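#+title: Consul

* Server setup
** Create a server keypair
<<create_keypair>>

Decrypt the CA (from the agenix secrets). The CA private key must not be
readable by any other user on this host, so tighten the umask first and keep
the plaintext copy only for the duration of this step:

#+begin_src bash
umask 077
install -d -m 700 ~/tmp
agenix -i ~/.ssh/id_reykjavik -d consul.d/consul-agent-ca.pem.age > ~/tmp/consul-agent-ca.pem
agenix -i ~/.ssh/id_reykjavik -d consul.d/consul-agent-ca-key.pem.age > ~/tmp/consul-agent-ca-key.pem
#+end_src

Create the keypair using consul. =consul tls cert create= reads
=consul-agent-ca.pem= and =consul-agent-ca-key.pem= from the current
directory unless =-ca= / =-key= are given, so run it from =~/tmp=. The
default validity is 365 days (see "Renew expired certificates" below);
pass =-days= to change it.

#+begin_src bash
cd ~/tmp
nix-shell -p consul
consul tls cert create -server -dc samfelag
#+end_src

Encrypt the generated server certificate and key with agenix, then remove
every plaintext file from =~/tmp=, above all the CA key:

#+begin_src bash
# prefer 'shred -u' where available; the CA key must not survive on disk
rm -f -- ~/tmp/*.pem
#+end_src

* ACLs
** Policies
*** Node Policy
Policy for agent tokens. Note that this grants write on every node and agent
name in the datacenter; a tighter per-node alternative is
=node "<hostname>" { policy = "write" }= (or a node identity, see "Node Agent
Token" below), so that one leaked agent token cannot register or deregister
other nodes.

#+begin_src hcl
agent_prefix "" {
  policy = "write"
}
node_prefix "" {
  policy = "write"
}
service_prefix "" {
  policy = "read"
}
session_prefix "" {
  policy = "read"
}
#+end_src

*** Nomad client
Policy for nomad clients (to be added in the consul.token field in the nomad config)

#+begin_src hcl
agent_prefix "" {
  policy = "read"
}
node_prefix "" {
  policy = "read"
}
service_prefix "" {
  policy = "write"
}
#+end_src

*** Nomad server
Policy for nomad servers (to be added in the consul.token field in the nomad config).
=acl = "write"= lets Nomad create Consul ACL tokens itself; it is only needed
when Nomad has to mint Consul tokens (for example for the Consul service mesh
integration) and should be dropped otherwise, since it is close to
management-level access.

#+begin_src hcl
agent_prefix "" {
  policy = "read"
}
node_prefix "" {
  policy = "read"
}
service_prefix "" {
  policy = "write"
}
acl = "write"
#+end_src

** Node Agent Token
Create a token with the node policy. The UI at
http://hvannadal:8500/ui/samfelag/acls/tokens is served over plain HTTP, so
the management token used to log in and the new secret ID cross the network
in clear text. Use the HTTPS listener instead, or create the token from the
CLI on a host that reaches Consul over TLS, e.g.
=consul acl token create -policy-name=<node-policy>= (on Consul >= 1.8,
=-node-identity="<hostname>:samfelag"= yields a node-scoped token without a
shared policy).

Create the consul config file and encrypt it via agenix (one file per node):

#+begin_src bash
agenix -e consul.d/agent-token-<hostname>.json.age
#+end_src

JSON config. =agent= is the token the agent uses for its own node and service
registrations; =default= is the token applied to every local HTTP API
request that carries no token. Leaving =default= empty (or omitting it) keeps
unauthenticated local requests at anonymous privileges instead of granting
them the node policy:

#+begin_src json
{
  "acl": {
    "tokens": {
      "default": "",
      "agent": "<secret-id>"
    }
  }
}
#+end_src

* Renew expired certificates
** Find the expired certificate
#+begin_src bash
openssl x509 -in /etc/consul.d/certs/samfelag-server-consul.pem -enddate -noout
# exits non-zero if the certificate expires within 30 days; usable from cron/alerting
openssl x509 -in /etc/consul.d/certs/samfelag-server-consul.pem -checkend 2592000 -noout
#+end_src

Check the CA certificate the same way (the decrypted =~/tmp/consul-agent-ca.pem=
or the deployed copy): a server certificate signed by an expired CA is
rejected by the other agents.

Follow the steps described in [[create_keypair][Create a server keypair]],
then deploy the new certificate and key and restart the consul service so the
new material is loaded.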