From a09aedab3f735aed00234c53f650505a334e3724 Mon Sep 17 00:00:00 2001 From: marc Date: Tue, 13 Feb 2024 00:07:13 +0100 Subject: [PATCH] Added consul server config --- config/consul.d/server.json | 4 +- docs/consul.org | 12 ++++++ hosts/reykjavik/secrets.nix | 18 -------- hosts/thingvellir/default.nix | 3 ++ hosts/thingvellir/hardware.nix | 6 +++ hosts/thingvellir/secrets.nix | 26 +++++------- modules/server/consul.nix | 39 ++++++++++++++++++ modules/server/nomad.nix | 12 ++++++ .../consul.d/agent-token-reykjavik.json.age | Bin 364 -> 364 bytes .../consul.d/agent-token-thingvellir.json.age | Bin 474 -> 474 bytes secrets/consul.d/consul-agent-ca-key.pem.age | 6 +++ secrets/consul.d/consul-agent-ca.pem.age | Bin 1510 -> 1510 bytes secrets/consul.d/gossip.json.age | Bin 498 -> 498 bytes .../samfelag-server-thingvellir-key.pem.age | 7 ++++ .../samfelag-server-thingvellir.pem.age | Bin 0 -> 1302 bytes secrets/nomad.d/consul-token.json.age | 17 ++++---- secrets/secrets.nix | 6 +++ 17 files changed, 112 insertions(+), 44 deletions(-) create mode 100644 secrets/consul.d/consul-agent-ca-key.pem.age create mode 100644 secrets/consul.d/samfelag-server-thingvellir-key.pem.age create mode 100644 secrets/consul.d/samfelag-server-thingvellir.pem.age diff --git a/config/consul.d/server.json b/config/consul.d/server.json index b49445f..716357e 100644 --- a/config/consul.d/server.json +++ b/config/consul.d/server.json @@ -9,8 +9,8 @@ "verify_incoming": true, "verify_outgoing": true, "ca_file": "/etc/consul.d/certs/consul-agent-ca.pem", - "cert_file": "/etc/consul.d/certs/samfelag-server-consul-0.pem", - "key_file": "/etc/consul.d/certs/samfelag-server-consul-0-key.pem" + "cert_file": "/etc/consul.d/certs/samfelag-server-consul.pem", + "key_file": "/etc/consul.d/certs/samfelag-server-consul-key.pem" }, "internal_rpc": { "verify_server_hostname": true diff --git a/docs/consul.org b/docs/consul.org index b8efafc..6a416db 100644 --- a/docs/consul.org +++ b/docs/consul.org 
@@ -1,4 +1,16 @@ #+title: Consul +* Server setup +** Create a server keypair +Decrypt the CA (from the agenix secrets) +#+begin_src bash +agenix -i ~/.ssh/id_reykjavik -d consul.d/consul-agent-ca.pem.age > ~/tmp/consul-agent-ca.pem +agenix -i ~/.ssh/id_reykjavik -d consul.d/consul-agent-ca-key.pem.age > ~/tmp/consul-agent-ca-key.pem +#+end_src +Create the keypair using consul: +#+begin_src bash +nix-shell -p consul +consul tls cert create -server -dc samfelag +#+end_src * ACLs ** Policies *** Node Policy diff --git a/hosts/reykjavik/secrets.nix b/hosts/reykjavik/secrets.nix index c81f98a..afc14d2 100644 --- a/hosts/reykjavik/secrets.nix +++ b/hosts/reykjavik/secrets.nix @@ -2,29 +2,11 @@ { age.secrets = { - # Consul ------------------------------- - "consul.d/gossip.json" = { - file = ../../secrets/consul.d/gossip.json.age; - owner = "consul"; - group = "consul"; - mode = "644"; - }; - "consul.d/consul-agent-ca.pem" = { - file = ../../secrets/consul.d/consul-agent-ca.pem.age; - owner = "consul"; - group = "consul"; - mode = "644"; - }; "consul.d/agent-token-reykjavik.json" = { file = ../../secrets/consul.d/agent-token-reykjavik.json.age; owner = "consul"; group = "consul"; mode = "644"; }; - # Nomad ------------------------------- - "nomad.d/consul-token.json" = { - file = ../../secrets/nomad.d/consul-token.json.age; - mode = "644"; - }; }; } diff --git a/hosts/thingvellir/default.nix b/hosts/thingvellir/default.nix index df6ce59..b767002 100644 --- a/hosts/thingvellir/default.nix +++ b/hosts/thingvellir/default.nix @@ -45,7 +45,10 @@ with lib; # - Server ---------------------------------- server.consul = { enable = true; + server = true; agent-token = config.age.secrets."consul.d/agent-token-thingvellir.json".path; + server-cert = config.age.secrets."consul.d/consul-server-thingvellir.pem".path; + server-cert-key = config.age.secrets."consul.d/consul-server-thingvellir-key.pem".path; }; server.nomad = { enable = true; 
diff --git a/hosts/thingvellir/hardware.nix b/hosts/thingvellir/hardware.nix index 8d24782..f928552 100644 --- a/hosts/thingvellir/hardware.nix +++ b/hosts/thingvellir/hardware.nix @@ -17,6 +17,12 @@ device = "/dev/disk/by-label/nixos"; fsType = "ext4"; }; + + "/mnt/vatnajokull" = { + device = "vatnajokull:/mnt/raid1"; + fsType = "nfs"; + options = [ "x-systemd.automount" "noauto" "noatime" "x-systemd.idle-timeout=600"]; + }; }; swapDevices = [ diff --git a/hosts/thingvellir/secrets.nix b/hosts/thingvellir/secrets.nix index b9b3520..212ae42 100644 --- a/hosts/thingvellir/secrets.nix +++ b/hosts/thingvellir/secrets.nix @@ -2,29 +2,23 @@ { age.secrets = { - # Consul ------------------------------- - "consul.d/gossip.json" = { - file = ../../secrets/consul.d/gossip.json.age; - owner = "consul"; - group = "consul"; - mode = "644"; - }; - "consul.d/consul-agent-ca.pem" = { - file = ../../secrets/consul.d/consul-agent-ca.pem.age; - owner = "consul"; - group = "consul"; - mode = "644"; - }; "consul.d/agent-token-thingvellir.json" = { file = ../../secrets/consul.d/agent-token-thingvellir.json.age; owner = "consul"; group = "consul"; mode = "644"; }; - # Nomad ------------------------------- - "nomad.d/consul-token.json" = { - file = ../../secrets/nomad.d/consul-token.json.age; + "consul.d/consul-server-thingvellir.pem" = { + file = ../../secrets/consul.d/consul-server-thingvellir.pem.age; + owner = "consul"; + group = "consul"; mode = "644"; }; + "consul.d/consul-server-thingvellir-key.pem" = { + file = ../../secrets/consul.d/consul-server-thingvellir-key.pem.age; + owner = "consul"; + group = "consul"; + mode = "600"; + }; }; } diff --git a/modules/server/consul.nix b/modules/server/consul.nix index 50ab59b..b4f3233 100644 --- a/modules/server/consul.nix +++ b/modules/server/consul.nix 
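Review bot: The new `/mnt/vatnajokull` NFS mount of `vatnajokull:/mnt/raid1` is unrelated to the Consul server change named in the subject line and would be easier to review and to revert as its own commit. Its option list pins neither the protocol version nor the security flavour, so the client negotiates whatever the server offers and defaults to AUTH_SYS (`sec=sys`), in which the server trusts the UIDs the client asserts; if that is not the intent, add an explicit entry such as `"nfsvers=4.2"` and a `sec=` value (e.g. `sec=krb5` where Kerberos is available) to the options list. The `fileSystems` attribute set this hunk extends starts outside the hunk.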
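Review bot: The two added `file =` paths in hosts/thingvellir/secrets.nix point at `../../secrets/consul.d/consul-server-thingvellir.pem.age` and `../../secrets/consul.d/consul-server-thingvellir-key.pem.age`, but the files this commit creates (per the diffstat and the secrets/secrets.nix hunk) are `samfelag-server-thingvellir.pem.age` and `samfelag-server-thingvellir-key.pem.age`, so evaluating the thingvellir host should fail on a non-existent path. The attribute names `consul.d/consul-server-thingvellir.pem` / `-key.pem` match what hosts/thingvellir/default.nix reads, so only the two file lines need to change: `file = ../../secrets/consul.d/samfelag-server-thingvellir.pem.age;` and `file = ../../secrets/consul.d/samfelag-server-thingvellir-key.pem.age;`. Giving the key `mode = "600"` and the certificate `"644"`, both owned by `consul`, looks right.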
@@ -19,6 +19,16 @@ in description = "Agent token config file (should be secret)"; }; + server-cert = lib.mkOption { + type = lib.types.str; + description = "Server certificate (should be secret)"; + }; + + server-cert-key = lib.mkOption { + type = lib.types.str; + description = "Server certificate key (should be secret)"; + }; + }; config = lib.mkIf cfg.enable { services.consul = { @@ -30,6 +40,8 @@ in }; }; + # --- Config files --------------------------------- + environment.etc = { consul-agent-ca = { # Consul agent CA @@ -62,6 +74,16 @@ in target = "consul.d/server.json"; source = ../../config/consul.d/server.json; }; + consul-server-cert = { + # Consul Server Certificate + target = "consul.d/certs/samfelag-server-consul.pem"; + source = cfg.server-cert; + }; + consul-server-cert-key = { + # Consul Server Certificate Key + target = "consul.d/certs/samfelag-server-consul-key.pem"; + source = cfg.server-cert-key; + }; } else { consul-client-cfg = { # Client config @@ -70,6 +92,23 @@ in }; }); + # --- Secrets --------------------------------- + + age.secrets = { + "consul.d/gossip.json" = { + file = ../../secrets/consul.d/gossip.json.age; + owner = "consul"; + group = "consul"; + mode = "644"; + }; + "consul.d/consul-agent-ca.pem" = { + file = ../../secrets/consul.d/consul-agent-ca.pem.age; + owner = "consul"; + group = "consul"; + mode = "644"; + }; + }; + # networking.firewall.allowedTCPPorts = [ 22 ]; }; } diff --git a/modules/server/nomad.nix b/modules/server/nomad.nix index 72b9091..7c2ae74 100644 --- a/modules/server/nomad.nix +++ b/modules/server/nomad.nix @@ -20,6 +20,9 @@ in enable = true; extraSettingsPaths = [ "/etc/nomad.d" ]; }; + + # --- Config files --------------------------------- + environment.etc = { # Common configuration nomad-common-cfg = { 
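Review bot: The description of the new `server-cert` option, "Server certificate (should be secret)", is misleading: the certificate is public material and only `server-cert-key` needs protecting, which is also how hosts/thingvellir/secrets.nix treats them (`644` vs `600`); suggest `description = "Path to the server certificate (public; the key is the secret part)";`. Both options are `lib.types.str` with no default, so they are effectively mandatory even on client hosts, and if anything outside the server-only branch ever reads them the client evaluation breaks with an unhelpful "option used but not defined" error; `lib.types.nullOr lib.types.str` with `default = null;` plus an assertion that they are set when `cfg.server` is true (presumably the option that `server = true;` in hosts/thingvellir/default.nix sets) would make the contract explicit. The enclosing `options` set starts outside the hunk.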
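Review bot: The `age.secrets` block moved into this module installs `consul.d/gossip.json` (the gossip encryption key) with `mode = "644"`, so every local user on each host can read it; since `owner`/`group` are already `consul`, `mode = "640";` (or `"600"`) keeps it readable by the agent only and matches the `600` the server key gets in hosts/thingvellir/secrets.nix. The same applies to the `nomad.d/consul-token.json` entry added in the modules/server/nomad.nix hunk, which sets no owner at all and so becomes a root-owned, world-readable Consul ACL token; unless nomad runs as a non-root user that needs it, `mode = "600";` suffices there. The `config = lib.mkIf cfg.enable { … }` set these blocks live in starts and ends outside the hunk.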
@@ -44,6 +47,15 @@ in }; }; + # --- Secrets --------------------------------- + + age.secrets = { + "nomad.d/consul-token.json" = { + file = ../../secrets/nomad.d/consul-token.json.age; + mode = "644"; + }; + }; + # networking.firewall.allowedTCPPorts = [ 22 ]; }; } diff --git a/secrets/consul.d/agent-token-reykjavik.json.age b/secrets/consul.d/agent-token-reykjavik.json.age index f292dfa33de50e31cf64deb71b0688a7921875b9..67b184586ee8933ae7579907c547d0a2f5b340c6 100644 GIT binary patch delta 329 zcmV-P0k;0^0_*~iEPqTdHDy;?YEVU4HCb^qa7b%2XIep3T10a*X=O4+X=idnaCS2? zX<0QwV+vJ8cyKawOm|d9Sa41a#l=ZMt^#7K~GL}M^Os=1Jg0x zdOmvSn|x{h8mvb6$l1JCWPYRxuy31~z&!R4SXRaTWgR4G%@ngKgqBKbC`)EBVXVL! z*3t?trcDQR2k3k@P}>EnCfC39xrSqXPjB_`oBdl`@r~dkV4>k_|7=2B$!>cKivYk=4(AoJ+Js(RUu2!wg0>h(k zO;veUMGA0MNM&_lGdM$TG)s7FGAm1Aa#Kufc}a9_M{sgzVM1(Tbx%)CVsJ`LO$se7 zEg(fsO-FWXWH2%_O;a&;b!=2uSXz2{LwRjAQ&?elVRTkCZGT2pVNrNwX+a9%dO$_% z6n>XSt-V5l`wy^Hu z2rOfq<%=%)qkx*Se)5P(GvVLYz*&h>F6?;R6P1LbwZh*Rx&x*4o4Z?=$a5P7)24P_ zuC6I2V*YZ8m_moOB{h7Xm^WX_j{p$1NHw{n%PC!P8icW8Wlst9+@Eb0N!c-lng_;s b$$#%U4x5QTG*eYUb!0Vbcz;4QZ%%J_PginBPC`+0 zaCU4@a5y(wFKA9MOa8zG%$BDb9PQ{YdA}2Oj&X^O-g!5S4K*BOgL3RL`73D zY*lkO3N0-yAa6xbYjjdIQ)FguS21rdOG!a7M=(n^FiL51V{S$=FflS=FhN#zNpVeM z3b7>n9Ox5rmwzdiz?L=amv~wM>g)y}PNM z;dmn>_#P?+G<6@mu0Gn9gUHF<%x#lZGC4*yD`rM-P&G?!YYHts zAaiqQEoEdfH8n9gAZt!)X--ifYEw!eia#=PqD^++^Wm+#}W>!peFm+UFGAn0k zcXVq_3N0-yAaZX=H%2)|VlzT9Y-4s)X+&>LFJ&=yLv2P7z((yQJ8 diff --git a/secrets/consul.d/consul-agent-ca-key.pem.age b/secrets/consul.d/consul-agent-ca-key.pem.age new file mode 100644 index 0000000..de605f7 --- /dev/null +++ b/secrets/consul.d/consul-agent-ca-key.pem.age @@ -0,0 +1,6 @@ +age-encryption.org/v1 +-> ssh-ed25519 GWuf0Q MD7uGzKIk90mRQJVI/HKk9MMbI3HwkwwKEoLc/R8qyQ +m2K5DUI+O+ufDWl1faCwR+9nA8vxAQW5pptwgEhzMJI +--- JkkPxFdtVCa3MQqLCpJ7GBajuyQAyHjwr6fbCV81qdA +6JJ7DYb@3z9WnC R4H-Қ {Fo -ZJ +JDa~DLy\rEGAbfj`!Sfi+w4fA1ye2`L>%'o"'hԵ;3ZHPa @ΊO0[VI|5cSȗ#3U2|,+Z2BaX*0qRglPz5D*#m \ No newline at end of file 
diff --git a/secrets/consul.d/consul-agent-ca.pem.age b/secrets/consul.d/consul-agent-ca.pem.age index fcb06a49286c223d9ac1f762eb513e656b969340..fffbeeff469676d8f2cc2a676c2ad32be8f43edd 100644 GIT binary patch delta 1464 zcmV;p1xNbk3+4-uEPrTEWNJuxQd&uQF-dM?S~7KWYBVc1aWP6cWN}ANX;@1{P**Qm zW>POONeV_QPEBq}VM$9^XHa)AL`QRIbumLUNlq&-ZfbB^M0aFwI74t$dR8|yQ3@?S zAaiqQEoEdfH8n9gAbMz4M@V-dLpXF-N@OomZ)RmkFLpOVL`E}ES8hRMS4MegY-~k$ zPj@&pSxHTGZ#P133PgHHb2d^nZB%bqSWr()XICqEb5T`iI9Et|W>I%}R5(OVcu#ap zYAaB4k?|LQaxYdYMOQOZLvJ;Dbt^AfIZ#0{QZa2SW@1)|UNs(FKBcW~S zUK@&k;-N0>S4jC0e}Nh{rH~T@9?aeBjm$&WUgRnB-d}CaYufaoDbvGZwuwNx&{nve zShsggo7OMDvilBToNyK{$EAW`^zYw3iZd$BtPea+P zZk{p(m-SiVXJ&mbgk$e(FrTyYP3p5xg>92fpPgWnu9J6dJfL^V{Nc% zX-VhCnY@_!+gLxX43o&WK=)1_;$iv=Qo zxc+hW!vs6=VnuWfy)Dx{P?wry2w$MgvR;qRr-p;&UP$XC(3cC(XsL-2ZVx$cj=Fy_ zOFYlZQIS+zw{$%;acJ1mZfUdM`TM$Z0Qh8HYfFl(+L%h)Ic2ow6-{yiU$4o$w?Gk% z1P`j%{6gt3?&-=J~U4jDdN@cgdCR$ax4rL z*gY(}A7U_$=qEXh7Vdsv+gzPUTQb{NIB+iW08L4aOzD>*q0@j8qqIDGtNwU@SX6-O zvPpVhq|;A8ae`=MvgmQgbABYaOF;b^Q7OgMzOVq#Y?J1#?{%oqs{=eoWmiDkM(}Pr zsYU11*hzy|D#-*#4Z9)ONCmPDv)1lVm@=J>kF9QR8fVsAGYQ=~dgsvs8r7vCTaTBa zXklu`Sp>`RK4&LS!r0ISN2Mlz;^{3u=CypC<7@_x#|4R-!^@5{t!Z~~uu3tz6a`*_ zUbO7QaKJGJ{Csh$-um!7ON-^SfA&@Z{QWQniWim%U6~_f@TEn>?J#=_zj&TC|;}6-&<~maP)@(3#MUc<^jEa5_re$^rTD7)33Ah?;qRdIUfY zwpu4tL#4j8p4T4Tcl$Bvik);AlFByUULt zhgm1wzFWb!#^(H84R-XL&?7L`6tfH%?SiN=HFxbwO1@b#8S* zbxwIlGzv##dNDyrNl#)qXDe|pHc(JVOEyt!P)JH?GEHz!Gb>VTXL&btT5xDMYYHts zAaiqQEoEdfH8n9gAbMz4M@V-dbvROSZcH^dF;{C+Z*FQ#Ge%l!a5hT)HO-6P_ zQffI%Q8O`EXJ|w?3PWRdSa)T4W^gq&Fi|U2PflS-FitjNHF`lcL{v{pZ%->#Vp2m( zZg@9mk?|LQa7lSJczHEzGGjM+Wo>j;b22%3M_6uUY*tBkGFoI-T5fV`Vlz=zOH+3W zGDuBRPfcq=Ye7&@b5?mXWL8&HL~B|^RYgHGHbQnYc4$gvGk0cmD{XfQEiEk|Yh`a( zRa91MWluw9K}b(zXmCY1I8s+Na#=SvGi*~ybxvb{K{RksSvhK13aZPNc6sfHVfThc zv~QPt9)s@@bl*b6j+iKIdaW{9!rd~_V z-fvfbt<+jM0BL7Af)2QDt|7-TPJ%*M$fQN=h;MdiZnq1JU|9Yjza>rwB~}KKvKfj7 zknk1@v_bh2;*J$y`u)wzWu5P=R&t+2dk0cOmT?7OZY@3?qvZk&(EKqqV`MY){%oBo z=mNGb&CGw{%9HxK=8}apdIZjZCsoE&+qJjDli*@Yx 
zNR1m^N7@tf82P9q%opS@DT>xqtRCe)%xxawR!0V=nUY_WD()I{a{~>08_Wvv*5+mx#~4g`?ri>0Fdujcu(f=_)#0TV90er zsf^)n8*UoSUOM;PyYAjk@J@Mc7yK8`oV8 zpZr2PHzutzGWx7o#T^ks2f_k49bZP`cTwgWDd$|K)`#G2s{0I97L&fFK~Opk(|#Hrt#(xV=acIK6W8jz@Ev zNnd+t3G&KQgv)u-1^}oWKBG~88QgclHrf(6L*`ol$-puvuhYf3hKoZvaZ^cF#GH&1 zVa7z{S*s8*pKtpYI3&IB$LI+Kl`D6?C$(z=9EFK@s2FHcPdaJG?pu7CJ4qf9P+B(A zHqd((L}^39a7F`uooIP0I2Cm8pyM}b_zXWQAZ%=+)Mn<93Lji*M!-aWx!cYbnPCfB zt9-stl3~2AZTZ|0_PGB8MLyx-l?b2e;4-YEci|nPL_qtyB@{*~GDrOonJi%s*uJV) zmE;2OZvw~EZzEArTwc04vh+b2n$rOUX~a#wEFI|qF$^an?^2yTQ1D{7Mkx4KJu+og z(mCO$ZW|vB1Pi0R*5M&%nF+1Kev-~*=iLW7Qe+m@x(o@~piU0QCDyKze6tg-k`CQHbTj|R!E~n=!tw-76<$2N+F&pqzQmG`+1(YsY-43YUQZ diff --git a/secrets/consul.d/gossip.json.age b/secrets/consul.d/gossip.json.age index 97d6681f4a022c0e54a2a0196e21f536b3e2e1f8..f57e3dcfbe5e7a7bac162a146f778975fc484ddc 100644 GIT binary patch delta 444 zcmV;t0Ym=s1M&lqEPp{yXIf%XNN93WFhO!^ICO4oXm58gWppq}Qa5ifZ%%naIA}Rg zSTtrrSqf28ODjTRFE(Q3Rp-_cUXB+M>9@!dTV-GG=6v#&Q1nTN6rWm^C=3LI6O@&7}CSe<5?mlM*4795+8*!3DCJ`OnrpcYFY m9PFo^zfEmVecCY@JzOLK6}M!qRf5hkBIoQS>VNYQb<5XfL+ww6mhM4$e?y3dVeEa9RasUyNl!xgI#lz9 z1i&y1b{0-yA$~6-5 z?*BS2{U1NSZASbneEq$A>&@Af=bOt9*5?QF*Y_^Aw!S3Z`rgOMwUd9#OMgGP-;chI km-dY_%YSzI?)uBi7aoI$TKwn5+k;1kI3%5{?jAk-4>OgZ`2YX_ diff --git a/secrets/consul.d/samfelag-server-thingvellir-key.pem.age b/secrets/consul.d/samfelag-server-thingvellir-key.pem.age new file mode 100644 index 0000000..d090129 --- /dev/null +++ b/secrets/consul.d/samfelag-server-thingvellir-key.pem.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 GWuf0Q rk/mFir7HPBGZQnjEXkkC1W4dYIykg4nyZO5Bre1X1w +mSlOb7R0yGvN7tZpn7IJ1u+bdFmkq6aV49CiqsQVgb0 +-> ssh-ed25519 kNjiNQ ceVCk3ZC2MK51rz3sHH18mhehYwoBjexqGpx6VAtkRk +vpTWwICA+aXfJPWY0Q0w14QgF9iy01aWgb7LJJcUiwc +--- GePxJgGNDXcySj0cGXLsbdPDC6BuH5kynzaIkKpDCVw +-3\aQJPe^yfkI$EkPݮ{4{H(}U:gneTv8|Ȅ ir@,1rMn!e-v +(Aڸm;9:y$[ ({jDl1iR~6a=/cH8Qa.EXWrߨLSc4#="%T(‡քCH5qY=jvέ)%Eorћy<}Dߴ1[׎luyN'4LOA?ha \ No newline at end of file 
diff --git a/secrets/consul.d/samfelag-server-thingvellir.pem.age b/secrets/consul.d/samfelag-server-thingvellir.pem.age new file mode 100644 index 0000000000000000000000000000000000000000..0fed76992db043bc73facf0b782224100ccf885b GIT binary patch literal 1302 zcmV+x1?l=>XJsvAZewzJaCB*JZZ24-FjZApPgY|}R5(UqVOKduR$^#T3Uqfg zY*jC2YDz0%S~fOAWpqU=ZFEaxNjWiAMl^3ja&u})HAZt-Lr_jx3N0-yAWunJD??C2 zICNJ_WH4zkQ(7=iY-M(DFE(0LRZTc6c4Km7Q%h)4YHDds3aoCEu2B4q)Bzl2z({cg zi^4{~a+DW*hBPMt{DquP(yr@-(*gAOzEDJ6CN*86^J>@a3};PMlDt-Dv>9EL;Dh^YeQziB>2J^UsfY}|S6XdA_hrFw;&NN%p> z^{Skf?*w7^0E0(EF$%WqM$3l%&{1^{IF0X!u59OYnrD-a13!hAeg$=N6%KyUw^Zrs z7uH2XR!Z0NOWaz@+rj3;_FOpR8(-{2pgWCaU`BA}^q+7sZX|Ktlj_S9r0ip8J=&{M zN;Hvz>9X|OAM_OZsqeDrnJ>NJ$e4%6k?mt*k)^sZ`P3dP_D4kjVYm}q3)~p29*Z8r zIx;wei=W36H#pMq7K6!vEVQ8Wbv#zZ^wERcj$6pp+%u}9n#{9vB;>l8heh<>2r6B$ zA;R^2l>(+EB0+;qim-Pw1T^T+GVp^`x!!xmIyB%8KP&BqYD=XE6;PS7V$> zFffk1wcq~=KVFrqyJ&X9sEcT{SgxWP(Q4Fz)cmQiv!T&aN81Z4o>*vP_(JTbj-TR7 zMZnK0&Vr&Ebv@NI1it){EYFrZDdAu$iZ!txg6;5!=1Q*#U2j$RIT5hzj2#0-m~JB% zwa5Zlol#oCB?uucB0=GhcCANy!$9uM7d2f&++C}aj5VIRupL2;mWpR~^0{|d91^LY zEr_!5C%Ax8Gc!doO-j#zg(EY761LyAWSuamP{f;+fTPqH`zGcM2B-k;51Mt>eMt29 zJ{HUZ#kbRR5hF|&VBeq74HEEI{~P)zgP^r}!@GS9jau0$^@69p@OtnjJ6pEFpU2pi zG20RBeAP@%sO~{z>zu||F6m=UY+*izjFWL(Zvpy_!^g@qoC=s{~^^MW)%z)b@RwR&wN$#hl zsuDqlY12~S?+qw;m{5qBI5xZfkpW}Dmu@U^RG#PDdj~&(;0XwIAHGa@^^76--HseJ Mp{~Rikkq-pt+7j9KL7v# literal 0 HcmV?d00001 diff --git a/secrets/nomad.d/consul-token.json.age b/secrets/nomad.d/consul-token.json.age index e7d123a..21adaa9 100644 --- a/secrets/nomad.d/consul-token.json.age +++ b/secrets/nomad.d/consul-token.json.age 
@@ -1,9 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 GWuf0Q xVuLRTTmTLzFJKyh9RIdq0ZEgoIc6lQs4TlQ9ypb6As -TtblfYeBV1RpE8717ShUFh2wLmM5K5PviOVr0EyG4Qk --> ssh-ed25519 zhVGHw hD2BDVwJMT1nQKvqFU04ih71pFhweIXK9+gk5KzbfGY -KmyxI4yLdlnbvAbENN9bLHFNpB8Hz6EVCLeQNsaHEho --> ssh-ed25519 kNjiNQ 0WpE6n5Cu0F/r0LOpWV8DKtx90xssu6rA706/D0I+Q0 -nCSLiH6A5jsne2Z4tLq05EA3FDYThPvavJqtn4LfO5I ---- qtwiXJDiyOdy3XRMZLdwEWdDkpHVn+COhqmHR86cDJM -30lިUȻǒ-BfuZ#.^qTyi8=\e'YKЯɸ)g Sv7["&.Hݷ8] xg_j #BJg+GCD. \ No newline at end of file +-> ssh-ed25519 GWuf0Q /wrzzNrN9a2vClZgXvEOVVbH2gYBbVZusrctTJBCOgs +e1++RnaBdjxb4nFRfRyzWbF+WVOMXXdwxM+jFEmW2JA +-> ssh-ed25519 zhVGHw 0j9Bpte/gSXNP4hvVGLFNVQe5U7gi74T0U6bh9MKyG4 +pePoX2imP6a9KE8jA0pTw9RgtQ+jCoo+Co9GZTmpY64 +-> ssh-ed25519 kNjiNQ WbUvxmW6MSYBUrpzVgabst/j4y9Jra/osVpPkmo6tHM +2NpznkHXxCR+f9zQ6GXu7Za5QGucGH4Gd7dZneG/R5c +--- ku5kAmF+qTUAlyzlEX4ANNd+g86+dJ33R50umNUma3A +`lMq-:Ue+YB֨p&0cjmO +? | % cyi( ,V{D74Z:SKūrI%{w a}~Wo3d?d?,ȵOi \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index f059f09..8859936 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -19,6 +19,12 @@ in # -- Consul ------------------------------- "consul.d/gossip.json.age".publicKeys = samfelag-hosts; "consul.d/consul-agent-ca.pem.age".publicKeys = samfelag-hosts; + "consul.d/consul-agent-ca-key.pem.age".publicKeys = reykjavik; + + # Server certificates + "consul.d/samfelag-server-thingvellir-key.pem.age".publicKeys = thingvellir; + "consul.d/samfelag-server-thingvellir.pem.age".publicKeys = thingvellir; + # Agent tokens "consul.d/agent-token-reykjavik.json.age".publicKeys = reykjavik; "consul.d/agent-token-thingvellir.json.age".publicKeys = thingvellir;
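Review bot: `"consul.d/consul-agent-ca-key.pem.age".publicKeys = reykjavik;` encrypts the CA signing key to the same recipient list used for that host's agent token; if `reykjavik` (defined above the hunk) contains the host's own SSH key rather than only an admin identity, anyone with root on that host can decrypt the key and mint certificates trusted by every agent. Consider a separate admin-only list for it, e.g. `"consul.d/consul-agent-ca-key.pem.age".publicKeys = consul-ca-admins;` (name constructed) holding just the `~/.ssh/id_reykjavik` public key that docs/consul.org uses to decrypt it. The documented workflow also leaves the decrypted CA key in `~/tmp/`; that plaintext copy should be removed as soon as the server keypair has been created. The `secrets.nix` attribute set this hunk extends starts outside the hunk.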