From e716f7cb7d35801e658fe3306ff99c1c0526fac7 Mon Sep 17 00:00:00 2001
From: marc
Date: Sun, 11 Feb 2024 20:58:26 +0100
Subject: [PATCH] Added server options for nomad and consul
---
 config/consul.d/client.json | 26 --------------
 config/consul.d/common.json | 26 ++++++++++++++
 config/consul.d/server-list.json | 5 +++
 config/consul.d/server.json | 22 ++++++++++++
 config/nomad.d/client.json | 10 ++++++
 config/nomad.d/common.json | 9 +++++
 config/nomad.d/host-reykjavik.json | 10 ++++++
 config/nomad.d/server.json | 6 ++++
 hosts/reykjavik/default.nix | 13 ++++---
 modules/secrets.nix | 15 +++++++-
 modules/server/consul.nix | 44 +++++++++++++++++++-----
 modules/server/nomad.nix | 49 +++++++++++++++++++++++++++
 secrets/nomad.d/consul-token.json.age | 5 +++
 secrets/secrets.nix | 3 ++
 14 files changed, 204 insertions(+), 39 deletions(-)
 create mode 100644 config/consul.d/common.json
 create mode 100644 config/consul.d/server-list.json
 create mode 100644 config/consul.d/server.json
 create mode 100644 config/nomad.d/client.json
 create mode 100644 config/nomad.d/common.json
 create mode 100644 config/nomad.d/host-reykjavik.json
 create mode 100644 config/nomad.d/server.json
 create mode 100644 modules/server/nomad.nix
 create mode 100644 secrets/nomad.d/consul-token.json.age
diff --git a/config/consul.d/client.json b/config/consul.d/client.json
index 2111840..65357c0 100644
--- a/config/consul.d/client.json
+++ b/config/consul.d/client.json
@@ -1,7 +1,4 @@
 {
- "datacenter": "samfelag",
- "data_dir": "/opt/consul",
-
 "tls": {
 "defaults": {
 "verify_incoming": false,
@@ -14,28 +11,5 @@
 },
 "auto_encrypt": {
 "tls": true
- },
-
- "bind_addr": "{{ GetInterfaceIP \"tailscale0\" }}",
- "advertise_addr": "{{ GetInterfaceIP \"tailscale0\" }}",
- "client_addr": "0.0.0.0",
- "retry_join": ["100.80.195.56", "100.107.148.47"],
-
- "ports": {
- "grpc_tls": 8502
- },
-
- "acl": {
- "enabled": true,
- "default_policy": "allow",
- "enable_token_persistence": true
- },
-
- "connect": {
- "enabled": true
- },
-
- "performance": {
- "raft_multiplier": 1
 }
 }
diff --git a/config/consul.d/common.json b/config/consul.d/common.json
new file mode 100644
index 0000000..c6a87f6
--- /dev/null
+++ b/config/consul.d/common.json
@@ -0,0 +1,26 @@
+{
+ "datacenter": "samfelag",
+ "data_dir": "/opt/consul",
+
+ "bind_addr": "{{ GetInterfaceIP \"tailscale0\" }}",
+ "advertise_addr": "{{ GetInterfaceIP \"tailscale0\" }}",
+ "client_addr": "{{ GetInterfaceIP \"tailscale0\" }}",
+
+ "ports": {
+ "grpc_tls": 8502
+ },
+
+ "acl": {
+ "enabled": true,
+ "default_policy": "allow",
+ "enable_token_persistence": true
+ },
+
+ "connect": {
+ "enabled": true
+ },
+
+ "performance": {
+ "raft_multiplier": 1
+ }
+}
diff --git a/config/consul.d/server-list.json b/config/consul.d/server-list.json
new file mode 100644
index 0000000..de2bbef
--- /dev/null
+++ b/config/consul.d/server-list.json
@@ -0,0 +1,5 @@
+{
+ "retry_join": [
+ "100.80.195.56"
+ ]
+}
diff --git a/config/consul.d/server.json b/config/consul.d/server.json
new file mode 100644
index 0000000..b49445f
--- /dev/null
+++ b/config/consul.d/server.json
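Review bot: `"acl": { "default_policy": "allow" }` in the new common.json grants full access to every request that carries no token, and because the file is now shared by servers as well as clients that includes the server's HTTP API and UI on the tailscale address, so the ACL system as configured protects nothing. The narrower setting is `"default_policy": "deny"`, with the agents' permissions supplied through the agent-token file consul.nix already installs. If the permissive policy is intentional for bootstrapping, JSON cannot carry a comment, so record the reason next to the `consul-common-cfg` entry in consul.nix.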
@@ -0,0 +1,22 @@
+{
+ "server": true,
+ "bootstrap_expect": 1,
+ "ui_config": {
+ "enabled": true
+ },
+ "tls": {
+ "defaults": {
+ "verify_incoming": true,
+ "verify_outgoing": true,
+ "ca_file": "/etc/consul.d/certs/consul-agent-ca.pem",
+ "cert_file": "/etc/consul.d/certs/samfelag-server-consul-0.pem",
+ "key_file": "/etc/consul.d/certs/samfelag-server-consul-0-key.pem"
+ },
+ "internal_rpc": {
+ "verify_server_hostname": true
+ }
+ },
+ "auto_encrypt": {
+ "allow_tls": true
+ }
+}
diff --git a/config/nomad.d/client.json b/config/nomad.d/client.json
new file mode 100644
index 0000000..fce9878
--- /dev/null
+++ b/config/nomad.d/client.json
@@ -0,0 +1,10 @@
+{
+ "client": {
+ "enabled": true,
+ "network_interface": "tailscale0",
+
+ "options": {
+ "docker.volumes.enabled": true
+ }
+ }
+}
diff --git a/config/nomad.d/common.json b/config/nomad.d/common.json
new file mode 100644
index 0000000..df8c68f
--- /dev/null
+++ b/config/nomad.d/common.json
@@ -0,0 +1,9 @@
+{
+ "datacenter": "samfelag",
+
+ "advertise": {
+ "http": "{{ GetInterfaceIP \"tailscale0\" }}",
+ "rpc": "{{ GetInterfaceIP \"tailscale0\" }}",
+ "serf": "{{ GetInterfaceIP \"tailscale0\" }}"
+ }
+}
diff --git a/config/nomad.d/host-reykjavik.json b/config/nomad.d/host-reykjavik.json
new file mode 100644
index 0000000..6496d8f
--- /dev/null
+++ b/config/nomad.d/host-reykjavik.json
@@ -0,0 +1,10 @@
+{
+ "client": {
+ "host_volume": {
+ "test": {
+ "path": "/mnt/raid1/nomad_volumes/nextcloud/nextcloud",
+ "read_only": false
+ }
+ }
+ }
+}
diff --git a/config/nomad.d/server.json b/config/nomad.d/server.json
new file mode 100644
index 0000000..8b3df69
--- /dev/null
+++ b/config/nomad.d/server.json
@@ -0,0 +1,6 @@
+{
+ "server": {
+ "enabled": true,
+ "bootstrap_expect": 1
+ }
+}
diff --git a/hosts/reykjavik/default.nix b/hosts/reykjavik/default.nix
index 31718c2..437ca92 100644
--- a/hosts/reykjavik/default.nix
+++ b/hosts/reykjavik/default.nix
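Review bot: server.json points `cert_file` and `key_file` at `/etc/consul.d/certs/samfelag-server-consul-0.pem` and `...-0-key.pem`, but nothing in this patch provisions them — consul.nix installs only the agent CA, gossip key, config files and agent token, and secrets.nix adds no server certificate — so a host with `server = true` will fail to start Consul unless the pair arrives by some other path. If they are meant to be agenix secrets, declare them next to `consul-agent-ca.pem` in secrets.nix with the key readable only by the consul user, and add an `environment.etc` entry for each in consul.nix. `ui_config.enabled` here also appears to duplicate `webUi = true` in consul.nix; keeping the UI switch in one place avoids the two drifting apart.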
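Review bot: `"docker.volumes.enabled": true` in nomad.d/client.json lets any job scheduled onto this client bind-mount arbitrary host paths with the docker daemon's privileges, and neither the nomad configs in this patch nor nomad.nix enable Nomad ACLs, so anyone who can reach the Nomad API on tailscale0 can read or change the host filesystem. If jobs need host paths, the `host_volume` stanza already drafted in host-reykjavik.json is the narrower mechanism, paired with `"acl": { "enabled": true }` in common.json; otherwise leave docker volumes at their default of disabled. If this is accepted for a single-user lab, say so in the nomad.nix comment above `nomad-client-cfg`, since the JSON cannot carry the note.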
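Review bot: host-reykjavik.json is added but no module references it — nomad.nix installs only common.json, the consul token, client.json and server.json — so the `test` host volume is never configured on the host. Either add an `environment.etc` entry for it in nomad.nix (guarded by hostname or an option) or drop the file until it is wired in. The volume name `test` for a Nextcloud data directory with `"read_only": false` also reads like a placeholder; naming it after the consumer, e.g. `nextcloud`, would make job specs self-explanatory.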
@@ -39,6 +39,8 @@ in
 kind = "dark";
 };
+ # - Agenix ---------------------------------
+
 age.identityPaths = [ "/home/marc/.ssh/id_ed25519" ];
@@ -62,10 +64,13 @@ in
 system.sshfs.enable = true;
 # - Server ----------------------------------
- server.consul = {
- enable = true;
- agent-token = config.age.secrets."consul.d/agent-token-reykjavik.json".path;
- };
+ # server.consul = {
+ # enable = true;
+ # agent-token = config.age.secrets."consul.d/agent-token-reykjavik.json".path;
+ # };
+ # server.nomad = {
+ # enable = true;
+ # };
 # - Desktop ----------------------------------
 desktop = {
diff --git a/modules/secrets.nix b/modules/secrets.nix
index 774fcdc..55fa4ca 100644
--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -1,8 +1,14 @@
 { config, pkgs, lib, ... }:
+let
+ consulCfg = config.samfelag.modules.server.consul;
+ nomadCfg = config.samfelag.modules.server.nomad;
+in
 {
 config = {
 age.secrets = {
- # Consul -------------------------------
+ } //
+ # Consul -------------------------------
+ lib.optionalAttrs consulCfg.enable {
 "consul.d/gossip.json" = {
 file = ../secrets/consul.d/gossip.json.age;
 owner = "consul";
@@ -21,6 +27,13 @@
 group = "consul";
 mode = "644";
 };
+ } //
+ # Nomad -------------------------------
+ lib.optionalAttrs nomadCfg.enable {
+ "nomad.d/consul-token.json" = {
+ file = ../secrets/nomad.d/consul-token.json.age;
+ mode = "644";
+ };
 };
 };
 }
diff --git a/modules/server/consul.nix b/modules/server/consul.nix
index 1df37b9..50ab59b 100644
--- a/modules/server/consul.nix
+++ b/modules/server/consul.nix
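Review bot: The subject says server options were added, yet the second default.nix hunk comments out both `server.consul` and `server.nomad` on reykjavik, and with secrets.nix now guarded by `consulCfg.enable` and `nomadCfg.enable` neither service nor its secrets is deployed to the host. If this is deliberate staging, `enable = false;` keeps the block evaluable instead of leaving dead commented code, and it would also surface at eval time whether `server.consul` is really an alias for the `samfelag.modules.server.consul` path the module declares — I cannot tell from the hunk. If it is not deliberate, the block should come back with `server = true;` so the new server configs are actually exercised.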
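Review bot: `"nomad.d/consul-token.json"` in the second secrets.nix hunk is declared with `mode = "644";` and no `owner`/`group`, so the Consul token Nomad authenticates with is readable by every local account, and nomad.nix then links the same path to `/etc/nomad.d/consul-token.json`. A Consul token carries whatever its policy grants, so restrict it to the service that needs it, e.g. `mode = "400";` together with `owner` set to the account the nomad service runs as (root under the stock NixOS module, if I recall correctly — confirm). The consul entries above use `"644"` as well, so the same tightening applies to them.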
@@ -2,11 +2,18 @@
 let
 cfg = config.samfelag.modules.server.consul;
+ nameservers = config.networking.nomeservers;
 in
 {
 options.samfelag.modules.server.consul = {
 enable = lib.mkEnableOption "consul";
+ server = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "Set to true if configured a server - otherwise a client is assumed";
+ };
+
 agent-token = lib.mkOption {
 type = lib.types.str;
 description = "Agent token config file (should be secret)";
@@ -17,30 +24,51 @@ in
 services.consul = {
 enable = true;
 webUi = true;
+ } // lib.optionalAttrs cfg.server {
+ extraConfig = {
+ recursors = config.networking.nameservers;
+ };
 };
 environment.etc = {
- agent-ca = {
+ consul-agent-ca = {
 # Consul agent CA
 target = "consul.d/certs/consul-agent-ca.pem";
 source = config.age.secrets."consul.d/consul-agent-ca.pem".path;
 };
- gossip = {
+ consul-gossip = {
 # Gossip encryption key
 target = "consul.d/gossip.json";
 source = config.age.secrets."consul.d/gossip.json".path;
 };
- client = {
- # Client config
- target = "consul.d/client.json";
- source = ../../config/consul.d/client.json;
+ consul-common-cfg = {
+ # Common config
+ target = "consul.d/common.json";
+ source = ../../config/consul.d/common.json;
 };
- agent-token = {
+ consul-server-list = {
+ # Server list
+ target = "consul.d/server-list.json";
+ source = ../../config/consul.d/server-list.json;
+ };
+ consul-agent-token = {
 # Agent token
 target = "consul.d/agent-token.json";
 source = cfg.agent-token;
 };
- };
+ } // (if cfg.server then {
+ consul-server-cfg = {
+ # Server config
+ target = "consul.d/server.json";
+ source = ../../config/consul.d/server.json;
+ };
+ } else {
+ consul-client-cfg = {
+ # Client config
+ target = "consul.d/client.json";
+ source = ../../config/consul.d/client.json;
+ };
+ });
 # networking.firewall.allowedTCPPorts = [ 22 ];
 };
diff --git a/modules/server/nomad.nix b/modules/server/nomad.nix
new file mode 100644
index 0000000..72b9091
--- /dev/null
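Review bot: `nameservers = config.networking.nomeservers;` in the first consul.nix hunk misspells `nameservers`; the binding is never used (the second hunk reads `config.networking.nameservers` directly), so Nix's laziness hides the typo today, but the first reference to it would fail with an undefined-attribute error. Either drop the binding or correct it to `nameservers = config.networking.nameservers;` and use it in `extraConfig.recursors`. The `server` option description also reads awkwardly; `description = "Run this node as a Consul server; when false, a client agent is configured.";` says the same thing more clearly.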
+++ b/modules/server/nomad.nix
@@ -0,0 +1,49 @@
+{ config, lib, pkgs, self, ... }:
+
+let
+ cfg = config.samfelag.modules.server.nomad;
+in
+{
+ options.samfelag.modules.server.nomad = {
+ enable = lib.mkEnableOption "nomad";
+
+ server = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "Set to true if configured a server - otherwise a client is assumed";
+ };
+
+ };
+ config = lib.mkIf cfg.enable {
+ # services.consul.enable = true;
+ services.nomad = {
+ enable = true;
+ extraSettingsPaths = [ "/etc/nomad.d" ];
+ };
+ environment.etc = {
+ # Common configuration
+ nomad-common-cfg = {
+ target = "nomad.d/common.json";
+ source = ../../config/nomad.d/common.json;
+ };
+ # Consul token
+ nomad-consul-token = {
+ target = "nomad.d/consul-token.json";
+ source = config.age.secrets."nomad.d/consul-token.json".path;
+ };
+ # Client configuration
+ nomad-client-cfg = {
+ target = "nomad.d/client.json";
+ source = ../../config/nomad.d/client.json;
+ };
+ } // lib.optionalAttrs cfg.server {
+ # Server configuration
+ nomad-server-cfg = {
+ target = "nomad.d/server.json";
+ source = ../../config/nomad.d/server.json;
+ };
+ };
+
+ # networking.firewall.allowedTCPPorts = [ 22 ];
+ };
+}
diff --git a/secrets/nomad.d/consul-token.json.age b/secrets/nomad.d/consul-token.json.age
new file mode 100644
index 0000000..a652390
--- /dev/null
+++ b/secrets/nomad.d/consul-token.json.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 GWuf0Q BbOx6cx+uu2ortgM+FKdQ58Mq/88oiilwQG4H9omY0c
+yfQ092ZhIXDUfRK/1McsaKo3RnGvbmjtZcU1k769GX0
+--- ddjUdGmBLlYX2jY3FuEr11FudpoSP+gI+0PxIsJ1BZo
+>_F$j?.Eg %kmǑ9/zf&g*VG^.ȖT^H۷>p$+EqP&muLJqʢfvOnHWc8Mnlp j'xI'|
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 593f581..6109110 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
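Review bot: `nomad-client-cfg` is installed unconditionally, so a host with `server = true` runs Nomad as both server and client, while the option description promises that a client is only "assumed" otherwise and the sibling consul.nix uses an exclusive `if cfg.server then … else …`; either make the two modules agree or document the combined mode, e.g. `description = "Also run a Nomad server on this node; the client is always enabled.";`. `self` and `pkgs` in the module arguments are unused, and the commented-out `services.consul.enable` and `networking.firewall` lines are dead code that should go or become a TODO with a reason. A short header comment stating that the JSON fragments in config/nomad.d are merged by Nomad via `extraSettingsPaths` would help the next reader see why the module installs files rather than using `services.nomad.settings`.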
@@ -8,4 +8,7 @@ in
 "consul.d/consul-agent-ca.pem.age".publicKeys = [id-reykjavik];
 # Agent tokens
 "consul.d/agent-token-reykjavik.json.age".publicKeys = [id-reykjavik];
+
+ # -- Nomad -------------------------------
+ "nomad.d/consul-token.json.age".publicKeys = [id-reykjavik];
 }