more job fixes for acl

clusters/infra/production/default.nix

@@ -52,11 +52,12 @@ in {
       [ c r u d l ];
 
     cicero.path = {
+      "auth/token/lookup".capabilities = [ u ];
+      "auth/token/lookup-self".capabilities = [ r ];
+      "auth/token/renew-self".capabilities = [ u ];
       "kv/data/cicero/*".capabilities = [ r l ];
       "kv/metadata/cicero/*".capabilities = [ r l ];
-      "auth/token/renew-self".capabilities = [ u ];
-      "auth/token/lookup-self".capabilities = [ r ];
-      "auth/token/lookup".capabilities = [ u ];
+      "nomad/creds/cicero".capabilities = [ r u ];
     };
   };
 

deploy.cue

@@ -12,27 +12,12 @@ for jobName, jobValue in job {
 
 job: [string]: {
 	id?:  string
-	type: "batch" | "service"
+	type: "batch" | *"service"
 	datacenters: ["eu-central-1", "us-east-2"]
 	namespace: "cicero"
 	group: [string]: {
 		task: [string]: {
 			driver: "nix"
-			resources: [...#types.resource]
-			config: [...#types.config]
 		}
 	}
 }
-
-#types: {
-	resource: {
-		memory: number
-		cpu:    number
-	}
-
-	config: {
-		nixos?: string
-		packages?: [...string]
-		command: [...string]
-	}
-}

jobs/cicero.cue

@@ -5,10 +5,10 @@ job: {
 		type: "service"
 
 		group: cicero: {
-			network: [{
+			network: {
 				mode: "host"
 				port: http: static: "8080"
-			}]
+			}
 
 			service: [{
 				name:         "cicero"
@@ -39,21 +39,30 @@ job: {
 					change_mode: "restart"
 				}
 
-				resources: [{
+				resources: {
 					memory: 1024
 					cpu:    300
-				}]
+				}
+
+				env: {
+					DATABASE_URL:  "sqlite:db/database.sqlite3"
+					NIX_CONFIG:    "experimental-features = nix-command flakes"
+					SSL_CERT_FILE: "/current-profile/etc/ssl/certs/ca-bundle.crt"
+					NOMAD_ADDR:    "https://nomad.infra.aws.iohkdev.io"
+					VAULT_ADDR:    "https://vault.infra.aws.iohkdev.io"
+				}
 
 				config: [{
 					packages: [
-						"github:input-output-hk/cicero/91639e90a6746a880ed4c1d315385230f4ea68fd#defaultPackage.x86_64-linux",
+						"github:input-output-hk/cicero/097d5a7db40cbf84a7a03f0e05aaa21c6760b713#defaultPackage.x86_64-linux",
 						"github:nixos/nixpkgs/nixpkgs-unstable#nixUnstable",
 						"github:nixos/nixpkgs/nixpkgs-unstable#bash",
 						"github:nixos/nixpkgs/nixpkgs-unstable#coreutils",
 						"github:nixos/nixpkgs/nixpkgs-unstable#shadow",
 						"github:nixos/nixpkgs/nixpkgs-unstable#git",
 						"github:nixos/nixpkgs/nixpkgs-unstable#cacert",
 						"github:nixos/nixpkgs/nixpkgs-unstable#dbmate",
+						"github:nixos/nixpkgs/nixpkgs-unstable#vault-bin",
 					]
 
 					command: ["/bin/bash", "/local/entrypoint.sh"]
@@ -64,10 +73,9 @@ job: {
 					data: """
 						set -exuo pipefail
 
-						export SSL_CERT_FILE="/current-profile/etc/ssl/certs/ca-bundle.crt"
-						export NIX_CONFIG="
-						experimental-features = nix-command flakes
-						"
+						env
+						NOMAD_TOKEN="$(vault read -field secret_id nomad/creds/cicero)"
+						export NOMAD_TOKEN
 
 						mkdir -p /etc
 						echo 'nixbld:x:30000:nixbld1' > /etc/group
@@ -76,7 +84,6 @@ job: {
 
 						git clone https://github.com/input-output-hk/cicero
 						cd cicero
-						export DATABASE_URL="sqlite:db/database.sqlite3"
 						dbmate up
 
 						exec /bin/cicero all --liftbridge-addr liftbridge.service.consul:9292

jobs/liftbridge.cue

@@ -5,8 +5,6 @@ import (
 )
 
 job: liftbridge: {
-	type: "service"
-
 	update: {
 		max_parallel:      1
 		health_check:      "checks"
@@ -22,11 +20,11 @@ job: liftbridge: {
 			#id:   number
 			#seed: bool
 
-			network: [{
+			network: {
 				mode: "host"
 				port: nats: static:       "4222"
 				port: liftbridge: static: "9292"
-			}]
+			}
 
 			service: [{
 				name:         "liftbridge"
@@ -57,10 +55,10 @@ job: liftbridge: {
 			task: liftbridge: {
 				driver: "nix"
 
-				resources: [{
+				resources: {
 					memory: 64
 					cpu:    200
-				}]
+				}
 
 				config: [{
 					packages: ["github:input-output-hk/cicero#liftbridge"]