Added consul server config

2024-02-13 00:07:13 +01:00
parent ae58914cc2
commit a09aedab3f
17 changed files with 112 additions and 44 deletions
--- a/modules/server/consul.nix
+++ b/modules/server/consul.nix
@@ -19,6 +19,16 @@ in
      description = "Agent token config file (should be secret)";
    };

+    server-cert = lib.mkOption {
+      type = lib.types.str;
+      description = "Server certificate (should be secret)";
+    };
+
+    server-cert-key = lib.mkOption {
+      type = lib.types.str;
+      description = "Server certificate key (should be secret)";
+    };
+
  };
  config = lib.mkIf cfg.enable {
    services.consul = {
@@ -30,6 +40,8 @@ in
      };
    };

+    # --- Config files ---------------------------------
+
    environment.etc = {
      consul-agent-ca = {
        # Consul agent CA
@@ -62,6 +74,16 @@ in
        target = "consul.d/server.json";
        source = ../../config/consul.d/server.json;
      };
+      consul-server-cert = {
+        # Consul Server Certificate
+        target = "consul.d/certs/samfelag-server-consul.pem";
+        source = cfg.server-cert;
+      };
+      consul-server-cert-key = {
+        # Consul Server Certificate Key
+        target = "consul.d/certs/samfelag-server-consul-key.pem";
+        source = cfg.server-cert-key;
+      };
    } else {
      consul-client-cfg = {
        # Client config
@@ -70,6 +92,23 @@ in
      };
    });

+    # --- Secrets ---------------------------------
+
+    age.secrets = {
+      "consul.d/gossip.json" = {
+        file = ../../secrets/consul.d/gossip.json.age;
+        owner = "consul";
+        group = "consul";
+        mode = "644";
+      };
+      "consul.d/consul-agent-ca.pem" = {
+        file = ../../secrets/consul.d/consul-agent-ca.pem.age;
+        owner = "consul";
+        group = "consul";
+        mode = "644";
+      };
+    };
+
    # networking.firewall.allowedTCPPorts = [ 22 ];
  };
 }
--- a/modules/server/nomad.nix
+++ b/modules/server/nomad.nix
@@ -20,6 +20,9 @@ in
      enable = true;
      extraSettingsPaths = [ "/etc/nomad.d" ];
    };
+
+    # --- Config files ---------------------------------
+
    environment.etc = {
      # Common configuration
      nomad-common-cfg = {
@@ -44,6 +47,15 @@ in
      };
    };

+    # --- Secrets ---------------------------------
+
+    age.secrets = {
+      "nomad.d/consul-token.json" = {
+        file = ../../secrets/nomad.d/consul-token.json.age;
+        mode = "644";
+      };
+    };
+
    # networking.firewall.allowedTCPPorts = [ 22 ];
  };
 }