Added consul server config

2024-02-13 00:07:13 +01:00
parent ae58914cc2
commit a09aedab3f
17 changed files with 112 additions and 44 deletions
--- a/config/consul.d/server.json
+++ b/config/consul.d/server.json
@@ -9,8 +9,8 @@
      "verify_incoming": true,
      "verify_outgoing": true,
      "ca_file": "/etc/consul.d/certs/consul-agent-ca.pem",
-      "cert_file": "/etc/consul.d/certs/samfelag-server-consul-0.pem",
+      "cert_file": "/etc/consul.d/certs/samfelag-server-consul.pem",
-      "key_file": "/etc/consul.d/certs/samfelag-server-consul-0-key.pem"
+      "key_file": "/etc/consul.d/certs/samfelag-server-consul-key.pem"
    },
    "internal_rpc": {
      "verify_server_hostname": true
--- a/docs/consul.org
+++ b/docs/consul.org
@@ -1,4 +1,16 @@
 #+title: Consul
 * Server setup
 ** Create a server keypair
 Decrypt the CA (from the agenix secrets)
 #+begin_src bash
 agenix -i ~/.ssh/id_reykjavik -d consul.d/consul-agent-ca.pem.age > ~/tmp/consul-agent-ca.pem
 agenix -i ~/.ssh/id_reykjavik -d consul.d/consul-agent-ca-key.pem.age > ~/tmp/consul-agent-ca-key.pem
 #+end_src
 Create the keypair using consul:
 #+begin_src bash
 nix-shell -p consul
 consul tls cert create -server -dc samfelag
 #+end_src
 * ACLs
 ** Policies
 *** Node Policy
--- a/hosts/reykjavik/secrets.nix
+++ b/hosts/reykjavik/secrets.nix
@@ -2,29 +2,11 @@
 {
  age.secrets = {
    # Consul -------------------------------
    "consul.d/gossip.json" = {
      file = ../../secrets/consul.d/gossip.json.age;
      owner = "consul";
      group = "consul";
      mode = "644";
    };
    "consul.d/consul-agent-ca.pem" = {
      file = ../../secrets/consul.d/consul-agent-ca.pem.age;
      owner = "consul";
      group = "consul";
      mode = "644";
    };
    "consul.d/agent-token-reykjavik.json" = {
      file = ../../secrets/consul.d/agent-token-reykjavik.json.age;
      owner = "consul";
      group = "consul";
      mode = "644";
    };
    # Nomad -------------------------------
    "nomad.d/consul-token.json" = {
      file = ../../secrets/nomad.d/consul-token.json.age;
      mode = "644";
    };
  };
 }
--- a/hosts/thingvellir/default.nix
+++ b/hosts/thingvellir/default.nix
@@ -45,7 +45,10 @@ with lib;
    # - Server ----------------------------------
    server.consul = {
      enable = true;
      server = true;
      agent-token = config.age.secrets."consul.d/agent-token-thingvellir.json".path;
      server-cert = config.age.secrets."consul.d/consul-server-thingvellir.pem".path;
      server-cert-key = config.age.secrets."consul.d/consul-server-thingvellir-key.pem".path;
    };
    server.nomad = {
      enable = true;
--- a/hosts/thingvellir/hardware.nix
+++ b/hosts/thingvellir/hardware.nix
@@ -17,6 +17,12 @@
      device = "/dev/disk/by-label/nixos";
      fsType = "ext4";
    };
    "/mnt/vatnajokull" = {
      device = "vatnajokull:/mnt/raid1";
      fsType = "nfs";
      options = [ "x-systemd.automount" "noauto" "noatime" "x-systemd.idle-timeout=600"];
    };
  };
  swapDevices = [
--- a/hosts/thingvellir/secrets.nix
+++ b/hosts/thingvellir/secrets.nix
@@ -2,29 +2,23 @@
 {
  age.secrets = {
    # Consul -------------------------------
    "consul.d/gossip.json" = {
      file = ../../secrets/consul.d/gossip.json.age;
      owner = "consul";
      group = "consul";
      mode = "644";
    };
    "consul.d/consul-agent-ca.pem" = {
      file = ../../secrets/consul.d/consul-agent-ca.pem.age;
      owner = "consul";
      group = "consul";
      mode = "644";
    };
    "consul.d/agent-token-thingvellir.json" = {
      file = ../../secrets/consul.d/agent-token-thingvellir.json.age;
      owner = "consul";
      group = "consul";
      mode = "644";
    };
-    # Nomad -------------------------------
+    "consul.d/consul-server-thingvellir.pem" = {
-    "nomad.d/consul-token.json" = {
+      file = ../../secrets/consul.d/consul-server-thingvellir.pem.age;
-      file = ../../secrets/nomad.d/consul-token.json.age;
+      owner = "consul";
      group = "consul";
      mode = "644";
    };
    "consul.d/consul-server-thingvellir-key.pem" = {
      file = ../../secrets/consul.d/consul-server-thingvellir-key.pem.age;
      owner = "consul";
      group = "consul";
      mode = "600";
    };
  };
 }
--- a/modules/server/consul.nix
+++ b/modules/server/consul.nix
@@ -19,6 +19,16 @@ in
      description = "Agent token config file (should be secret)";
    };
    server-cert = lib.mkOption {
      type = lib.types.str;
      description = "Server certificate (should be secret)";
    };
    server-cert-key = lib.mkOption {
      type = lib.types.str;
      description = "Server certificate key (should be secret)";
    };
  };
  config = lib.mkIf cfg.enable {
    services.consul = {
@@ -30,6 +40,8 @@ in
      };
    };
    # --- Config files ---------------------------------
    environment.etc = {
      consul-agent-ca = {
        # Consul agent CA
@@ -62,6 +74,16 @@ in
        target = "consul.d/server.json";
        source = ../../config/consul.d/server.json;
      };
      consul-server-cert = {
        # Consul Server Certificate
        target = "consul.d/certs/samfelag-server-consul.pem";
        source = cfg.server-cert;
      };
      consul-server-cert-key = {
        # Consul Server Certificate Key
        target = "consul.d/certs/samfelag-server-consul-key.pem";
        source = cfg.server-cert-key;
      };
    } else {
      consul-client-cfg = {
        # Client config
@@ -70,6 +92,23 @@ in
      };
    });
    # --- Secrets ---------------------------------
    age.secrets = {
      "consul.d/gossip.json" = {
        file = ../../secrets/consul.d/gossip.json.age;
        owner = "consul";
        group = "consul";
        mode = "644";
      };
      "consul.d/consul-agent-ca.pem" = {
        file = ../../secrets/consul.d/consul-agent-ca.pem.age;
        owner = "consul";
        group = "consul";
        mode = "644";
      };
    };
    # networking.firewall.allowedTCPPorts = [ 22 ];
  };
 }
--- a/modules/server/nomad.nix
+++ b/modules/server/nomad.nix
@@ -20,6 +20,9 @@ in
      enable = true;
      extraSettingsPaths = [ "/etc/nomad.d" ];
    };
    # --- Config files ---------------------------------
    environment.etc = {
      # Common configuration
      nomad-common-cfg = {
@@ -44,6 +47,15 @@ in
      };
    };
    # --- Secrets ---------------------------------
    age.secrets = {
      "nomad.d/consul-token.json" = {
        file = ../../secrets/nomad.d/consul-token.json.age;
        mode = "644";
      };
    };
    # networking.firewall.allowedTCPPorts = [ 22 ];
  };
 }
--- a/secrets/consul.d/agent-token-reykjavik.json.age
+++ b/secrets/consul.d/agent-token-reykjavik.json.age
--- a/secrets/consul.d/agent-token-thingvellir.json.age
+++ b/secrets/consul.d/agent-token-thingvellir.json.age
--- a/secrets/consul.d/consul-agent-ca-key.pem.age
+++ b/secrets/consul.d/consul-agent-ca-key.pem.age
@@ -0,0 +1,6 @@
 age-encryption.org/v1
 -> ssh-ed25519 GWuf0Q MD7uGzKIk90mRQJVI/HKk9MMbI3HwkwwKEoLc/R8qyQ
 m2K5DUI+O+ufDWl1faCwR+9nA8vxAQW5pptwgEhzMJI
 --- JkkPxFdtVCa3MQqLCpJ7GBajuyQAyHjwr6fbCV81qdA
 6Jèü‚J´Ïå7DÔYb¥@—¨3z´9WnÅC‰R4Hò-´ÄÒš	{Fo -ºZ£J
 J¡âšDaœ´Ž~‘ßÊDLy¡\rºE¯GAÀ‘œ„bªfj`£!Sfi+÷w4‘†£f¨•Aâ<>çç1y‚ìè¸ûÚe»2`¢öL>Â%ƒé€'oóÞÂ"'é”hÔµä;3Z‰å§‘H•ëìPaÐó@´×ÎŠO¶0[¸¯¢ŠVIî‘|5þºcƒåÖSªÈ—ßó#Ú3U2|,+Z«2BºaªX*—Þ0Ÿ q¬¢R‚g¨ðl£ÏãûP‡z†5„D*#È×m¿
--- a/secrets/consul.d/consul-agent-ca.pem.age
+++ b/secrets/consul.d/consul-agent-ca.pem.age
--- a/secrets/consul.d/gossip.json.age
+++ b/secrets/consul.d/gossip.json.age
--- a/secrets/consul.d/samfelag-server-thingvellir-key.pem.age
+++ b/secrets/consul.d/samfelag-server-thingvellir-key.pem.age
@@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> ssh-ed25519 GWuf0Q rk/mFir7HPBGZQnjEXkkC1W4dYIykg4nyZO5Bre1X1w
 mSlOb7R0yGvN7tZpn7IJ1u+bdFmkq6aV49CiqsQVgb0
 -> ssh-ed25519 kNjiNQ ceVCk3ZC2MK51rz3sHH18mhehYwoBjexqGpx6VAtkRk
 vpTWwICA+aXfJPWY0Q0w14QgF9iy01aWgb7LJJcUiwc
 --- GePxJgGNDXcySj0cGXLsbdPDC6BuH5kynzaIkKpDCVw
 <EFBFBD>ô-3À‡\«²aQ¼úJPÿe^ˆyfâÓ“»kI$E®kPƒÝ®{Ž…™4{Ÿ¬ŠH»•(}½UÜ:gõneT°¥v8Ú|È„	½áîiÞr•@,1rMn!e”-‹žv +¼(æAÚ¸mÔú;µßé¤9:y$¦[»	×Õ({jDlß1iR„~6aó=„/cÕH’‚8ýQa.EX½W‹•r©<72>ß¨ÙLS“c4Œž¶#¹="%TÓ(±Â‡±Ö„»ŸCH5qY¢=jvÎ)%Eö<>¦orÕÑ›yø<ö}<7D>DÂß´Ï1[×ŽluyN'4<>åæLõóOA?àha´
--- a/secrets/consul.d/samfelag-server-thingvellir.pem.age
+++ b/secrets/consul.d/samfelag-server-thingvellir.pem.age
--- a/secrets/nomad.d/consul-token.json.age
+++ b/secrets/nomad.d/consul-token.json.age
@@ -1,9 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 GWuf0Q xVuLRTTmTLzFJKyh9RIdq0ZEgoIc6lQs4TlQ9ypb6As
+-> ssh-ed25519 GWuf0Q /wrzzNrN9a2vClZgXvEOVVbH2gYBbVZusrctTJBCOgs
-TtblfYeBV1RpE8717ShUFh2wLmM5K5PviOVr0EyG4Qk
+e1++RnaBdjxb4nFRfRyzWbF+WVOMXXdwxM+jFEmW2JA
-> ssh-ed25519 zhVGHw hD2BDVwJMT1nQKvqFU04ih71pFhweIXK9+gk5KzbfGY
+-> ssh-ed25519 zhVGHw 0j9Bpte/gSXNP4hvVGLFNVQe5U7gi74T0U6bh9MKyG4
-KmyxI4yLdlnbvAbENN9bLHFNpB8Hz6EVCLeQNsaHEho
+pePoX2imP6a9KE8jA0pTw9RgtQ+jCoo+Co9GZTmpY64
-> ssh-ed25519 kNjiNQ 0WpE6n5Cu0F/r0LOpWV8DKtx90xssu6rA706/D0I+Q0
+-> ssh-ed25519 kNjiNQ WbUvxmW6MSYBUrpzVgabst/j4y9Jra/osVpPkmo6tHM
-nCSLiH6A5jsne2Z4tLq05EA3FDYThPvavJqtn4LfO5I
+2NpznkHXxCR+f9zQ6GXu7Za5QGucGH4Gd7dZneG/R5c
--- qtwiXJDiyOdy3XRMZLdwEWdDkpHVn+COhqmHR86cDJM
+--- ku5kAmF+qTUAlyzlEX4ANNd+g86+dJ33R50umNUma3A
-ž3…ô<EFBFBD>0Üàâl½¹Çë’ëÞ¨UÈ»Ç’¥-B<>©²fuÇZ#.´ñµ^q¢™<C2A2>ÒåTyi8Ç=ÂÈð\ße'ðY„¤ôKÐ¯®É¸)g ´<1E>SvýÅ7ÇÔ[®Ì"&ó.H“éÝ·ÖÉþ8ôò]í	¨˜‚xµg_þßÐjÆ
+‡š`ÔlMq-:UáéŸe+ëÈëúß„•ÂY<>BÖ¨úp&0›¯ºcëjÃm²O˜«ò©í
 ?
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -19,6 +19,12 @@ in
  # -- Consul -------------------------------
  "consul.d/gossip.json.age".publicKeys = samfelag-hosts;
  "consul.d/consul-agent-ca.pem.age".publicKeys = samfelag-hosts;
  "consul.d/consul-agent-ca-key.pem.age".publicKeys = reykjavik;
  # Server certificates
  "consul.d/samfelag-server-thingvellir-key.pem.age".publicKeys = thingvellir;
  "consul.d/samfelag-server-thingvellir.pem.age".publicKeys = thingvellir;
  # Agent tokens
  "consul.d/agent-token-reykjavik.json.age".publicKeys = reykjavik;
  "consul.d/agent-token-thingvellir.json.age".publicKeys = thingvellir;