add cicero

input-output-hk · Oct 28, 2021 · e24c1b5 · e24c1b5
1 parent 45f21ec
commit e24c1b5
Show file tree

Hide file tree

Showing 10 changed files with 657 additions and 280 deletions.
diff --git a/clusters/infra/production/bitte-ci.nix b/clusters/infra/production/bitte-ci.nix
@@ -26,7 +26,7 @@
       nomadTokenFile = "/run/keys/bitte-ci.nomad";
       artifactSecretFile = "/run/keys/bitte-ci.artifact";
       githubHookSecretFile = "/run/keys/bitte-ci.secret";
-      nomadUrl = "https://${config.cluster.instances.core-1.privateIP}:4646";
+      nomadUrl = "https://nomad.${config.cluster.domain}";
       nomadSslCa = "/etc/ssl/certs/ca.pem";
       nomadSslKey = "/etc/ssl/certs/cert-key.pem";
       nomadSslCert = "/etc/ssl/certs/cert.pem";

diff --git a/clusters/infra/production/client.nix b/clusters/infra/production/client.nix
@@ -1,5 +1,7 @@
-{ pkgs, lib, ... }: {
-  services.nomad.client.chroot_env = lib.mkForce {
-    "/etc/passwd" = "/etc/passwd";
-  };
+{ pkgs, lib, self, ... }: {
+  services.nomad.client.chroot_env =
+    lib.mkForce { "/etc/passwd" = "/etc/passwd"; };
+
+  services.nomad.pluginDir =
+    "${self.inputs.nomad-driver-nix.defaultPackage.x86_64-linux}/bin";
 }
diff --git a/clusters/infra/production/default.nix b/clusters/infra/production/default.nix
@@ -15,28 +15,49 @@ in {
     intentions = "write";
   };
 
-  services.nomad.policies.admin.namespace."infra-*".policy = "write";
-  services.nomad.policies.developer.namespace."infra-*".policy = "write";
-
-  services.nomad.policies.bitte-ci = {
-    description = "Bitte CI (Run Jobs and monitor them)";
-    namespace.default = {
-      policy = "read";
-      capabilities = [ "submit-job" "dispatch-job" "read-logs" "read-job" ];
+  services.nomad.policies = {
+    admin.namespace."infra-*".policy = "write";
+    developer.namespace."infra-*".policy = "write";
+    bitte-ci = {
+      description = "Bitte CI (Run Jobs and monitor them)";
+      namespace.default = {
+        policy = "read";
+        capabilities = [ "submit-job" "dispatch-job" "read-logs" "read-job" ];
+      };
+      node.policy = "read";
+    };
+
+    cicero = {
+      description = "Cicero (Run Jobs and monitor them)";
+      namespace.cicero = {
+        policy = "read";
+        capabilities = [ "submit-job" "dispatch-job" "read-logs" "read-job" ];
+      };
     };
-    node.policy = "read";
   };
 
-  services.vault.policies = {
-    admin.path."secret/*".capabilities =
-      [ "create" "read" "update" "delete" "list" ];
-    terraform.path."secret/data/vbk/*".capabilities =
-      [ "create" "read" "update" "delete" "list" ];
-    terraform.path."secret/metadata/vbk/*".capabilities = [ "delete" ];
+  services.vault.policies = let
+    c = "create";
+    r = "read";
+    u = "update";
+    d = "delete";
+    l = "list";
+  in {
+    admin.path."secret/*".capabilities = [ c r u d l ];
+    terraform.path."secret/data/vbk/*".capabilities = [ c r u d l ];
+    terraform.path."secret/metadata/vbk/*".capabilities = [ d ];
     vit-terraform.path."secret/data/vbk/vit-testnet/*".capabilities =
-      [ "create" "read" "update" "delete" "list" ];
+      [ c r u d l ];
     vit-terraform.path."secret/metadata/vbk/vit-testnet/*".capabilities =
-      [ "create" "read" "update" "delete" "list" ];
+      [ c r u d l ];
+
+    cicero.path = {
+      "kv/data/cicero/*".capabilities = [ r l ];
+      "kv/metadata/cicero/*".capabilities = [ r l ];
+      "auth/token/renew-self".capabilities = [ u ];
+      "auth/token/lookup-self".capabilities = [ r ];
+      "auth/token/lookup".capabilities = [ u ];
+    };
   };
 
   tf.core.configuration = let
@@ -119,7 +140,10 @@ in {
     };
   };
 
-  services.nomad.namespaces = { infra-default.description = "Infra Default"; };
+  services.nomad.namespaces = {
+    infra-default.description = "Infra Default";
+    cicero.description = "Cicero";
+  };
 
   nix.binaryCaches = [
     "https://hydra.iohk.io"
@@ -175,7 +199,7 @@ in {
 
           modules = [
             (bitte + /profiles/client.nix)
-            self.inputs.ops-lib.nixosModules.zfs-runtime
+            (bitte + /profiles/zfs-runtime.nix)
             "${self.inputs.nixpkgs}/nixos/modules/profiles/headless.nix"
             "${self.inputs.nixpkgs}/nixos/modules/virtualisation/ec2-data.nix"
             ./client.nix

diff --git a/cue.mod/module.cue b/cue.mod/module.cue
@@ -0,0 +1 @@
+module: "github.com/input-output-hk/infra-ops/pkg"
diff --git a/deploy.cue b/deploy.cue
@@ -0,0 +1,38 @@
+package deploy
+
+import (
+	jobDefs "github.com/input-output-hk/infra-ops/pkg/jobs:jobs"
+)
+
+job: jobDefs.job
+
+for jobName, jobValue in job {
+	jobs: "\(jobName)": job: "\(jobName)": jobValue
+}
+
+job: [string]: {
+	id?:  string
+	type: "batch" | "service"
+	datacenters: ["eu-central-1", "us-east-2"]
+	namespace: "cicero"
+	group: [string]: {
+		task: [string]: {
+			driver: "nix"
+			resources: [...#types.resource]
+			config: [...#types.config]
+		}
+	}
+}
+
+#types: {
+	resource: {
+		memory: number
+		cpu:    number
+	}
+
+	config: {
+		nixos?: string
+		packages?: [...string]
+		command: [...string]
+	}
+}