

add clients
nrdxp committed Dec 2, 2022
1 parent 89f9132 commit 0511958
Showing 2 changed files with 156 additions and 150 deletions.
287 changes: 142 additions & 145 deletions nix/cloud/hydrationProfile.nix
@@ -1,169 +1,166 @@
{ inputs
, cell
,
{
inputs,
cell,
}: {
# Bitte Hydrate Module
# -----------------------------------------------------------------------
#
# reconcile with: `nix run .#clusters.[...].tf.hydrate-[cluster|app].(plan/apply)`
default =
{ lib
, config
, bittelib
, ...
}:
let
inherit (inputs) cells;
in {
imports = [
(cells.matterbridge.hydrationProfile.workload-policies-matterbridge)
];
default = {
lib,
config,
bittelib,
...
}: let
inherit (inputs) cells;
in {
imports = [
(cells.matterbridge.hydrationProfile.workload-policies-matterbridge)
];

# NixOS-level hydration
# --------------
cluster = {
name = "clockworks";
adminNames = [ "shay.bergmann" "david.arnold" ];
domain = "cw.iog.io";
kms = "arn:aws:kms:eu-central-1:337774054819:key/abfae3d9-60ee-41ed-a89a-63078cd5ed5d";
s3Bucket = "iog-clockworks-bitte";
};
# NixOS-level hydration
# --------------
cluster = {
name = "clockworks";
adminNames = ["shay.bergmann" "david.arnold"];
domain = "cw.iog.io";
kms = "arn:aws:kms:eu-central-1:337774054819:key/abfae3d9-60ee-41ed-a89a-63078cd5ed5d";
s3Bucket = "iog-clockworks-bitte";
s3Tempo = "cw-tempo";
};

services = {
nomad.namespaces = {
infra.description = "Painfully stateful stuff";
prod.description = "Production services";
};
services = {
nomad.namespaces = {
infra.description = "Painfully stateful stuff";
prod.description = "Production services";
};

vault.policies.nomad-cluster = {
path."consul/creds/matomo-analytics".capabilities = [ "read" ];
path."auth/token/create/matomo-analytics".capabilities = [ "update" ];
path."auth/token/roles/matomo-analytics".capabilities = [ "read" ];
};
vault.policies.nomad-cluster = {
path."consul/creds/matomo-analytics".capabilities = ["read"];
path."auth/token/create/matomo-analytics".capabilities = ["update"];
path."auth/token/roles/matomo-analytics".capabilities = ["read"];
};
};

# cluster level
# --------------
tf.hydrate-cluster.configuration = {
locals.policies = {
vault.matomo-analytics = {
path."kv/data/matomo-analytics/*".capabilities = [ "read" "list" ];
path."kv/metadata/matomo-analytics/*".capabilities = [ "read" "list" ];
path."consul/creds/matomo-analytics".capabilities = [ "read" ];
};
# cluster level
# --------------
tf.hydrate-cluster.configuration = {
locals.policies = {
vault.matomo-analytics = {
path."kv/data/matomo-analytics/*".capabilities = ["read" "list"];
path."kv/metadata/matomo-analytics/*".capabilities = ["read" "list"];
path."consul/creds/matomo-analytics".capabilities = ["read"];
};

consul.developer.service_prefix."*" = {
policy = "write";
intentions = "write";
};
consul.developer.service_prefix."*" = {
policy = "write";
intentions = "write";
};

nomad.admin = {
namespace."*".policy = "write";
host_volume."*".policy = "write";
};
nomad.admin = {
namespace."*".policy = "write";
host_volume."*".policy = "write";
};

nomad.developer.host_volume."*".policy = "write";
nomad.developer.namespace."*" = {
policy = "write";
capabilities = [
"submit-job"
"dispatch-job"
"read-logs"
"alloc-exec"
"alloc-node-exec"
"alloc-lifecycle"
];
};
nomad.developer.host_volume."*".policy = "write";
nomad.developer.namespace."*" = {
policy = "write";
capabilities = [
"submit-job"
"dispatch-job"
"read-logs"
"alloc-exec"
"alloc-node-exec"
"alloc-lifecycle"
];
};
};
};

# Observability State
# --------------
tf.hydrate-monitoring.configuration = {
resource =
inputs.bitte-cells._utils.library.mkMonitoring
# Alert attrset
{
# Organelle local declared dashboards
inherit
# (cell.alerts)
# clockworks-example-alerts
# Observability State
# --------------
tf.hydrate-monitoring.configuration = {
resource =
inputs.bitte-cells._utils.library.mkMonitoring
# Alert attrset
{
# Organelle local declared dashboards
inherit
# (cell.alerts)
# clockworks-example-alerts
# Upstream alerts which may have downstream deps can be imported here
;

# Upstream alerts which may have downstream deps can be imported here
;
# Upstream alerts not having downstream deps can be directly imported here
inherit
(inputs.bitte-cells.bitte.alerts)
bitte-consul
bitte-deadmanssnitch
bitte-loki
bitte-system
bitte-vault
bitte-vm-health
bitte-vm-standalone
bitte-vmagent
;

# Upstream alerts not having downstream deps can be directly imported here
inherit
(inputs.bitte-cells.bitte.alerts)
bitte-consul
bitte-deadmanssnitch
bitte-loki
bitte-system
bitte-vault
bitte-vm-health
bitte-vm-standalone
bitte-vmagent
;
# Patroni not currently used in clockworks
# inherit
# (inputs.bitte-cells.patroni.alerts)
# bitte-cells-patroni
# ;
}
# Dashboard attrset
{
# Organelle local declared dashboards
inherit
# (cell.dashboards)
# clockworks-example-dash
;

# Patroni not currently used in clockworks
# inherit
# (inputs.bitte-cells.patroni.alerts)
# bitte-cells-patroni
# ;
}
# Dashboard attrset
{
# Organelle local declared dashboards
inherit
# (cell.dashboards)
# clockworks-example-dash
;
# Upstream dashboards not having downstream deps can be directly imported here
inherit
(inputs.bitte-cells.bitte.dashboards)
bitte-consul
bitte-log
bitte-loki
bitte-nomad
bitte-system
bitte-traefik
bitte-vault
bitte-vmagent
bitte-vmalert
bitte-vm
bitte-vulnix
;

# Upstream dashboards not having downstream deps can be directly imported here
inherit
(inputs.bitte-cells.bitte.dashboards)
bitte-consul
bitte-log
bitte-loki
bitte-nomad
bitte-system
bitte-traefik
bitte-vault
bitte-vmagent
bitte-vmalert
bitte-vm
bitte-vulnix
;
# Patroni not currently used in clockworks
# inherit
# (inputs.bitte-cells.patroni.dashboards)
# bitte-cells-patroni
# ;
};
};

# Patroni not currently used in clockworks
# inherit
# (inputs.bitte-cells.patroni.dashboards)
# bitte-cells-patroni
# ;
};
# application state (terraform)
# -----------------------------
tf.hydrate-app.configuration = let
vault' = {
dir = ./. + "/kv/vault";
prefix = "kv";
};
consul' = {
dir = ./. + "/kv/consul";
prefix = "config";
};
vault = bittelib.mkVaultResources {inherit (vault') dir prefix;};
consul = bittelib.mkConsulResources {inherit (consul') dir prefix;};
in {
data = {inherit (vault) sops_file;};
resource = {
inherit (vault) vault_generic_secret;
inherit (consul) consul_keys;
};

# application state (terraform)
# -----------------------------
tf.hydrate-app.configuration =
let
vault' = {
dir = ./. + "/kv/vault";
prefix = "kv";
};
consul' = {
dir = ./. + "/kv/consul";
prefix = "config";
};
vault = bittelib.mkVaultResources { inherit (vault') dir prefix; };
consul = bittelib.mkConsulResources { inherit (consul') dir prefix; };
in
{
data = { inherit (vault) sops_file; };
resource = {
inherit (vault) vault_generic_secret;
inherit (consul) consul_keys;
};
};
};
};
}
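Review bot: `s3Tempo = "cw-tempo";` is the only functional change in this otherwise formatter-only hunk, and nothing says what consumes it — the companion nix/metal/bitteProfile.nix change in this same commit sets `services.monitoring.useTempo = false;`, so the bucket is declared while Tempo stays switched off. A one-line comment above it, e.g. `# Tempo trace storage; monitoring currently has useTempo = false, so this bucket is provisioned but not yet used`, would save the next reader the cross-file lookup (confirm that is the intent). Carried unchanged onto the new side rather than introduced here: `nomad.developer.namespace."*"` grants `alloc-node-exec` on every namespace, which Nomad appears to treat as exec into tasks running without isolation, so it deserves a why-comment or a narrower namespace list. Landing the formatter pass as its own commit would also make the one real change reviewable on its own.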
19 changes: 14 additions & 5 deletions nix/metal/bitteProfile.nix
Expand Up @@ -43,7 +43,7 @@ in {
defaultModules = [(bitte + "/profiles/client.nix")];

eachRegion = attrs: [
# (attrs // {region = "eu-central-1";})
(attrs // {region = "eu-central-1";})
# (attrs // {region = "eu-west-1";})
# (attrs // {region = "us-east-2";})
];
Expand All @@ -54,19 +54,26 @@ in {
(
(eachRegion {
instanceType = "t3a.xlarge";
desiredCapacity = 6;
desiredCapacity = 4;
volumeSize = 500;
modules =
defaultModules
++ [
{
services.nomad.client.meta = {
cardano = "yeah";
patroni = "yeah";
};
}
(
bittelib.mkNomadHostVolumesConfig
["infra-matomo" "infra-matomo-db"]
["infra-database"]
(n: "/var/lib/nomad-volumes/${n}")
)
];
node_class = "development";
}) ++
node_class = "infra";
})
++
# (eachRegion {
# instanceType = "t3.xlarge";
# volumeSize = 500;
Expand Down Expand Up @@ -161,6 +168,7 @@ in {
modules = [
(bitte + /profiles/monitoring.nix)
{
services.monitoring.useTempo = false;
services.loki.configuration.table_manager = {
retention_deletes_enabled = true;
retention_period = "28d";
Expand All @@ -184,6 +192,7 @@ in {
services.traefik.acmeDnsCertMgr = false;
services.traefik.useVaultBackend = true;
services.traefik.useDockerRegistry = false;
services.traefik.enableTracing = false;
}
];
};
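Review bot: The host volume list at `["infra-database"]` drops `infra-matomo` and `infra-matomo-db`, yet nix/cloud/hydrationProfile.nix in this same commit still provisions the `matomo-analytics` Vault and Consul policies, so either a Matomo job that still targets `node_class = "infra"` will no longer find its volumes, or Matomo was retired and those policies are now standing grants with no consumer. Whichever it is, the commit should say so; if retired, the `matomo-analytics` policy paths belong in the same change. The new `services.nomad.client.meta` tag `patroni = "yeah"` also contradicts the `# Patroni not currently used in clockworks` comments in the companion file, and the meta values are bare strings with nothing naming the job constraints that read them — a comment such as `# node meta consumed by job constraints (cardano/patroni); values are opaque flags` would help. The enclosing `eachRegion { … } ++ …` expression starts and ends outside the hunk.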

