WIP: Consul ACLs #117
2 changed files with 68 additions and 1 deletions
65
cluster/services/consul/bootstrap.nix
Normal file
65
cluster/services/consul/bootstrap.nix
Normal file
|
@ -0,0 +1,65 @@
|
||||||
|
{ cluster, config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
sentinelFile = "/var/lib/consul/nixos-acl-bootstrapped";
|
||||||
|
bootstrapTokenFile = "/run/keys/consul-bootstrap-token";
|
||||||
|
bootstrapConfig = "consul-bootstrap-config.json";
|
||||||
|
writeRules = rules: pkgs.writeText "consul-policy.json" (builtins.toJSON rules);
|
||||||
|
in
|
||||||
|
|
||||||
|
{
|
||||||
|
systemd.services = {
|
||||||
|
consul-acl-bootstrap = {
|
||||||
|
requires = [ "consul.service" ];
|
||||||
|
after = [ "consul.service" ];
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
|
||||||
|
unitConfig.ConditionPathExists = "!${sentinelFile}";
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
PrivateTmp = true;
|
||||||
|
};
|
||||||
|
environment.CONSUL_HTTP_ADDR = config.links.consulAgent.tuple;
|
||||||
|
path = [
|
||||||
|
config.services.consul.package
|
||||||
|
pkgs.jq
|
||||||
|
];
|
||||||
|
script = ''
|
||||||
|
umask 77
|
||||||
|
if consul acl bootstrap --format=json > ${bootstrapConfig}; then
|
||||||
|
echo Bootstrapping:
|
||||||
|
jq -r .SecretID < ${bootstrapConfig} > ${bootstrapTokenFile}
|
||||||
|
export CONSUL_HTTP_TOKEN_FILE=${bootstrapTokenFile}
|
||||||
|
consul acl policy create --name operator-read --description "Read-only operator actions" --rules @${writeRules { operator = "read"; }}
|
||||||
|
consul acl policy create --name smt-read --description "Allow reading the encrypted system management token" --rules @${writeRules { key_prefix."secrets/locksmith/consul-systemManagementToken/".policy = "read"; }}
|
||||||
|
consul acl token update --id 00000000-0000-0000-0000-000000000002 --append-policy-name operator-read --append-policy-name smt-read
|
||||||
|
else
|
||||||
|
echo Bootstrap is already in progress elsewhere.
|
||||||
|
touch ${sentinelFile}
|
||||||
|
fi
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
locksmith-provider-consul = {
|
||||||
|
unitConfig.ConditionPathExists = bootstrapTokenFile;
|
||||||
|
distributed.enable = lib.mkForce false;
|
||||||
|
environment = {
|
||||||
|
CONSUL_HTTP_ADDR = config.links.consulAgent.tuple;
|
||||||
|
CONSUL_HTTP_TOKEN_FILE = bootstrapTokenFile;
|
||||||
|
};
|
||||||
|
postStop = ''
|
||||||
|
rm -f ${bootstrapTokenFile}
|
||||||
|
touch ${sentinelFile}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.locksmith.providers.consul = {
|
||||||
|
wantedBy = [ "consul-acl-bootstrap.service" ];
|
||||||
|
after = [ "consul-acl-bootstrap.service" ];
|
||||||
|
secrets.systemManagementToken = {
|
||||||
|
nodes = cluster.config.services.consul.nodes.agent;
|
||||||
|
checkUpdate = "test -e ${bootstrapTokenFile}";
|
||||||
|
command = "cat ${bootstrapTokenFile}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -14,6 +14,7 @@ in
|
||||||
nodes = {
|
nodes = {
|
||||||
agent = [ "checkmate" "grail" "thunderskin" "VEGAS" "prophet" ];
|
agent = [ "checkmate" "grail" "thunderskin" "VEGAS" "prophet" ];
|
||||||
ready = config.services.consul.nodes.agent;
|
ready = config.services.consul.nodes.agent;
|
||||||
|
bootstrap = [ "grail" "VEGAS" ];
|
||||||
};
|
};
|
||||||
nixos = {
|
nixos = {
|
||||||
agent = [
|
agent = [
|
||||||
|
@ -21,10 +22,11 @@ in
|
||||||
./remote-api.nix
|
./remote-api.nix
|
||||||
];
|
];
|
||||||
ready = ./ready.nix;
|
ready = ./ready.nix;
|
||||||
|
bootstrap = ./bootstrap.nix;
|
||||||
};
|
};
|
||||||
simulacrum = {
|
simulacrum = {
|
||||||
enable = true;
|
enable = true;
|
||||||
deps = [ "wireguard" ];
|
deps = [ "wireguard" "locksmith" ];
|
||||||
settings = ./test.nix;
|
settings = ./test.nix;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
Loading…
Reference in a new issue