more changes to nomad exec and docker-registry

input-output-hk · Sep 22, 2020 · ed391e6 · ed391e6
1 parent 89f87ce
commit ed391e6
Show file tree

Hide file tree

Showing 7 changed files with 35 additions and 8 deletions.
diff --git a/lib/nomad-job.nix b/lib/nomad-job.nix
@@ -475,6 +475,15 @@ let
           template inside of a Docker container, for example.
         '';
       };
+
+      env = mkOption {
+        type = bool;
+        default = false;
+        description = ''
+          Specifies the template should be read back as environment variables
+          for the task.
+        '';
+      };
     };
   });
 

diff --git a/modules/ingress.nix b/modules/ingress.nix
@@ -61,7 +61,7 @@ let
 
     backend consul
       default-server check maxconn 2000
-    option httpchk HEAD /
+      option httpchk HEAD /
     {{ range $key, $value := service "consul" }}
       server consul{{ $key }} {{.Address}}:8500
     {{- end }}

diff --git a/modules/nomad.nix b/modules/nomad.nix
@@ -1113,11 +1113,11 @@ in {
       ];
 
       environment = mkIf config.services.consul.enable {
-        CONSUL_CACERT = "/etc/ssl/certs/full.pem";
-        CONSUL_CLIENT_CERT = "/etc/ssl/certs/cert.pem";
-        CONSUL_CLIENT_KEY = "/etc/ssl/certs/cert-key.pem";
-        CONSUL_HTTP_ADDR = "https://127.0.0.1:8501";
-        CONSUL_HTTP_SSL = "true";
+        # CONSUL_CACERT = "/etc/ssl/certs/full.pem";
+        # CONSUL_CLIENT_CERT = "/etc/ssl/certs/cert.pem";
+        # CONSUL_CLIENT_KEY = "/etc/ssl/certs/cert-key.pem";
+        CONSUL_HTTP_ADDR = "http://127.0.0.1:8500";
+        # CONSUL_HTTP_SSL = "true";
         HOME = "/var/lib/nomad";
       };
 

diff --git a/modules/vault.nix b/modules/vault.nix
@@ -310,6 +310,8 @@ in {
     };
   };
 
+  options.services.vault-consul-token.enable = mkEnableOption "Enable Vault Consul Token";
+
   config = mkIf cfg.enable {
     environment.systemPackages = [ pkgs.vault-bin ];
 
@@ -379,9 +381,8 @@ in {
       };
     };
 
-    systemd.services.vault-consul-token = {
+    systemd.services.vault-consul-token = mkIf config.services.vault-consul-token.enable {
       after = [ "consul.service" ];
-      wants = [ "consul.service" ];
       wantedBy = [ "vault.service" ];
       before = [ "vault.service" ];
 

diff --git a/profiles/monitoring.nix b/profiles/monitoring.nix
@@ -37,13 +37,22 @@ in {
           default-server check maxconn 2000
           server grafana 127.0.0.1:3000
 
+        backend docker
+          default-server check maxconn 2000
+          option httpchk HEAD /
+          server docker 127.0.0.1:5000
+
         frontend http
           bind *:80
           acl http ssl_fc,not
           http-request redirect scheme https if http
 
         frontend https
           bind *:443 ssl crt ${acme-full} alpn h2,http/1.1
+
+          acl host_docker hdr(host) -i docker.${domain}
+          use_backend docker if host_docker
+
           default_backend grafana
       '';
     };

diff --git a/profiles/nomad/client.nix b/profiles/nomad/client.nix
@@ -13,5 +13,7 @@
     #   "/usr/bin/env" = "/usr/bin/env";
     #   "/nix/store" = "/nix/store";
     # };
+
+    vault.address = "https://vault.service.consul:8200";
   };
 }
diff --git a/profiles/vault/policies.nix b/profiles/vault/policies.nix
@@ -104,6 +104,12 @@ in {
 
       # Allow our own token to be renewed.
       "auth/token/renew-self".capabilities = [ u ];
+
+      "kv/data/nomad-cluster/*".capabilities = [ r l ];
+    };
+
+    nomad-cluster.path = {
+      "kv/data/nomad-cluster/*".capabilities = [ r l ];
     };
   };
 }