì"&ó.H“éÝ·ÖÉþ8ôò]í	¨˜‚xµg_þßÐjÆ
+-> ssh-ed25519 GWuf0Q /wrzzNrN9a2vClZgXvEOVVbH2gYBbVZusrctTJBCOgs
+e1++RnaBdjxb4nFRfRyzWbF+WVOMXXdwxM+jFEmW2JA
+-> ssh-ed25519 zhVGHw 0j9Bpte/gSXNP4hvVGLFNVQe5U7gi74T0U6bh9MKyG4
+pePoX2imP6a9KE8jA0pTw9RgtQ+jCoo+Co9GZTmpY64
+-> ssh-ed25519 kNjiNQ WbUvxmW6MSYBUrpzVgabst/j4y9Jra/osVpPkmo6tHM
+2NpznkHXxCR+f9zQ6GXu7Za5QGucGH4Gd7dZneG/R5c
+--- ku5kAmF+qTUAlyzlEX4ANNd+g86+dJ33R50umNUma3A
+‡š`ÔlMq-:UáéŸe+ëÈëúß„•ÂY<>BÖ¨úp&0›¯ºcëjÃm²O˜«ò©í
+?
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -19,6 +19,12 @@ in
  # -- Consul -------------------------------
  "consul.d/gossip.json.age".publicKeys = samfelag-hosts;
  "consul.d/consul-agent-ca.pem.age".publicKeys = samfelag-hosts;
+  "consul.d/consul-agent-ca-key.pem.age".publicKeys = reykjavik;
+
+  # Server certificates
+  "consul.d/samfelag-server-thingvellir-key.pem.age".publicKeys = thingvellir;
+  "consul.d/samfelag-server-thingvellir.pem.age".publicKeys = thingvellir;
+
  # Agent tokens
  "consul.d/agent-token-reykjavik.json.age".publicKeys = reykjavik;
  "consul.d/agent-token-thingvellir.json.age".publicKeys = thingvellir;