Added server options for nomad and consul

This commit is contained in:
marc
2024-02-11 20:58:26 +01:00
parent 042e246b1b
commit e716f7cb7d
14 changed files with 204 additions and 39 deletions


@@ -1,7 +1,4 @@
{ {
"datacenter": "samfelag",
"data_dir": "/opt/consul",
"tls": { "tls": {
"defaults": { "defaults": {
"verify_incoming": false, "verify_incoming": false,
@@ -14,28 +11,5 @@
}, },
"auto_encrypt": { "auto_encrypt": {
"tls": true "tls": true
},
"bind_addr": "{{ GetInterfaceIP \"tailscale0\" }}",
"advertise_addr": "{{ GetInterfaceIP \"tailscale0\" }}",
"client_addr": "0.0.0.0",
"retry_join": ["100.80.195.56", "100.107.148.47"],
"ports": {
"grpc_tls": 8502
},
"acl": {
"enabled": true,
"default_policy": "allow",
"enable_token_persistence": true
},
"connect": {
"enabled": true
},
"performance": {
"raft_multiplier": 1
} }
} }


@@ -0,0 +1,26 @@
{
"datacenter": "samfelag",
"data_dir": "/opt/consul",
"bind_addr": "{{ GetInterfaceIP \"tailscale0\" }}",
"advertise_addr": "{{ GetInterfaceIP \"tailscale0\" }}",
"client_addr": "{{ GetInterfaceIP \"tailscale0\" }}",
"ports": {
"grpc_tls": 8502
},
"acl": {
"enabled": true,
"default_policy": "allow",
"enable_token_persistence": true
},
"connect": {
"enabled": true
},
"performance": {
"raft_multiplier": 1
}
}
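Review bot: `"default_policy": "allow"` in the `acl` block means a request with no token, or an unknown one, is still permitted, so the ACL system enforces nothing until the default is `deny` and the agent-token secrets this repo provisions are reduced to a formality. Once every agent (and the Nomad integration added in this commit) has a working token, switch to `"default_policy": "deny"` and let the token policies decide; `enable_token_persistence` can stay as is. Moving `client_addr` from the previous `0.0.0.0` to the tailscale0 address is a good change and keeps the HTTP/DNS API off other interfaces.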


@@ -0,0 +1,5 @@
{
"retry_join": [
"100.80.195.56"
]
}


@@ -0,0 +1,22 @@
{
"server": true,
"bootstrap_expect": 1,
"ui_config": {
"enabled": true
},
"tls": {
"defaults": {
"verify_incoming": true,
"verify_outgoing": true,
"ca_file": "/etc/consul.d/certs/consul-agent-ca.pem",
"cert_file": "/etc/consul.d/certs/samfelag-server-consul-0.pem",
"key_file": "/etc/consul.d/certs/samfelag-server-consul-0-key.pem"
},
"internal_rpc": {
"verify_server_hostname": true
}
},
"auto_encrypt": {
"allow_tls": true
}
}
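Review bot: `cert_file` and `key_file` point at `/etc/consul.d/certs/samfelag-server-consul-0.pem` and `/etc/consul.d/certs/samfelag-server-consul-0-key.pem`, but nothing in this commit installs those files: `modules/server/consul.nix` only places the agent CA, gossip key, common, server-list, agent-token and server.json under `consul.d/`, and `secrets.nix` declares no server certificate or key. Unless they are provisioned out of band (not visible here), a host with `server = true` will fail to start with the key file missing. When they are added, the key should go through agenix with `owner = "consul"` and a non-world-readable mode like the other consul secrets rather than a plain `environment.etc` source. `verify_incoming`/`verify_outgoing` together with `verify_server_hostname` are the right settings for the server side.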


@@ -0,0 +1,10 @@
{
"client": {
"enabled": true,
"network_interface": "tailscale0",
"options": {
"docker.volumes.enabled": true
}
}
}
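Review bot: `"docker.volumes.enabled": true` lets any job submitted to this client bind-mount arbitrary host paths into its container, which amounts to host-root for anyone who can submit jobs, and none of the Nomad configs in this commit enable Nomad ACLs. Since the commit also introduces a `host_volume` stanza, the scoped alternative is to leave this option at its default (`false`) and expose paths only through named host volumes that jobs request explicitly. If arbitrary bind mounts are genuinely needed, enable Nomad ACLs first so that only trusted operators can submit such jobs.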


@@ -0,0 +1,9 @@
{
"datacenter": "samfelag",
"advertise": {
"http": "{{ GetInterfaceIP \"tailscale0\" }}",
"rpc": "{{ GetInterfaceIP \"tailscale0\" }}",
"serf": "{{ GetInterfaceIP \"tailscale0\" }}"
}
}
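Review bot: `advertise` is pinned to the tailscale0 address but `bind_addr` is not set, so Nomad's HTTP, RPC and serf listeners keep the default `0.0.0.0`; the consul `common.json` in this commit binds `client_addr` to the interface address, and the same `"bind_addr": "{{ GetInterfaceIP \"tailscale0\" }}"` here would keep the Nomad API off other interfaces (the NixOS firewall may already block it, but that is not visible on this page). There is also no `acl` stanza, so the API accepts unauthenticated job submissions from anything that can reach it, which matters more once `docker.volumes.enabled` is on for the client.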


@@ -0,0 +1,10 @@
{
"client": {
"host_volume": {
"test": {
"path": "/mnt/raid1/nomad_volumes/nextcloud/nextcloud",
"read_only": false
}
}
}
}
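Review bot: the host volume is named `test` while its `path` is the Nextcloud data directory; jobs reference host volumes by name, so renaming it to something like `nextcloud` before any job depends on it avoids a breaking rename later. Separately, `modules/server/nomad.nix` installs only `common.json`, `consul-token.json`, `client.json` and `server.json` into `/etc/nomad.d`; if this file sits alongside them in `config/nomad.d`, nothing in the commit copies it onto the host (the file's path is not shown on this page, so confirm).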


@@ -0,0 +1,6 @@
{
"server": {
"enabled": true,
"bootstrap_expect": 1
}
}


@@ -39,6 +39,8 @@ in
kind = "dark"; kind = "dark";
}; };
# - Agenix ---------------------------------
age.identityPaths = [ age.identityPaths = [
"/home/marc/.ssh/id_ed25519" "/home/marc/.ssh/id_ed25519"
]; ];
@@ -62,10 +64,13 @@ in
system.sshfs.enable = true; system.sshfs.enable = true;
# - Server ---------------------------------- # - Server ----------------------------------
server.consul = { # server.consul = {
enable = true; # enable = true;
agent-token = config.age.secrets."consul.d/agent-token-reykjavik.json".path; # agent-token = config.age.secrets."consul.d/agent-token-reykjavik.json".path;
}; # };
# server.nomad = {
# enable = true;
# };
# - Desktop ---------------------------------- # - Desktop ----------------------------------
desktop = { desktop = {


@@ -1,8 +1,14 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let
consulCfg = config.samfelag.modules.server.consul;
nomadCfg = config.samfelag.modules.server.nomad;
in
{ {
config = { config = {
age.secrets = { age.secrets = {
} //
# Consul ------------------------------- # Consul -------------------------------
lib.optionalAttrs consulCfg.enable {
"consul.d/gossip.json" = { "consul.d/gossip.json" = {
file = ../secrets/consul.d/gossip.json.age; file = ../secrets/consul.d/gossip.json.age;
owner = "consul"; owner = "consul";
@@ -21,6 +27,13 @@
group = "consul"; group = "consul";
mode = "644"; mode = "644";
}; };
} //
# Nomad -------------------------------
lib.optionalAttrs nomadCfg.enable {
"nomad.d/consul-token.json" = {
file = ../secrets/nomad.d/consul-token.json.age;
mode = "644";
};
}; };
}; };
} }
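Review bot: the new `"nomad.d/consul-token.json"` secret gets `mode = "644";` and no `owner`, so the Consul token handed to Nomad is readable by every local user once decrypted, and `environment.etc` in `modules/server/nomad.nix` symlinks it into `/etc/nomad.d` with exactly those permissions. A token is not a config file that needs to be world-readable; `mode = "400";` (or `"440"` with a group the Nomad service can read) limits it to the service's user — NixOS appears to run nomad as root by default, so `400` should suffice, but confirm against the service unit. The consul `gossip.json` context above carries the same `644`, but that is pre-existing and not part of this change.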


@@ -2,11 +2,18 @@
let let
cfg = config.samfelag.modules.server.consul; cfg = config.samfelag.modules.server.consul;
nameservers = config.networking.nomeservers;
in in
{ {
options.samfelag.modules.server.consul = { options.samfelag.modules.server.consul = {
enable = lib.mkEnableOption "consul"; enable = lib.mkEnableOption "consul";
server = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Set to true if configured a server - otherwise a client is assumed";
};
agent-token = lib.mkOption { agent-token = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "Agent token config file (should be secret)"; description = "Agent token config file (should be secret)";
@@ -17,30 +24,51 @@ in
services.consul = { services.consul = {
enable = true; enable = true;
webUi = true; webUi = true;
} // lib.optionalAttrs cfg.server {
extraConfig = {
recursors = config.networking.nameservers;
};
}; };
environment.etc = { environment.etc = {
agent-ca = { consul-agent-ca = {
# Consul agent CA # Consul agent CA
target = "consul.d/certs/consul-agent-ca.pem"; target = "consul.d/certs/consul-agent-ca.pem";
source = config.age.secrets."consul.d/consul-agent-ca.pem".path; source = config.age.secrets."consul.d/consul-agent-ca.pem".path;
}; };
gossip = { consul-gossip = {
# Gossip encryption key # Gossip encryption key
target = "consul.d/gossip.json"; target = "consul.d/gossip.json";
source = config.age.secrets."consul.d/gossip.json".path; source = config.age.secrets."consul.d/gossip.json".path;
}; };
client = { consul-common-cfg = {
# Client config # Common config
target = "consul.d/client.json"; target = "consul.d/common.json";
source = ../../config/consul.d/client.json; source = ../../config/consul.d/common.json;
}; };
agent-token = { consul-server-list = {
# Server list
target = "consul.d/server-list.json";
source = ../../config/consul.d/server-list.json;
};
consul-agent-token = {
# Agent token # Agent token
target = "consul.d/agent-token.json"; target = "consul.d/agent-token.json";
source = cfg.agent-token; source = cfg.agent-token;
}; };
} // (if cfg.server then {
consul-server-cfg = {
# Server config
target = "consul.d/server.json";
source = ../../config/consul.d/server.json;
}; };
} else {
consul-client-cfg = {
# Client config
target = "consul.d/client.json";
source = ../../config/consul.d/client.json;
};
});
# networking.firewall.allowedTCPPorts = [ 22 ]; # networking.firewall.allowedTCPPorts = [ 22 ];
}; };
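Review bot: `nameservers = config.networking.nomeservers;` in the `let` block misspells the option (`nameservers`), and the binding is never used — the `recursors` line below reads `config.networking.nameservers` directly — so it only goes unnoticed because Nix evaluates `let` bindings lazily. Either drop the binding or fix the spelling and use it: `nameservers = config.networking.nameservers;` together with `recursors = nameservers;`. The `config = lib.mkIf cfg.enable { … }` block that encloses the second hunk starts before it.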

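--- /dev/null
+++ b/modules/server/nomad.nix
@@ -0,0 +1,49 @@
+{ config, lib, pkgs, self, ... }:
+let
+cfg = config.samfelag.modules.server.nomad;
+in
+{
+options.samfelag.modules.server.nomad = {
+enable = lib.mkEnableOption "nomad";
+server = lib.mkOption {
+type = lib.types.bool;
+default = false;
+description = "Set to true if configured a server - otherwise a client is assumed";
+};
+};
+config = lib.mkIf cfg.enable {
+# services.consul.enable = true;
+services.nomad = {
+enable = true;
+extraSettingsPaths = [ "/etc/nomad.d" ];
+};
+environment.etc = {
+# Common configuration
+nomad-common-cfg = {
+target = "nomad.d/common.json";
+source = ../../config/nomad.d/common.json;
+};
+# Consul token
+nomad-consul-token = {
+target = "nomad.d/consul-token.json";
+source = config.age.secrets."nomad.d/consul-token.json".path;
+};
+# Client configuration
+nomad-client-cfg = {
+target = "nomad.d/client.json";
+source = ../../config/nomad.d/client.json;
+};
+} // lib.optionalAttrs cfg.server {
+# Server configuration
+nomad-server-cfg = {
+target = "nomad.d/server.json";
+source = ../../config/nomad.d/server.json;
+};
+};
+# networking.firewall.allowedTCPPorts = [ 22 ];
+};
+}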
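Review bot: the `server` option's description says "otherwise a client is assumed", but `nomad-client-cfg` is installed unconditionally, so a host with `server = true` is also a client that runs workloads — unlike `modules/server/consul.nix` in the same commit, which installs `client.json` only when `cfg.server` is false. If running jobs on the server is intended (plausible for a single-node setup), say so in the description; otherwise mirror consul.nix's `if cfg.server then … else …` split around the client/server entries. `pkgs` and `self` in the argument set are unused in this file, and the commented `# services.consul.enable = true;` is dead code that should go or become a real dependency on the consul module.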


@@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 GWuf0Q BbOx6cx+uu2ortgM+FKdQ58Mq/88oiilwQG4H9omY0c
yfQ092ZhIXDUfRK/1McsaKo3RnGvbmjtZcU1k769GX0
--- ddjUdGmBLlYX2jY3FuEr11FudpoSP+gI+0PxIsJ1BZo
؉>_ÿüF¹$j?.<2E>´ %kmLj9/zf…ù&g*VG^.ôÈT^¬ýHÛ·‰>ªp$Í+•ÑEýqPù&mu ïLJóÔÚè½ÀqËÊ¢f…µæÉvOnŒÑúHªèîÿW¿<57>Áî±c8Mn¥Ólßpú <0B>¾ª°Õj'ô©ö½xIŽ»ó'|


@@ -8,4 +8,7 @@ in
"consul.d/consul-agent-ca.pem.age".publicKeys = [id-reykjavik]; "consul.d/consul-agent-ca.pem.age".publicKeys = [id-reykjavik];
# Agent tokens # Agent tokens
"consul.d/agent-token-reykjavik.json.age".publicKeys = [id-reykjavik]; "consul.d/agent-token-reykjavik.json.age".publicKeys = [id-reykjavik];
# -- Nomad -------------------------------
"nomad.d/consul-token.json.age".publicKeys = [id-reykjavik];
} }